Homeland Security to Require Cybersecurity Reporting by Pipeline Industry

In the wake of last month’s debilitating Colonial Pipeline ransomware attack, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a security directive that will enable it to safeguard critical companies in the pipeline industry by identifying, protecting and responding to cybersecurity threats, according to an agency press release issued on Thursday.

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Alejandro N. Mayorkas, Secretary of Homeland Security. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Although some states require a report in the event of a cybersecurity attack, there is no centralized data registry to examine the impact on the company and citizens while implementing a plan of action by the government to immediately combat the digital disruption. Prior to today’s announcement, the agency only provided voluntary guidance regarding the handling of cyberattacks.

Pipelines are identified as critical infrastructures since they are modes of transportation for gas, chemicals and water. The Colonial Pipeline attack elevated the risk exposure after the nation’s gasoline supply was subject to disruption for several days.

The security directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours. The report must describe the incident’s projected impact, technical details associated with the attack and all current and planned company responses. Within 30 days, critical pipeline owners and operators must review their current practices and identify any gaps and related remediation measures to address cyber-related risks while reporting the results to TSA and CISA. Pipeline owners and operators must designate a cybersecurity coordinator to be available 24 hours a day, seven days a week.

TSA is also considering mandatory measures that will further support the pipeline sector in enhancing its cybersecurity and strengthen the public-private partnership necessary to U.S. cybersecurity.

Since 2001, TSA has worked closely with pipeline owners and operators as well as its partners across the federal government to enhance the physical security preparedness of U.S. hazardous liquid and natural gas pipeline systems. As the nation’s lead agency for protecting critical infrastructure against cybersecurity threats, CISA provides cybersecurity resources to mitigate potential risks, including a dedicated hub that disseminates information to organizations, communities and individuals about how to better protect against ransomware attacks.

The new TSA security directive also highlights the critical role that CISA plays as the nation’s cyber defense center Through the National Defense Authorization Act late last year, Congress empowered CISA to execute its mission to secure federal civilian government networks and the nation’s critical infrastructure from physical and cyber threats.