The Biden administration is poised to issue new cybersecurity regulations for pipelines and liquefied natural gas facilities in the aftermath of the April hack that temporarily paralyzed the nation’s biggest liquid fuel conduit.
The rules, which could be released as early as this week by the Transportation Security Administration, are the second tranche by the agency since the attack on Colonial Pipeline Co. They represent a further move away from a system that until now had relied on self-reporting and other voluntary measures.
“This Security Directive will apply to those pipeline systems that TSA has designated as critical to our nation’s infrastructure and is urgently needed so as to better protect our critical pipeline infrastructure from cybersecurity threats,” the Department of Homeland Security, which oversees the TSA, said in a statement that added that the directive would apply to liquefied natural gas facilities as well as pipelines.
TSA officials were scheduled to brief the industry on the rules Monday, according to one person familiar with the matter who asked not to be identified discussing non-public information.
Under the rules put in place in May, pipeline operators who fail to report cybersecurity attacks could be subject to fines, and pipeline companies are required to designate a representative to be available around the clock as a point of contact. The rules also require operators to compare their practices with the TSA guidelines and identify and report risks.
A TSA official testified to Congress last month that a security directive being drafted was expected to include specific mitigation measures along with more specific requirements with regard to assessments.
The new rules come as pipeline operators warn against overly prescriptive mandates that interfere with highly individualized voluntary cybersecurity programs tailored to the needs of specific companies.
TSA officials have made clear the directive is needed to mitigate security concerns and make pipelines more secure, according to two people familiar with the matter.
Industry representatives who have viewed a copy of TSA’s draft directive argued that the provisions as prepared needed to be better targeted to the risk of individual companies and in some cases were overly specific. Among the rules in the draft were requirements related to password updates, disabling Microsoft Corp. macros and emerging programmable logic controllers, according to two people familiar with the matter.
Hackers who stole data and locked computers forced the shutdown of Colonial’s roughly 5,500-mile (8,851-kilometer) pipeline system for nearly a week. The pipeline, which provides about 45% of the fuel used on the East Coast, was turned back on after the company paid a multimillion-dollar ransom, but not before the shutdown caused shortages at gas stations.
Unlike power plants, U.S. pipelines had not been required to follow any federal cybersecurity mandates, even though Homeland Security was given the authority to impose them when it was created in the wake of the Sept. 11, 2001, terrorist attacks.
That’s been an approach the industry has championed — and fought for as well. An effort in 2012 to require cybersecurity regulations for pipelines and other significant infrastructure through legislation failed after intense lobbying by oil companies and other corporate interests.