The Transportation Security Administration (TSA) is working on an additional cybersecurity directive for pipeline companies in the wake of the ransomware attack on Colonial Pipeline.
“We are continuing to develop additional measures for pipeline companies, and we are developing now a second security directive which would have the force of a regulation,” Sonya Proctor, the assistant administrator for Surface Operations at TSA, testified during a hearing held by two House Homeland Security Committee subcommittees on Tuesday.
The new directive will be the second issued by TSA, with the agency rolling out a directive last month that required pipeline owners and operators to report cybersecurity incidents within 12 hours of discovery to the Cybersecurity and Infrastructure Security Agency (CISA). It also increased coordination between pipeline owners and both CISA and TSA.
Proctor said Tuesday that the upcoming second directive would be classified as more sensitive in nature than the first directive due to “the nature of the mitigating measures that are going to be required.”
She noted that the directive “will require more specific mitigation measures, and it will ultimately include more specific requirements with regard to assessments,” and that TSA inspectors trained in both pipeline operations and cybersecurity will be tasked with ensuring pipeline companies adhere to both directives.
“As recently evidenced, cyber intrusions into pipeline computer networks have the potential to negatively impact our national security, economy, commerce, and wellbeing,” Proctor said as part of her prepared statement for the hearing. “For these reasons, TSA remains committed to securing our Nation’s pipelines against evolving and emerging risks.”
Both directives are being put together by TSA in the wake of the ransomware attack on Colonial Pipeline last month. The company provides 45 percent of the East Coast’s fuel supply, and major gas shortages were seen in several states when Colonial was forced to shut down the entire pipeline for nearly a week to protect operational controls from attack.
Colonial subsequently revealed that it had opted to pay the attackers around $4.4 million in Bitcoin demanded to regain control of its systems, though the Justice Department announced last week that it had been able to recover the majority of those funds.
House lawmakers Tuesday stressed the need for both TSA and CISA to have more visibility and powers when it came to responding to a cyberattack on critical systems such as pipelines, and criticized Colonial for not accepting CISA’s assistance in investigating its networks following the attack.
”Colonial still has not agreed to participate in the physical assessment, and only agreed to cooperate with TSA’s cybersecurity assessment three weeks after the ransomware attack occurred,” Rep. Bonnie Watson Coleman (D-N.J.), chair of the committee’s subcommittee on Transportation and Maritime Security, testified. “If this is at all indicative of how pipeline owners and operators view their regulators, we have a problem.”
Colonial CEO Joseph Blount testified to the House Homeland Security Committee last week that the company had turned down assistance from CISA due to “world-class experts,” such as cybersecurity company FireEye, already having been called in to help.
Eric Goldstein, the executive director for Cybersecurity at CISA, also testified at the hearing Tuesday, and stressed the need for Congress to do more to ensure companies reported attacks to CISA.
“The more that we as a country can do to drive reporting of cybersecurity incidents to CISA, as TSA recently did with their security directives…that will help drive that change,” Goldstein testified.
More assistance for CISA in this space may be on the way, with Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security’s cybersecurity subcommittee, noting Tuesday that she is working on legislation on this issue.
“I’m working on legislation that will require critical infrastructure to report certain cybersecurity incidents to CISA so that we’re developing the muscle memory and the institutional knowledge to improve our cyber defenses over time,” Clarke testified.
She stressed this was “only half the battle,” and that the federal government “can only do so much.”
“We need the private sector to open the door to CISA and TSA – not just because it benefits them, but because it benefits our collective national security,” Clarke said.