Revisions to TSA pipeline cyber rules highlight delicate balance between fed goals, industry realities

After the May 2021 Colonial Pipeline ransomware attack led to significant disruptions in gas supply, the Biden administration rolled out a pair of new strict regulations on how pipeline owners and operators manage their cybersecurity.

At the time, Secretary of Homeland Security Alejandro Mayorkas said the regulations would enable his department to “better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security.”

One year later, efforts to regulate the pipeline sector’s protections against future ransomware attacks and other threats continue, but have been revised in recent months in response to feedback from industry that some provisions are unrealistic, unworkable or do not take into account the realities of the pipeline sector.

In a statement, a spokesperson from the Transportation Security Administration confirmed to SC Media that the agency reissued a revised set of regulations for its first security directive in May 2022 that increased the amount of time owners and operators would have to report hacks to the government from 12 hours to 24 hours. The agency plans to do the same for the second directive before it expires to build in more flexibility for industry to meet the same objectives without having to follow the government’s specific prescriptions.

The Wall Street Journal first reported on the regulatory changes.

“The re-issuance of the security directives will transition to a performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology,” the spokesperson said.

According to a fact sheet SC Media obtained from the TSA, since the security directives were put in place the agency has received more than 380 requests from industry for “alternative measures,” or requests to be exempt from certain requirements if they can find another method of accomplishing the same level of security.

The fact sheet does not detail the nature of those requests except to say that “41 requests were addressed and closed by revising the Security Directive to extend the cycle time for certain actions from 7 days to 15 days.” The agency also said it has established a “surge team” of cybersecurity experts, policy writers and lawyers to assist internal specialists in reviewing and processing those requests.

The regulations, which TSA said were “purposely designed to allow for flexibility,” also allow companies to opt out of certain requirements if they believe doing so would create a safety issue or risk operational disruption of the pipeline. To date, the agency said it has not received any notification from industry that an operational disruption has occurred as a result of implementing the requirements, and has received “fewer than 10” notifications that claim the potential for future disruption. Follow-up investigations of those claims by the Pipeline and Hazardous Materials Safety Administration have concluded that they do not.

A delicate dance of federal regulation for cybersecurity of private companies

The changes underscore the delicate line that federal regulators must toe as they seek to significantly raise the floor of cybersecurity protections for pipeline operators, water companies and other sectors of the economy that are largely privately owned, and where regulators have little direct experience with operational realities.

In May, just weeks before the revised regulations were reportedly put in place, Jason Tama, director of resilience and response at the White House National Security Council, told SC Media that developing cybersecurity regulations that can both meet the modern bar federal regulators are trying to set and apply to the specific needs of individual industries and sectors is a constant challenge.

Pushback from industry to a range of new regulations — as well as the complaints that they do not do enough to take operational realities into account — is part of a mostly healthy dialogue that is needed to properly calibrate those rules. The experience, he said, has reinforced for the White House the maxim that “if you’ve seen one sector, you’ve seen one sector: pipelines is different than water is different than medical.”

“We constantly need to stress test [our infrastructure protection framework], we need to evaluate that, trust in our departments and agencies that have the expertise in those sectors to mitigate the risks that they best can, working in close partnership with industry … and you balance that with frankly limited authorities and capabilities that vary by agency, and so sometimes that ends up in a little different approaches based on the authorities you have to try to put the finger in the dike,” Tama said.

Outside of government, cybersecurity companies that work with pipeline owners and operators say the early stumbles are far from fatal but do indicate that agencies like TSA will need more money, resources and expertise from other agencies.

The agency has tried to meet the new demand for pipeline cybersecurity, boosting its cyber workforce around pipeline operations from just five employees in 2019 to more than 20 today (and requesting another 13 in 2023 budget requests). Padraic O’Reilly, co-founder of CyberSaint, which offers cybersecurity services to companies in the defense and energy sectors, told SC Media in an interview that the agency still needs to draw more from other agencies, like the Department of Energy and the Cybersecurity and Infrastructure Security Agency, that have more experience securing operational technology.

That concern is one of the reasons that some lawmakers have introduced legislation that would seek to move authority for pipeline cybersecurity from TSA to a new entity under the Department of Energy, a debate that O’Reilly said will likely continue into the future.

“TSA was not necessarily equipped for this, they just weren’t,” he said. “They were handed it in a sense because they had the regulatory authority, but were they the proper entity to look at it and will they be the proper entity to look at it going forward? That’s why some of these senators have been pushing for the Department of Energy to take a look at this, because the analog for this, to me, is the [North American Electric Reliability Corporation’s] critical infrastructure protection requirements.”

O’Reilly pointed to certain requirements that came out of the TSA directives, like shorter patching timelines and implementing multifactor authentication for devices, that do not take into account the obstacles owners and operators typically face when securing their operations. Many companies lack the kind of built-in redundancy that would allow them to turn off critical systems or devices for updates at will, while implementing multifactor authentication for, say, programmable logic controllers, can be “quite tough” to do.

Scoping out the 'public good' in critical infrastructure cybersecurity

Others echoed those concerns even as they credited TSA for being responsive to public feedback. Chris Grove, a director and cybersecurity strategist at Nozomi Networks, welcomed the changes and shift to a more performance-based approach for measuring compliance. However, he also said the episode underscores how “attempting to prescribe solutions across an entire sector can be complicated, if not impossible.”

“We need an increase in transparency between asset owners, government, and other stakeholders, in a way that improves our ability to respond to threats without overburdening the asset operators, or codifying recommendations that could work against the tenets of safe and secure industrial operations,” he said.

The hacking of Colonial Pipeline, JBS Foods and others, as well as attempts by hacking groups to gain access to other infrastructure like water treatment facilities and the electrical grid, have largely marked the end of the voluntary cybersecurity regulatory regime that companies in critical infrastructure have operated under until now.

What the new regime will look like and how prescriptive the government can be is still being negotiated, and the pushback from the pipeline sector in some ways mirrors parallel debates that are happening in the water and railway industries, as well as among companies that may be subject to new cyber rules being put in place by CISA and the Securities and Exchange Commission.

Some experts reached by SC Media said they expect any upcoming rulemaking process around the TSA regulations over the next year to largely reaffirm and codify the revised rules. But larger discussions over how far the government can and should go, how to effectively hold critical infrastructure entities to higher standards and which agencies to vest authorities in, will continue for years.

“The problem of having so much of our infrastructure in private hands — it’s good in some regards — but it’s also hard to do the right calculations with respect to the public good,” said O’Reilly. “The government has to be involved because they’re the only ones that can correlate the amount of information that needs to be correlated and they have a lot of expertise, but it’s [also] sort of which part of government gets involved here.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
