DHS to require pipeline companies to report cyberattacks

The Department of Homeland Security (DHS) will issue a directive later this week requiring all pipeline companies to report cyber incidents to federal authorities after a devastating ransomware attack on Colonial Pipeline forced a shutdown of operations.

The Washington Post first reported that DHS’s Transportation Security Administration (TSA), which is responsible for securing critical pipelines, will issue the directive this week following concerns that pipeline operators are not required to report cyber incidents, unlike other critical infrastructure sectors.

A spokesperson for DHS told The Hill in an emailed statement Tuesday that “the Biden administration is taking further action to better secure our nation’s critical infrastructure,” with TSA and the federal Cybersecurity and Infrastructure Security Agency (CISA) working together on the issue.

“TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems. We will release additional details in the days ahead,” the spokesperson said.

Both TSA and CISA declined to comment on the directive, pointing to DHS for details.

According to The Post, companies will be required to report incidents to both TSA and CISA as well as designate an official with the ability to contact both agencies in order to report a cyberattack.

“This is a first step, and the department views it as a first step, and it will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes,” a senior DHS official told the Post.

The directive comes two weeks after a cyber criminal group that President Biden said was likely based in Russia used the “DarkSide” ransomware variant to compromise Colonial Pipeline’s IT systems. Colonial, the supplier of 45 percent of the East Coast’s fuel, chose to shut down pipelines to protect its operational systems, causing fuel shortages in multiple states.

While the electric sector and other critical infrastructure groups have mandatory cybersecurity standards, the pipeline industry does not. Federal officials are increasingly calling for cybersecurity mandates for the pipeline sector following the Colonial Pipeline attack.

When asked about potential mandatory standards, Homeland Security Secretary Alejandro Mayorkas told reporters at the White House earlier this month that the administration was discussing the idea of some further oversight.

“Our conversations within the administration are ongoing and have been underway with respect to what measures we need to take both administratively and of course in a companion effort in the legislature to see how we can raise the cyber hygiene across the country,” Mayorkas said.

In addition, the Biden administration launched a 100-day initiative in April to secure the electric sector against cyberattacks, with initiatives also planned to secure other critical sectors including the oil and gas industry.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) on Tuesday applauded the upcoming directive. 

“While the Colonial Pipeline attack shows there is much more work to be done to protect the nation’s pipelines and other critical infrastructure from cyber attacks, this TSA security directive is a major step in the right direction towards ensuring that pipeline operators are taking cybersecurity seriously and reporting any incidents immediately,” Thompson said in a statement. 

“While Congress will continue its oversight of TSA’s pipeline security efforts, TSA – with its twenty years of experience – will remain the Federal entity responsible for pipeline security with the authorities to mandate security requirements,” he added.