In a direct response to May’s ransomware attack against Colonial Pipeline, the Transportation Security Administration on Tuesday announced that “a number of urgently needed protections against cyber intrusions” will be imposed on operators of “critical pipelines” in the U.S.

The security directive builds on cybersecurity measures issued in the immediate aftermath of the attack, which led Colonial to shut down for nearly a week its entire 5,500-mile network that delivers nearly half of the U.S. East Coast’s supply of gasoline, diesel, jet fuel and other petroleum products. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.) The FBI attributed the ransomware attack to the Eastern European criminal organization DarkSide, which seems to have gone quiet since a raid by law enforcement that recovered most of the ransom paid by Colonial. (See Colonial CEO Welcomes Federal Cyber Assistance.)

TSA’s earlier measure required owners and operators of critical pipelines to “report confirmed and potential cybersecurity incidents” to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). They were also required to appoint a cybersecurity coordinator to serve as a single point of contact with federal officials 24 hours a day, seven days a week; review their current cybersecurity practices; and identify and report to TSA and CISA any cyber risks identified, along with related mitigation measures.

The new requirements, developed alongside CISA, mandate that critical pipeline operators and owners:

• implement “specific mitigation measures” (not named in TSA’s announcement) to protect against ransomware and other threats to information technology and operational technology systems;
• develop and implement a cybersecurity contingency and recovery plan; and
• conduct a cybersecurity architecture design review.

TSA defines a critical pipeline as one that “provides primary service to designated critical infrastructure” and constitutes a “single point of failure” — meaning that rendering the pipeline inoperable would leave the critical infrastructure unable to perform its mission.

Operators may also designate pipelines as critical themselves according to more stringent criteria, including whether damage to them could disrupt service to critical national defense facilities, airports or power plants; cause mass injuries or environmental effects; or disrupt the ability of state and local governments to provide essential services for an extended period.

“Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Secretary of Homeland Security Alejandro Mayorkas said in a statement. “Public-private partnerships are critical to the security of every community across our country, and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

Cyber Actions Spurred by Colonial Hack

The Colonial attack focused attention on the cybersecurity preparedness — or apparent lack thereof — of the U.S. pipeline system, with multiple recommendations emerging after the hack. For example, the week after the attack FERC Chairman Richard Glick and Commissioner Allison Clements called for “mandatory cybersecurity standards,” similar to NERC’s Critical Infrastructure Protection (CIP), to cover the nation’s pipelines. Glick previously joined then-Chairman Neil Chatterjee for an op-ed in 2019 calling for Congress to reassign responsibility for pipeline security from TSA to a new agency. (See TSA Defends Pipeline Security Practices Before FERC.)

Concrete actions taken by the federal government include an executive order issued by President Biden in May that, among other things, expanded the role of CISA to include reviewing federal agencies’ current cybersecurity requirements, developing future security strategies, and receiving reports of cyber vulnerabilities and incidents from government contractors. (See Biden Directs Federal Cybersecurity Overhaul.)

Biden’s order also created a cybersecurity safety review board led by public- and private-sector officials to investigate incidents and make recommendations for improvements, as well as a pilot for a software supply chain security labeling scheme that consumers can use to judge the safety of software products at a glance.