TSA formalizes new cybersecurity rules for critical pipeline owners and operators

The Department of Homeland Security’s Transportation Security Administration has formally announced new cybersecurity requirements for critical pipeline owners and operators.
The directive, requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week.

The order also requires critical pipeline owners and operators to review their current practices and to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” Secretary of Homeland Security Alejandro N. Mayorkas said. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security.”

The TSA is also considering follow-on mandatory measures that will further support the pipeline industry. The follow-on orders are aimed at enhancing cybersecurity and strengthening the public-private partnership “so critical to the cybersecurity of our homeland.” What exactly those “mandatory measures” would be was not detailed.
As noted when it first reported that the directive was coming, the TSA’s oversight of pipeline security alongside its better-known role in providing airport security is an artifact of a reorganization of the federal government following the 9/11 attacks. The Department of Transportation had previously overseen pipeline security. Muddling things somewhat, DOT is still in charge of pipeline safety, making sure pipelines don’t fail.