Building on a recent security directive to owners and operators of pipelines, the Transportation Security Administration (TSA) is developing a new regulation to further strengthen cybersecurity within the pipeline sector, an agency official said this week.
The second directive “will require more specific mitigation measures and it will ultimately include more specific requirements with regard to assessments,” Sonya Proctor, assistant administrator for Surface Operations at TSA, said at a House hearing on Tuesday. She added that the directive will be categorized as sensitive security information given the mitigation measures that will be required but said implementation by pipeline operators will be subject to inspection by agency surface inspectors.
Proctor was replying to a question from Rep. Bonnie Watson Coleman (D-N.J.), chairwoman of the House Homeland Security subcommittee on Transportation and Maritime Security, who pointed out that the first security directive, which was issued in May, only requires pipeline operators to self-assess compliance with the directive. She asked how TSA will verify compliance with that directive.
Proctor said the upcoming directive will also have more specific requirements for assessments and that the agency has surface inspectors trained in pipeline operations. Some of these inspectors also have cybersecurity training, adding the inspectors will enforce the security directives.
The May mandate followed a ransomware attack earlier that month on East Coast pipeline operator Colonial Pipeline, who shutdown its operations to guard against a potential jump of the malware from its information technology network to the control systems that enable its thousands of miles of pipelines to function.
That initial directive also requires pipeline operators to report cyber incidents within 12 hours of discovery of an incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Operators must also have cybersecurity coordinators available all day, every day and review their current practices and identify security gaps and plans to remediate gaps and report results to TSA and CISA.
Proctor said she has the resources and personnel necessary to carryout TSA’s pipeline security work.
TSA has the statutory authorities to regulate pipeline security and Congress appears increasingly interested in moving from voluntary compliance with best practices and cybersecurity standards by other critical infrastructure sectors of the economy to mandated compliance.