The Transportation Security Administration (TSA) on Thursday mandated that owners and operators of critical pipelines report “potential and confirmed cybersecurity incidents” to the Department of Homeland Security, review their current plans, assess gaps, and report on those as well.
Additional directives aimed at strengthening the cybersecurity of the pipeline industry are also under consideration, DHS said.
The new mandates follow a ransomware attack earlier this month against Georgia-based pipeline operator Colonial Pipeline that resulted in the company temporarily shutting down operations, causing fuel shortages along the East Coast and in mid-Atlantic regions of the U.S.
“The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security,” Homeland Security Secretary Alejandro Mayorkas said in a statement Thursday morning. “DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
The six-page security directive has several parts, including requiring the reporting of incidents to the Cybersecurity and Infrastructure Security Agency (CISA), which is the DHS component responsible for working with the private sector, typically on a voluntary basis, to share cyber threat information and best practices. Cyber incident reports are due within 12 hours of discovery of an incident.
Some of the information that DHS wants in the incident reports includes known threat information and the source of the attack, if known, the specific malware, malicious internet protocol addresses, and the impact, or potential impact, on a victim’s information or operational technology systems and operations, the directive says.
The directive also requires pipeline owners and operators to have a Cybersecurity Coordinator who is available around-the-clock. Pipeline owners and operators must also “review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days,” DHS said.
The directive goes into effect on May 28. From that date, impacted companies have seven days to provide TSA with the contact information of their Cybersecurity Coordinators and backups.
Additional measures under consideration include ways to “strengthen the public-private partnership,” DHS said.
The Homeland Security Act of 2002 gives DHS the authority to secure the nation’s transportation systems. TSA, through the Aviation and Transportation Act of 2001, was given the lead within the federal government for transportation security, which includes hazardous materials and pipelines.
Rep. John Katko (R-N.Y.), the ranking member on the House Homeland Security Committee, approved of the new security directive.
“TSA requiring the pipeline industry to immediately report cyber incidents is imperative to securing a key element of our country’s critical infrastructure,” he said in a statement. He urged DHS to work with industry in implementing the directive.