The Transportation Security Administration, in the wake of the ransomware attack on the Colonial Pipeline that caused widespread gasoline disruptions earlier this month, has announced new reporting requirements for pipeline operators.
In a security directive, the TSA, which oversees pipeline cybersecurity, said it will now require that pipeline operators report any cyberattacks on their systems to the federal government within 12 hours. Pipeline companies must also put in place a 24/7, on-call cybersecurity coordinator to work with the government in case of an attack, and conduct an assessment of their cyber practices in the next 30 days.
The directive was outlined Wednesday evening by Department of Homeland Security officials under the condition they remain unidentified.
The attack on the Colonial Pipeline disrupted gasoline supplies on the East Coast, and caused panic buying in some states.
A DHS official called the new directive “part of a multipronged process, with the concept that this is step one in the immediate wake of the Colonial Pipeline incident” and will be followed by other actions.
Companies are to report cyberattacks to the Cybersecurity and Infrastructure Security Agency, CISA, which like TSA is part of DHS. Those that fail to do so would be subject to fines, starting at $7,000 a day. That’s a departure from past practice, when TSA issued a set of voluntary guidelines that pipeline operators were expected to follow.
Chris Krebs, a past CISA director, told NPR’s Morning Edition on Wednesday that because companies aren’t currently required to report ransomware attacks, “we don’t really understand how bad the problem is.”
There are some 2.7 million miles of pipelines in the United States. DHS says about 100 systems are considered critical and fall under the new directive. An official said this directive will be followed by an additional set of actions “in the not too distant future.”
A DHS official said the agency still looks forward “to a very collaborative relationship with the pipeline industry,” and said their “input is important and it will continue to help to shape our direction.”
The DHS directive follows an executive order signed by President Biden two weeks ago that aims to boost America’s cyberdefenses.