September 2021, Vol. 248, No. 9
Government
INGAA Questions New Pipeline Cybersecurity Mandates
By Stephen Barlas, Contributing Editor, Washington D.C.
The ransomware attack on the Colonial Pipeline Company oil pipeline in May continues to have federal regulatory reverberations reflected in the first-time safety and operation mandates published by the Department of Homeland Security (DHS) in July. But members of Congress, who view gas and oil pipelines as dangerously vulnerable to cyberattacks, appear to be underwhelmed by the DHS mandates which come from its subagency, the Transportation Security Administration (TSA). A second directive in May was simply non-enforceable guidance.
A top TSA official told a Senate committee that the pipeline industry had input into the new mandates issued July 19. But the Interstate Natural Gas Association of America (INGAA) does not appear particularly happy with them.
A spokeswoman said, “In this instance, TSA used emergency authority to implement a significant new set of regulations without the usual notice-and-comment procedures, and INGAA anticipates that improvements to the TSA directive will be necessary to maximize its efficacy and practicality. INGAA believes that the directive would be improved by providing pipeline operators more ability to base their cybersecurity protections on individual pipeline systems’ specific configurations and risks.”
Some in Congress feel the directive doesn’t go far enough. At hearings in the Senate Commerce, Science and Transportation Committee on July 27, Chairman Sen. Maria Cantwell (D-Wash.) said the DHS directives were a step in the right direction, but more regulation is needed.
The July directive requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of protections against cyber-intrusions, including mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.
David Pekoske, administrator of the TSA, told the Senate committee that TSA consulted with industry on the security directive and took its comments into consideration, including updating the security directive to incorporate some of the feedback received. No one from industry appeared at those hearings.
Cantwell implied that the DHS needed additional requirements on pipelines, some of them based on a report from the Government Accountability Office (GAO). She explained, “The GAO report shows the use of incomplete information for security risk assessments and aged protocols for responding to security incidents, as well as many of the workforce issues that we have previously addressed in this committee.”
At the hearings, Leslie Gordon, acting director of Homeland Security and Justice, GAO, complimented the TSA for correcting most of the shortcomings the GAO had identified in two recent reports. But she underlined two weaknesses that were still evident. One was incomplete information for pipeline risk assessments. GAO identified factors that likely limit the usefulness of TSA’s risk assessment methodology for prioritizing pipeline security reviews.
The second was aged protocols for responding to pipeline security incidents. The TSA still uses its 2010 Pipeline Security and Incident Recovery Protocol Plan, which is very light with regard to cybersecurity. TSA has started to correct those shortcomings but has not completed that job, according to the GAO.
At hearings across the Capitol on the same day, at the House Energy and Commerce Committee, top Republican Rep. Fred Upton (Mich.) pointed out that not enough pipeline executives have the required clearance level needed to access DHS information and data.
Federal Energy Regulatory Commission (FERC) Commissioner Neil Chatterjee, whose formal term ended in August, answered, “There is no question that is a problem.” He went on to say that if a missile had taken out the Colonial Pipeline, “we would have clearly recognized that as an act of terrorism and known how to respond accordingly. Our mindset is not there yet.”
While members of the House, Senate and FERC (which has no authority over pipeline cybersecurity) feel DHS needs to go further, the agency is staffing up to increase pipeline oversight. Pekoske has expanded TSA’s pipeline cybersecurity personnel from six to 39 full-time employees since the passage of the TSA Modernization Act in October 2018.
Further, in fiscal year 2020, TSA established and trained a 20-member field-based pipeline security assessment team (PSAT), which comprises credentialed transportation security inspectors (TSIs) located around the nation to expand TSA’s support and engagement capacity with pipeline owners and operators. Eight members from the PSAT team and TSA headquarters have completed comprehensive cybersecurity training provided by Idaho National Labs.
Comments