TSA ramps up fuel pipeline cyber strategy
At a Senate hearing, the TSA administrator updated lawmakers on the implementation of two recent cybersecurity directives issued in the wake of the ransomware attack on Colonial Pipeline.
David Pekoske, administrator of the Transportation Security Administration, told the Senate Commerce Committee on Tuesday that the agency has received responses from all of the energy pipeline companies tasked with reporting cybersecurity incidents, assigning a cybersecurity coordinator to be on call and reviewing their existing cybersecurity practices under a May 20 directive.
TSA's role in regulating the cybersecurity of U.S. pipeline infrastructure has been under increased scrutiny since the ransomware attack targeting the business IT systems of Colonial Pipeline, which led to the halting of gas to service stations in much of the East Coast in early May.
Pekoske also explained that TSA's second security directive issued in June, most of which is non-public, involves a look at "whether or not a business IT system might bridge into an operating technology system, which could, in the case of a pipeline, affect the flow of product through that pipeline."
Sen. Maria Cantwell (D-Wash.), the chair of the committee, noted that pipeline security appeared to be a neglected part of TSA's operations, which largely focus on security screening for air travelers.
"At one point, TSA only had six individuals working in the pipeline security group and that number has now grown to 34, but they're covering 2.7 million miles of pipeline, and we need to increase our accountability over this issue," Cantwell said at the hearing.
Leslie Gordon, acting director of Homeland Security and Justice at the Government Accountability Office, told lawmakers that TSA had made progress in addressing outstanding recommendations about pipeline cybersecurity from reports dating back to 2018, but that the new directives may create additional workforce needs.
"This security directive is placing significant additional cybersecurity requirements on private sector-owned pipeline owner-operators and likely will generate additional information for TSA on cybersecurity needs and likely add to TSA's volume of work," Gordon said at the hearing.
Gordon also noted that the security measures promulgated in the TSA directives "do not include several known mitigation strategies for current cyber threats, including ransomware attacks."