The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued a Security Directive last week intended to protect against and respond to cyber threats posed to pipeline companies. This latest action, which may be followed by additional mandatory measures, is designed to strengthen earlier informational notices and voluntary guidelines from the DHS Cybersecurity and Infrastructure Agency (CISA) by setting mandatory baseline cybersecurity requirements for the pipeline industry. Additionally, even though the Security Directive does not state so explicitly, government officials noted that violating the Security Directive’s requirements could be penalized with a fine.
The measures are part of a broader government effort to be more proactive in combatting cyber threats, including the Biden administration’s recently issued cybersecurity executive order, which creates a series of initiatives designed to help the U.S. government better respond to cybersecurity threats. They are also a direct response to the Colonial Pipeline ransomware attack in May 2021, which led Colonial Pipeline Company to shut down more than 5,000 miles of its pipeline that carries fuel to customers throughout the southern and eastern regions of the United States. Even though Colonial Pipeline Company was able to restore its operations a few days after it publicly disclosed the attack, the incident caused over 10,000 gas stations to run out of fuel and highlighted the unique vulnerability of critical infrastructure systems to relatively common cyber threats.
The Security Directive requires three key actions on the part of TSA-identified pipeline owners and operators:
In short, this new Security Directive is yet another signal that the U.S. government is seeking to take bold actions to defend against cyber threats, including by relying on existing legal authority to make voluntary guidance mandatory for critical sectors. On the heels of the recent executive order on cybersecurity, which applied to the U.S. government and federal government contractors, the new guidance also shows some of the ways that the U.S. government will seek to implement minimum cybersecurity requirements for private-sector entities. It remains unclear to what extent TSA will act to enforce these new requirements, but this Security Directive is a noteworthy step to address the cyber defenses of the pipeline sector and may be a sign of what is to come for other critical infrastructure sectors.