This week, the Transportation Security Administration (TSA) in the US will mandate that pipeline organizations report cyber incidents to federal authorities. This announcement arrives on the heels of the Colonial Pipeline incident, which disrupted fuel supplies along the Eastern Seaboard for several days. Gas stations across America remained underserved more than a week later.

Experts attest that a more prolonged fuel shortage could have halted commercial flights, disrupted mass transit systems and endangered the chemical refinery business.

In the end, Colonial Pipeline’s leadership determined that the best means of moving forward consisted of paying the hackers’ ransom. As a result, the company coffers saw a deficit of $4.4 million.

In the past, the TSA, an offshoot of the Department of Homeland Security (DHS), has only offered voluntary reporting guidelines.

 White House security directives

“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” stated a spokeswoman from the DHS. Critical infrastructure organizations are reportedly collaborating with the Cybersecurity and Infrastructure Security Agency (CISA), which can offer further guidance in the adoption of measures to increase cyber resilience.

Pipeline regulations

The TSA retains the authority to create initiatives around surface transportation. However, the Department of Transportation is technically in charge of the safety of the pipes themselves. Who should really take responsibility for ensuring the security of America’s pipelines? In light of new concerns, is the current division of responsibilities antiquated?

 US infrastructure systems

In the United States, the majority of infrastructure systems are not required to follow specific cyber security standards. From medical waste incineration sites to wastewater systems, organizations lack heavy federal regulation in regards to cyber security. A small percentage of US infrastructure sectors do follow mandatory security standards. It’s mainly relegated to nuclear plants and electrical power.

In 2012, mandatory requirements for a broader swath of sectors were introduced to Congress. However, political opposition prevented their promotion.

What’s included within TSA’s new directive?

  • Organizations will be required to have a Chief Information Security Officer
  • Organizations will be required to report cyber incidents to TSA and CISA
  • Existing cyber guidelines must be enforced and security gaps addressed

“This is a first step, and the department views it as a first step…It will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes,” says one Department of Homeland Security official.

Specific objectives, security

Current TSA guidelines describe typical cyber security measures. But there’s no accountability. Experts propose a “performance-based” approach to cyber security. “The idea is to specify key objectives for the company, allowing it to innovate and keep up with technology to accomplish the goals.”

 Pipeline regulations, new normal

Are TSA’s new mandates enough? Some critics may appreciate the increased emphasis on serious cyber security measures, yet others wonder about following what may amount to outdated guidelines and vague CISA directives.

Furthermore, critical infrastructure has already seen issues related to agency ownership. Should this agency own the initiatives, or should another agency? Says Brian Harrell, of the Department of Homeland Security, “Let’s not have six sets of books that regulate one way on Monday, and another way on Tuesday.”

Oversight, pipeline security

In 2019, the TSA only had five pipeline security division staffers. At present, the existing staff may not possess the skillsets to handle audits and cyber security enforcement. To ameliorate the issue, the Department of Homeland Security is asking CISA to step in. The DHS is also creating 16 new professional roles within the TSA and 100 within CISA.

For more on this story, visit The Washington Post.