TSA preps second pipeline cyber directive


The Transportation Security Administration told lawmakers on Tuesday that the agency is developing a second security directive focused on requirements for pipeline cybersecurity mitigation measures and that the agency has a cadre of inspectors ready to enforce those requirements.

Sonya Proctor, the assistant administrator for surface operations at TSA, told two subcommittees of the House Homeland Security Committee that the new directive will be a "security sensitive information" document and "will be rather prescriptive in terms of the mitigation measures required."

Proctor was testifying before House lawmakers alongside Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, about the effects of the ransomware attack against Colonial Pipeline.

A representative from the FBI was invited to testify at the hearing but declined to attend, according to Rep. Bonnie Watson Coleman (D-N.J.).

In the weeks following the May 7 attack, TSA issued a security directive requiring pipeline owners and operators to report "confirmed and potential" cybersecurity incidents to CISA and to designate cybersecurity coordinators. The directive also requires pipeline owners to conduct self-assessments focused on the extent to which they are complying with existing voluntary standards.

Proctor's remarks on Tuesday were in response to a question from Coleman about how TSA will verify information companies report to the federal government and the consequences for misrepresenting themselves.

During previous hearings with Colonial Pipeline CEO Joseph Blount, lawmakers took issue with the company's lack of cooperation with TSA to conduct voluntary security assessments, both physical and otherwise.

Asked about the delays, Proctor said other companies also postponed assessments due to health concerns related to the pandemic. She said Colonial had also postponed the assessment because it was making certain software updates.

"We had spoken in March. They had asked for about six weeks to complete some cyber updates and the six weeks was actually the week after the incident with Colonial," Proctor said of the validated architecture design review.

Lawmakers at the hearing also voiced concerns about the White House's choice to designate the Department of Energy as the lead agency for the incident. Since the May 7 attack, lawmakers on the Homeland Security Committee and others overseeing the Energy Department have been laying out their arguments for a coming turf war over whether TSA should keep its regulatory authority over pipeline companies.

Asked what rationale the White House gave CISA, Goldstein emphasized the breakdown of roles between agencies and said DOE was deemed the lead agency because of the incident's impact on the supply of gasoline to the East Coast.

About the Author

Justin Katz is a former staff writer at FCW.

