TSA to change cybersecurity rules for pipelines following industry criticism

The Transportation Security Administration (TSA) announced changes to a cybersecurity directive for U.S. pipelines after backlash from industry experts and trade groups. 

TSA issued two sets of security directives last year after the ransomware attack on Colonial Pipeline dominated headlines and caused a week-long run on gasoline along the East Coast of the U.S.

The attack kickstarted wide-ranging government efforts to better protect critical infrastructure, and in May TSA reissued the first set of security directives for critical pipelines after they expired. 

The first set of rules forced owners and operators of critical pipelines to report cybersecurity incidents, designate a cybersecurity coordinator, and conduct vulnerability assessments. The reissued security directive changed the incident reporting time from 12 to 24 hours.

In July 2021, TSA said it worked with the Cybersecurity and Infrastructure Security Agency (CISA) on more “technical countermeasures” designed to prevent threats they've discovered in their research of the pipeline industry. 

Details were not released publicly, but TSA said last year that the directive required owners to “implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”

A TSA spokesperson told The Record on Wednesday that the agency is planning to reissue the second set of security guidelines next month but with changes that “afford greater flexibility to industry in achieving critical cyber security outcomes.” The changes were first reported by The Wall Street Journal. 

A TSA spokesperson said the new version of the directive will move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology.”

“TSA also intends to issue a notice of proposed rulemaking within the next year that, if issued as a final rule, would – for the first time – permanently codify a number of critical cybersecurity requirements for pipelines and other surface transportation systems," the spokesperson said. "This action will protect critical transportation infrastructure from continually evolving, and increasingly sophisticated cyber threats, and better safeguard our national and economic security.”

'Screwed this up'

The second set of rules faced significant backlash from industry cybersecurity experts and companies who said the rules were overly prescriptive and actually damaged efforts to improve pipeline security.  

Robert M. Lee, CEO of infrastructure cybersecurity firm Dragos, bluntly told Politico in March that TSA “has screwed this up” in “every sense,” adding that it “is a perfect example of what not to do with a regulatory process.”

Critical infrastructure cybersecurity experts like SynSaber CTO Ron Fabela said in an email that the second directive from TSA was “an alphabet soup of buzzwords (zero trust, MFA) and kitchen sink requirements that just didn't apply to pipeline environments.”

“TSA is being secretive and not releasing these documents for public comment and review, which adds to some mystery over the requirement and control efficacy. What we do know is that industry participation through organizations such as the American Petroleum Institute, which is comprised of the owners/operators to be regulated, is the right direction versus individual favoritism to one or few technology vendors," he said.

Nozomi Networks director Chris Grove added that the updated guidance highlighted that attempting to prescribe solutions across an entire sector can be complicated, if not impossible. 

Cooperation between the government and the private sector is crucial to cybersecurity success, Grove explained, adding that there needs to be an increase in transparency between asset owners, government, and other stakeholders, in a way that improves their ability to respond to threats without overburdening the asset operators, or codifying recommendations that could work against the tenets of safe and secure industrial operations.

“These much-needed changes allow for defenders to be more agile, and do what’s best for their specific infrastructure and environment using a measurable, performance-based approach," Grove said. 

Fabela noted that the move to more performance-based metrics gives asset owners and operators room to implement security controls that meet their unique environmental requirements. 

He was relieved that that the breach notification timeline was lengthened from 12 to 24 hours but questioned what happens after reports are submitted. 

Breach notification has potential for confusion as the community wrestles with "what event or events constitute a reportable breach," and more critically, "what are the benefits of reporting besides compliance," Fabela said. 

“With a focus on breach notification becoming standard across all sectors, it's apparent that scalable and flexible monitoring be factored into every compliance program, as the answer of ‘we didn't know’ is no longer acceptable to regulators,” he added. 

“Reactive cyber security rules for industry continue to be a challenge for the entire industry, not just pipeline operations.”

The TSA spokesperson told The Record that the agency has had “extensive coordination” with industry experts and is only regulating the most critical of the nation’s pipelines. The agency also shares advisory information with industry organizations – even those not covered by the directives – through CISA, FBI, and the NSA. 

They added that there is the potential for additional security directives to be handed down in the coming months. 

The spokesperson noted that another security directive was issued in December 2021 covering higher-risk freight railroads, passenger rail, and rail transit. Those directives expire in December.

“TSA is committed to working with the owners and operators of the nation’s critical transportation infrastructure to defend those systems from the ever-present threat of cyberattack,” the spokesperson said. 

“The disruptive ransomware attack on Colonial Pipeline in May 2021 revealed a continuing significant national security risk with critical vulnerabilities in the pipeline sector.”