Houston Chronicle

TSA issues new cybersecurity rules for fuel pipeline operators

- By Aaron Gregg

WASHINGTON — The Biden administration, taking a more proactive role in the cybersecurity of private companies, is moving forward with new rules that compel pipeline operators to improve their defenses against cybercriminals.

A security directive issued Tuesday by the Transportation Security Administration, a unit of Homeland Security, follows a spate of ransomware attacks targeting critical infrastructure. The order, which marks the first new regulation in this area after years of a voluntary approach, cuts short the traditional rule-making process to address what Homeland Security Secretary Alejandro Mayorkas called an urgent threat to American lives and livelihoods.

“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Mayorkas said in a statement announcing the new rules.

In May, the Colonial Pipeline was knocked off line after a brazen ransomware attack, setting off days of panic buying at gas stations in several states. The network, which supplies the East Coast with 45 percent of its fuel, was taken down after a hacker group known as DarkSide infiltrated the Georgia-based company’s servers and encrypted its data, demanding a ransom to restore access. Cybersecurity experts described the incident as the biggest known cyberattack on U.S. energy infrastructure.

The TSA announcement comes as the DHS and FBI disclosed for the first time that Chinese state-sponsored hackers targeted 23 U.S. natural gas pipeline operators from 2011 to 2013. The newly declassified phishing campaign successfully compromised systems on at least 13 of them, according to the advisory.

The attacks highlight the myriad ways cybercriminals can strangle economies and disrupt daily life. The Biden administration pledged a “whole-of-government response” to protect the United States from ransomware attacks in response to the Colonial hack.

Tuesday’s directive, along with one from late May, adds the TSA to a patchwork of federal agencies engaged in pipeline cybersecurity issues, including the DHS’s Cybersecurity and Infrastructure Security Agency, the Department of Energy and the Coast Guard. The FBI recently set up a task force to go after cybercriminals.

The TSA announcement provides few details on the order or how it will be enforced, as much of it is classified to prevent hackers from learning too much about pipeline operators’ cyberdefenses. It’s unclear whether the directive will include penalties for companies that fail to meet its standards.

According to the announcement, pipeline owners are now required to implement specific, though unspecified, safeguards against ransomware attacks. The measures cover the IT systems commonly targeted by cybercriminals as well as physical systems that control the flow of fuel. It also requires pipeline operators to review their IT infrastructure and develop plans for how to respond to a hack.

Industry groups are likely to oppose the new regulations. Williams and Jensen, a law firm that lobbies for Colonial Pipeline, upped its lobbying income from $30,000 to $150,000 in the most recent quarter, according to the company’s Senate lobbying disclosure. The firm lobbied on cybersecurity issues and also worked to “provide information regarding the May 7th ransomware attack,” according to the disclosure.

The American Public Gas Association, a trade group, said the new rules are too vague and that pipeline operators will need more time to implement them.

In a Sunday letter obtained by the Washington Post, APGA manager Chuck Phillips said many natural gas companies have to rely on utility boards or local governments for budget approval, something that can delay upgrades.

“Technology upgrades to ensure secure infrastructure are considered when appropriate, but this requires significant time and conversation years in advance of execution,” wrote Phillips.

For example, Phillips said, it would be impossible to deploy multifactor authentication across all of a company’s physical IT systems within 90 days. He called several of the TSA’s requirements “unreasonable.”

Ron Gula, the founder of Tenable Network Security, said Tuesday’s directive was “a positive step, but nebulous at best.” The lack of detail provided by the TSA, he noted, could give pipeline executives too much leeway to interpret the regulations according to their companies’ interests.

“The lack of detail is the most concerning for me here,” Gula said. “It will leave interpretation of these broad recommendations up to boards and executives who are not cybersecurity experts.”

David Holtzman, a private cybersecurity expert who studies critical infrastructure, said the TSA directive is not broad enough and does too little to punish noncompliance. He also said he thought it was based too closely on the Colonial Pipeline incident.

“Like TSA making people take off their shoes in the security line, (the security directive) appears highly targeted and backward-looking, not proactive enough to forestall future threats,” Holtzman said.

The measure in and of itself is not a silver bullet, said one U.S. official, who spoke on the condition of anonymity to discuss regulation that is not public. However, the official said, implementing regulation through a security directive as opposed to a traditional rule-making with public notice and a comment period is “tricky” because the agency must justify it as “immediately needed to protect the security of the sector” or risk litigation.

“It’s as good and robust and forward-leaning as it could be given the instrument (the agency is) working with,” the official said.

Sen. Angus King, I-Maine, called the directive “a needed step that risks falling short based on the level of threat we face.” He said the government also needs to identify other sectors where critical infrastructure might be vulnerable to hackers.

“We have to identify the most systemically important critical infrastructure — across numerous sectors — and ensure we have established an effective public-private collaboration with the federal government,” King said.

Bonnie Jo Mount / Washington Post: Pipeline interests blast the Transportation Safety Administration’s new rules as too complex to implement, while cybersecurity officials in the Biden administration stress the need to safeguard infrastructure.
Dustin Chambers / Washington Post: Jerald White fills a gas container May 13 in Morrow, Ga., amid panic buying over the attack on the Colonial Pipeline.
