Biden Admin Unveils Pipeline Cybersecurity Mandates

Owners and operators of certain pipelines will need to implement various cybersecurity protections under a new directive issued Tuesday by the Transportation Security Administration (TSA).

The security directive applies to owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas, the U.S. Department of Homeland Security (DHS) reported.

“Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” remarked DHS Secretary Alejandro N. Mayorkas.

DHS stated the security directive requires owners and operators of TSA-designated critical pipelines to:

• implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems
• Develop and implement a cybersecurity contingency and recovery plan
• Conduct a cybersecurity architecture design review.

Tuesday’s announcement marks TSA’s second security directive in recent months. In May of this year, in the wake of a major cyberattack on Colonial Pipeline, TSA issued an initial security directive. DHS stated the first directive required critical pipeline owners and operators to:

• report confirmed and potential cybersecurity incidents to DHS’ Cybersecurity and Infrastructure Security Agency (CISA)
• designate a cybersecurity coordinator to be available 24 hours a day, seven days a week
• review current practices
• identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

But will it work?

A “data-driven defense evangelist” with computer and network security firm KnowBe4 (NASDAQ: KNBE) called the latest TSA directive “good news” but added that it probably will be ineffective.

“Anything that gets us better secured is a good thing,” remarked KnowBe4’s Roger Grimes in a written statement emailed to Rigzone. “It will also likely not work.”

Grimes pointed out the TSA mandate follows a string of existing cybersecurity actions.

“(I)t is hard to be perfect and every organization is already trying to do computer security perfectly,” he explained. “Adding another requirement on top of all the other requirements and regulations overtop of what they already know they should be doing is likely not going to result in being significantly more resilient to cyber-attacks. It cannot hurt … but it is not likely to be the final nail in the coffin that defeats all malicious hackers and malware.”

Making it harder for malicious hackers and malware to hide would help to mitigate the problem, Grimes said.

“Hackers hack and spread malware because they either cannot be traced or cannot be arrested and punished when caught,” he noted. “A malicious hacker is more likely to be struck by lightning, twice, than to get arrested for hacking.”

Grimes said that making the Internet “significantly … more secure by default” would help.

“There are ways to make the Internet significantly more secure,” he said. “I have written on this topic for decades and recently re-submitted plans for how to do so to CISA and other Internet security groups. We have the technology. We do not have to reinvent the wheel. We just need to right people in the same room and a true willingness to solve the problem.”

In addition to a “far more secure Internet,” Grimes said that a “global agreement on digital crimes” would aid in fighting malicious hackers and malware.

“One more regulation on an industry is not going to change the problem,” he concluded. “How do I know? Because we had three decades of increased regulation and the problem is only getting worse each year.”

To contact the author, email mveazey@rigzone.com.