TSA’s role in pipeline safety seems to be a weak link for some in government and industry – FCW


Cyber ​​security

TSA’s role in pipeline safety appears to be a weak link for some in government and industry

Lawmakers and government officials are reexamining the Transportation Security Administration’s place in regulating the cybersecurity of the country’s gas pipelines in the wake of the ransomware attack on Colonial Pipeline’s commercial systems. The office responsible for these policies is historically understaffed and the agency has yet to address several issues raised by government auditors in December 2018.

In this case, Colonial Pipeline faced a crippling attack on its computer system, but the fallout from the event has worried regulators and lawmakers about how the United States is prepared to deal with an attack on it. industrial control systems that manage energy pipelines.

The Department of Energy has been designated as the sector-specific agency for cybersecurity incidents, and its Office of Cybersecurity, Energy Security and Emergency Response (CESER) is managing the response. The Agency for Cybersecurity and Infrastructure Security monitors the attack and regularly publishes industry bulletins on ransomware protection. The FBI is also investigating.

The TSA has statutory authority to regulate pipeline cybersecurity, but has historically relied on industry standards and non-mandatory guidelines. Pipeline owners also work with the Department of Transportation’s Pipeline Safety and Hazardous Administration for non-cybersecurity issues. There have been several efforts in Congress over the years to clarify or shift responsibilities, but these bills ultimately failed.

Yet many are concerned about the current distribution of powers.

“It is time to establish mandatory cybersecurity standards for pipelines similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-growing number and the sophistication of malicious cyber actors, “said Richard Glick, chairman of the Federal Energy Regulatory Commission, said in a declaration Monday.

The FERC, which regulates the electricity grid, has previously called for pipeline authorities to change hands.

A senior TSA official in 2019 testified to lawmakers that the country’s pipeline securing office – the surface division of the office for security policy and industry engagement – has only five employees full-time, none of whom are cybersecurity experts.

Leslie Gordon, acting director of homeland security and justice at GAO, told FCW on Monday that three recommendations from her office December 2018 Report to TSA on improving “significant weaknesses” in the safety management of its pipeline remain open.

Open recommendations include that the TSA administrator develop a strategic manpower plan needed to conduct security reviews of critical facilities. The watchdog recommended that the TSA identify other sources of data to determine threats and vulnerabilities in critical pipelines. The auditors also wrote that TSA should coordinate an “independent, external peer review of its pipeline risk ranking tool.”

TSA officials told GAO that all three recommendations will be addressed later this year. A separate 2019 report also recommended that the TSA update its 2010 pipeline security and disaster recovery protocol plan to reflect modern threats and technology. Gordon said the TSA had indicated it would be done by June 30.

A TSA spokeswoman told FCW on Monday that it had expanded its surface operations capabilities to include transportation security inspectors and had partnered with the Cybersecurity and Infrastructure Security Agency and the Idaho National Labs “to provide advanced training in cybersecurity”.

Rep. Jim Langevin (DR.I.) in an interview with the Washington post called on TSA to be held accountable for safety failures and suggested assessing whether TSA is best placed to oversee gas and oil pipelines.

Karen Evans, who led CESER during the Trump administration and served as CIO of the Department of Homeland Security, said the current arrangement “makes sense if you work it from the inside out.” She added: “There are a bunch of other things that come into play, not just cyber.”

In one May 11 letter to the head of CISA, Representative John Katko (RN.Y.), a senior member of the House Homeland Security Committee, spoke favorably on a public-private initiative involving CISA, Energy and TSA to conduct “validated assessments of the architecture and design review ”on pipeline systems, and wanted to know if the assessment program, which focuses on natural gas transportation, will be expanded to include fuel pipelines.

Chris Strand, chief compliance officer at threat intelligence firm IntSights, told FCW that transferring regulatory authorities to FERC made sense from a cybersecurity perspective.

“This would then position the oil and gas energy industry under the same intense and mandatory cybersecurity reporting structure as the rest of the energy industry,” he said on Wednesday. “This would include more scrutiny and mandatory regulation for reporting cybersecurity incidents,” as well as compliance with a standard core security control set or guideline “that meets existing standards for protecting critical infrastructure in the world. North American Electric Reliability Corporation.

Tim Conway, a technical director specializing in industrial control systems at the SANS Institute, told FCW authorities could be clarified, but that did not necessarily stop the government from responding to the attack on Colonial.

“The ransomware attack on the Colonial Pipeline demonstrated that clear rules would help for this event and future events, but confusion over authorities does not cripple our country’s ability to respond and work together across agencies regardless of authorities declared, ”he told FCW on Wednesday. He said the level of cooperation between government and the private sector and between government agencies was “encouraging”, and said: “it is important that we act quickly and align regulators to streamline our national response. to deal with future cyber threats. “

About the Author

Justin Katz covers cybersecurity for FCW. Previously, it covered the Navy and Marine Corps for Home Defense, focusing on weapons, vehicle acquisition, and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington DC areas. Connect with him on Twitter at @JustinSKatz.


About Keith Tatum

Check Also

Gas flows to the east via the Yamal-Europe gas pipeline are decreasing, flows via Ukraine are stabilizing

November 8 (Reuters) – Eastward gas flows via the Yamal-Europe pipeline to Poland from Germany …

Leave a Reply

Your email address will not be published.