The Transportation Security Administration intends to release the first of at least two security directives that would require pipeline operators to notify it when they are targets or victims of cyberattacks, according to senior officials at the Department of Homeland Security. The action, expected this week, also will require each company to designate a point person for cybersecurity.
The order “should be understood as step one” in a detailed program by the Biden administration to boost the security of more than 2.5 million miles of U.S. pipelines, said one of the DHS officials. “Step two will be a more muscular mandate,” in coming weeks, that will require pipeline owners to take concrete steps to secure their assets against attacks, the official said.
The action by TSA, which is part of DHS, provides the first solid evidence that the Biden administration intends to insert itself into pipeline security more directly than the Trump, Obama and Bush administrations, which deferred to the pipeline industry’s desire to avoid regulations for physical- and cybersecurity.
The springboard for TSA’s more assertive stance is the ransomware attack earlier this month on Colonial Pipeline Co., and a sharp increase in attacks against the critical assets on which the nation relies for fuel, electricity, water and other services.
The TSA directives will be backed by the agency’s penalty and enforcement authority. Although TSA created pipeline-security guidelines more than a decade ago, compliance has been voluntary. By contrast, the electric power industry—which depends on gas pipelines for much of its fuel—has had physical security standards since 2006 and cybersecurity standards since 2016, both backed by penalties.
The Biden administration’s goal is to put in place “effective, enforceable regulation, not create a check-the-box exercise” for pipelines, said one of the DHS officials.
The planned directives were reported earlier Tuesday by the Washington Post.
The effort is likely to receive pushback from industry. Even after the Colonial Pipeline hack, representatives of the American Petroleum Institute, a trade group, expressed opposition to mandatory cybersecurity standards for pipelines, saying it wouldn’t be fair to single out pipelines for stricter treatment than the rest of industry.
Rep. Bennie Thompson (D., Miss.), chairman of the Committee on Homeland Security, said TSA’s action is “a major step in the right direction.”
Both the power and pipeline industries have had detailed state and federal safety standards for decades. But a separate, and uneven, system of oversight has sprung up to protect against malicious acts and it has resulted in a somewhat artificial distinction between safety and security, said Bill Caram, executive director of the Pipeline Safety Trust, a nonprofit advocacy organization in Bellingham, Wash.
The pitfalls of a longstanding collaborative approach to pipeline security between TSA and the pipeline industry became clear on May 7, when Colonial Pipeline received a ransom demand and, finding some of its computer systems locked, made a snap decision to shut down its 5,500-mile fuel-transport network that stretches from Texas to New Jersey.