The Transportation Security Administration is taking a new approach in cyber regulations for oil and gas pipeline operators, allowing them to sort out what is best for their respective businesses rather than being told how to do it, the agency’s chief said on Thursday.
Administrator David Pekoske told a Senate committee that he would sign a revised security directive that “allows what’s currently being done to continue. But, if owners and operators want to more tailor their cyber approach to their own business model, it gives them the flexibility to do that. So, we’re going from a very prescriptive measures-based approach to a performance-based approach, which we think will be well received.”
Industry has already provided “very good feedback” on the new approach, which Pekoske said he would be signing on Thursday afternoon. The TSA chief appeared before the Homeland Security and Governmental Affairs Committee as part of his confirmation process for a second five-year term to lead the agency.
TSA in May 2021 and again in July 2021 took advantage of existing authorities it has related to U.S. transportation systems to begin requiring that certain cybersecurity practices be implemented by oil and gas pipeline operators immediately in the wake of a ransomware cyber-attack against East Coast pipeline operator Colonial Pipeline. That attack impacted the company’s information networks, but to prevent a potential migration to its operating systems, Colonial Pipeline temporarily shut down operations, causing fuel shortages.
That event was a wake-up call for the U.S. government due to a lack of a keen awareness of the pipeline industry and its cybersecurity posture. Since then, TSA has moved to begin mandating certain cybersecurity measures by the rail and aviation industries.
Congress has also passed legislation that has been signed into law mandating that critical infrastructure entities report major cyber incidents to the federal government.
The May 2021 directive signed by Pekoske required critical pipeline owners and operators to report confirmed cyber incidents to the DHS Cybersecurity and Infrastructure Security Agency, designate a cybersecurity coordinator, review current practices, and identify cyber gaps and measures to address these gaps.
The July 2021 directive required critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known cyber threats, develop and implement a contingency and recovery plan, and conduct a cybersecurity architecture review. The specific measures were not publicly released due to security sensitivities.
Pekoske told the committee that the revision to the second directive “will be a template for our approach to rail and for aviation in the future.”