
TSA announces new pipeline security order


Though details are under wraps, Homeland Security Secretary Alejandro Mayorkas announced Tuesday that the Transportation Security Agency has issued its anticipated second order on oil and gas pipeline security.

“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Mayorkas said in a press release. “Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security. Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

The order follows a similar action in May as part of the Biden administration's efforts to respond to a destabilizing ransomware attack on the Colonial Pipeline, which supplies fuel across the East Coast. The TSA is the DHS agency in charge of pipeline security, though it works closely with CISA in developing cybersecurity decisions. When it announced the first order, the TSA said a second, more detailed order would soon follow.

As expected, Homeland Security has not released the specifics of the order. In June, Sonya Proctor, assistant administrator for surface operations for the TSA, told a House hearing that the second order would be marked "security-sensitive information," something not-quite-classified but still seen as too much of a risk for public eyes.

At the time, Proctor did say that the order will "have the force of a regulation that would require more specific mitigation measures. And it will ultimately include more specific requirements with regard to assessment," later adding that the directive would be subject to inspection by the TSA's principal security investigators.

"It will have a lot more detail and be more prescriptive in terms of the mitigation measures required," she said.

The first order was more general. Pipeline operators were required to alert CISA of all cybersecurity incidents and to create an always-available coordinator to handle security problems. They were also given 30 days to audit their operations against cybersecurity guidelines that had not previously been mandatory or enforced, and to develop a plan to plug any gaps.

Earlier in the day, at a hearing about ransomware, Rep. David McKinley, R-W.Va., expressed deep concerns about pipeline security, saying he felt that the best way to disincentivize ransomware and ensure critical operations would be to build a secondary pipeline to shadow existing infrastructure.

"President Biden and his people on the left, unfortunately, seem to continue to block building additional pipelines, as a redundant system," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
