16 Jun, 2021

Upcoming cyber rule for pipelines will include 'mandatory mitigating measures'

author's image

By Ellie Potter


Pipeline companies can expect more rules around how they handle cyberthreats following the Colonial Pipeline Co. cybersecurity breach, a federal regulator told U.S. lawmakers on June 15.

The U.S. Transportation Security Administration, which is responsible for protecting U.S. critical infrastructure against cyberthreats, is developing a new regulation pertaining to "security-sensitive information," Sonya Proctor, assistant administrator for TSA's surface operations, told the U.S. House Committee on Homeland Security subcommittees on Transportation and Maritime Security and Cybersecurity, Infrastructure Protection and Innovation.

"We're in the process now of developing our second security directive ... which will have more specific mandatory mitigating measures that will be required by owners and operators," Proctor said during a June 15 subcommittee hearing. "That directive is going to be very specific."

Historically, the TSA issued pipeline security guidelines for owners and operators to follow, though doing so was not mandatory. But in May, the agency ordered operators to report all confirmed and suspected cybersecurity incidents, following the ransomware attack that forced Colonial to shut down its major oil pipeline for days.

The new directive will "have a lot more details and will be rather prescriptive in terms of the mitigation measures required," Proctor said.

Several federal officials, including Commissioners Richard Glick and Neil Chatterjee of the U.S. Federal Energy Regulatory Commission, said the U.S. Energy Department should oversee pipeline cybersecurity rather than the TSA.