TSA orders pipeline companies to disclose breaches after Colonial hack - POLITICO

Companies that operate pipelines must alert the government whenever they suffer cyberattacks, the Transportation Security Administration ordered Thursday, in the Biden administration’s first effort to harden U.S. critical infrastructure after hackers disrupted the East Coast’s gasoline supply three weeks ago.

Pipeline operators also must preemptively assess their cybersecurity postures for weaknesses that could open the door to hackers, according to the new TSA rule.

The rule announced Thursday is the first-ever federal cybersecurity regulation for pipeline companies, which until now have faced only voluntary TSA guidance, including the suggestion that they report breaches. It comes as Congress is debating even more sweeping responses to this month’s disruptive Colonial Pipeline hack, such as proposals to mandate cyber incident reporting by all companies that operate critical infrastructure or provide key technology services.

In addition, some lawmakers of both parties have suggested stripping oversight of pipeline security from the TSA, an arm of the Department of Homeland Security whose main duties include preventing terrorist attacks on commercial airliners.

The cyberattack on Colonial, first disclosed May 7, prompted the Georgia-based company to shut down the 5,500-mile-long pipeline that supplies much of the East Coast’s gasoline, diesel and jet fuel, leading to hoarding and widespread fuel shortages.

“The Colonial Pipeline ransomware attack was a powerful reminder … of why we need to take this action,” a senior DHS official told reporters during a Wednesday briefing.

Under the new rule, pipeline operators have 12 hours to report cyber incidents to DHS’ Cybersecurity and Infrastructure Security Agency, which is partnering with TSA on pipeline security. Within 30 days, they must also assess how their cybersecurity practices line up with existing TSA guidance and develop plans to fix any gaps.

TSA will be able to impose daily penalties on companies that do not comply.

Operators must also designate a lead cyber employee to maintain 24/7 communication with TSA and CISA.

TSA plans to issue a second pipeline cyber directive with more significant requirements in the coming weeks, The Washington Post has reported.

“This is step one in the immediate wake of the Colonial Pipeline incident, to be followed by more,” a senior DHS official said.

The new incident-reporting requirement is meant to ensure that the government’s cyber defenders understand the nature and scope of digital attacks as they work to prevent further intrusions. Although Colonial alerted the FBI after discovering that it had been hit by an extortion attack known as ransomware, it did not provide technical data to CISA until several days later. The company also did not inform CISA that it had paid a multimillion-dollar ransom to regain access to its data.

The Colonial hack exposed the shortcomings of the federal government’s current approach to defending critical infrastructure. Few of the 16 infrastructure sectors, which are managed by a cluster of different federal agencies, face mandatory cyber requirements.

In addition, several of the agencies responsible for overseeing infrastructure, including the TSA and the Environmental Protection Agency, have little experience with cybersecurity and devote few resources to digital threats. In 2018, TSA’s pipeline security arm only had six full-time employees, and the agency lacked a plan for ensuring that employees had the requisite cyber knowledge, according to a report from the Government Accountability Office.

TSA now has enough personnel to enforce the new rule, a senior DHS official said, and those staffers have received training from CISA and other government experts. “We are continuing to expand that group,” the official said.

Through an existing partnership, CISA and TSA have conducted security reviews of 23 pipeline facilities since October 2020 and plan to conduct another 29 reviews in the next four months, according to the official.

For years, federal cyber leaders and industry executives have emphasized cooperation rather than regulation as a means of safeguarding infrastructure from hackers. But many companies — including some that run the United States’ power plants, water treatment facilities and other vital infrastructure — either ignore cybersecurity or devote too few resources and attention to it, creating weak links that can metastasize into bigger problems.

Biden administration officials have also touted the value of public-private partnerships and voluntary information sharing, but the Colonial hack appears to have galvanized the administration to pursue a stricter approach to protecting a vital part of the country’s energy system.

“Even though we will have more structured oversight … we still look forward to a very collaborative relationship with the pipeline industry,” one senior DHS official said.

But, another added, one lesson from the Colonial hack is that “we need to adopt a more muscular approach.”

Frustration with the voluntary approach has mounted in Congress, too. A bipartisan group of lawmakers is drafting legislation to require critical infrastructure companies and major IT service providers to disclose hacks to the government.

TSA’s new rules are likely to spark intense pushback from the oil sector, which has opposed new regulations on its members even as evidence has mounted that voluntary standards are inadequate.

“Any potential regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation’s critical infrastructure,” Suzanne Lemieux, the American Petroleum Institute’s manager of operations security and emergency response, said in a statement after the rule’s release. In mid-May, Lemieux said regulation was “premature” without “a full understanding” of the Colonial hack.

While TSA steps up its oversight of pipelines, some policymakers are questioning whether it is even the right agency to do that work. On the Hill, leaders of the House Energy and Commerce Committee are pushing for the Energy Department to take over TSA’s pipeline portfolio. The chair of the House Homeland Security Committee, however, has argued that TSA has the necessary experience to retain its role.
