Cybersecurity Focus Swings To Pipelines

Subscribe to my newsletter, The Wavelength, if you want updates on global technology developments four times a week.

Policymakers in Washington are responding to the systemic weaknesses exposed in the Colonial Pipeline ransomware attack.

Twitter

Will the Biden Administration buck the general trend against ordering private sector entities to take specified cybersecurity measures?

Cocktail Party

Word around Washington is that the agency charged with securing pipelines and other infrastructure will soon issue an order or regulations that would require pipelines and possibly other infrastructure owners and operators to report incidents and other information. Generally, United States (U.S.) policymakers have been loath to place binding requirements on the private sector even those portions considered critical cyber infrastructure. This approach may be changing given the recent onslaught of attacks and intrusions.

Meeting

The Transportation Security Administration (TSA), the entity people traveling by air have come to know and love, may act this week to issue binding requirements on the pipeline industry. Government stakeholders seem agreed that this industry has been underregulated and its cybersecurity may be questionable. The agency itself lacks resources and expertise (see here for more detail and analysis) and so it will be of interest to see what form such an order or regulation may take.

Geek Out

As reported in The Washington Post and cyberscoop, the Transportation Security Administration (TSA) will issue an order to pipeline owners and operators requiring them to report hacks. This is likely in response to the fact that the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) did not receive “technical information” on the ransomware from Colonial Pipeline for days after the attack. Other outlets are reporting TSA, a component agency of DHS, will issue regulations. An unnamed DHS official said “[t]he Biden Administration is taking further action to better secure our nation’s critical infrastructure. TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems…[and] [w]e will release additional details in the days ahead.”

Regardless of whether the agency issues a directive, regulations, or both, the question is begged whether the agency possesses this authority for the very good reason no such regulatory action has been taken to date on cybersecurity. Consequently, does the TSA have this authority? And, does the agency have additional authority that could be brought to bear on pipeline cybersecurity?

The first place to start is with the powers Congress granted the TSA. In 49 U.S.C. 114, TSA is given the responsibility to “oversee the implementation, and ensure the adequacy, of security measures at airports and other transportation facilities.” Even though the latter term is not defined, it may be safe to read “transportation facility” as including pipelines given the regulatory ambit Congress gave the TSA. Hence, the agency is charged with overseeing the “security measures” (another undefined term) of pipelines, which almost certainly would include cybersecurity.

Moreover, the TSA has the power to issue emergency regulations or security directives. To wit:

Notwithstanding any other provision of law or executive order (including an executive order requiring a cost-benefit analysis), if the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security, the Administrator shall issue the regulation or security directive without providing notice or an opportunity for comment and without prior approval of the Secretary.

There are few if any limits on this power. It strikes me as likely TSA will be using this authority to mandate that pipelines report hacks and possibly other related information. Given how broad this grant of authority is, TSA may even be able to direct pipelines to take certain steps to secure their networks. However, at present, the Biden Administration does not seem to be leaning towards this sort of order.

Additionally, the Pipeline and Hazardous Materials Safety Administration (PMHSA) may have the authority to order pipelines to implement cybersecurity and technology standards. This argument is admittedly more of a stretch. Nonetheless, 49 U.S.C. §60102 provides the Secretary of Transportation through PHMSA the plenary power to “prescribe minimum safety standards for pipeline transportation and for pipeline facilities,” including those that “may apply to the design, installation, inspection, emergency plans and procedures, testing, construction, extension, operation, replacement, and maintenance of pipeline facilities.” Moreover, “[a] standard prescribed under subsection (a) shall be-

  • practicable; and
  • designed to meet the need for-
  • gas pipeline safety, or safely transporting hazardous liquids, as appropriate;

Surely, one could make the colorable argument that minimum cybersecurity standards are vital to the safety of pipelines carrying gasoline and oil. Of course, TSA would not welcome PHMSA horning in on its jurisdiction, so the use of this power in the manner I am suggesting is much less likely.

Congress may also be acting on legislation to augment the TSA’s authority. Last week, the House Homeland Security Committee marked up and reported a bill that would address generally the TSA’s authority over the cybersecurity of pipelines. Representative Emanuel Cleaver (D-MO) offered the “Pipeline Security Act” (H.R.3243) the committee proceeded to amend. Broadly speaking, this bill would codify TSA’s authority over pipeline cybersecurity and other threats since the TSA’s enabling act (i.e. the “Homeland Security Act of 2002”) does not exactly provide this explicit authority. The bill would make clear the TSA has responsibility, in coordination with the Cybersecurity and Infrastructure Security Agency, over pipeline cybersecurity, acts of terrorism, and other “nefarious acts that jeopardize the physical security or cybersecurity of such transportation facilities.” A Pipeline Division would be established inside the TSA to carry out the aforementioned powers. Specifically, this new TSA division would have the following duties:

  • (1)  Developing,  in  consultation  with  relevant  Federal,  State,  local,  Tribal,  and  territorial  entities  and  public  and  private  sector  stakeholders,  guidelines  for  improving  the  security  of  pipeline  transportation  and  pipeline  facilities  against  cybersecurity  threats, an act of terrorism, and other nefarious acts that  jeopardize  the  physical  security  or  cybersecurity of  such  transportation  or  facilities,  consistent  with  the  National  Institute  of  Standards  and  Technology  Framework  for  Improvement  of  Critical  Infrastructure  Cybersecurity  and  any  update  to  such  guidelines  pursuant  to  section  2(c)(15)  of  the  National  Institute   for   Standards   and   Technology   Act   (15 U.S.C. 272(c)(15)).
  • (2) Updating such guidelines as necessary based on intelligence and risk assessments, but not less frequently than every three years unless such guidelines are superseded by directives or regulations.
  • (3) Sharing of such guidelines and, as appropriate, intelligence and information regarding such security threats to pipeline transportation and pipeline  facilities,  as  appropriate,  with  relevant  Federal,  State,  local,  Tribal,  and  territorial  entities  and  public and private sector stakeholders.
  • (4)  Conducting  voluntary  security  assessments based on such guidelines or mandatory security assessments if required by superseding directives or regulations, to provide recommendations or requirements for  the  improvement  of  the  security  of  pipeline transportation  and  pipeline  facilities  against  cybersecurity  threats,  an  act  of  terrorism,  and  other  nefarious  acts  that  jeopardize  the  physical  security  or  cybersecurity  of  such  transportation  or  facilities,  including  the  security  policies,  plans,  practices,  and training  programs  maintained  by  owners  and  operators of pipeline facilities.
  • (5)  Carrying  out  a  program  through  which  the  Administrator  identifies  and  ranks  the  relative  risk  of   pipelines   and   inspects   pipeline   facilities   designated  by  owners  and  operators  of  such  facilities  as  critical based on such guidelines or superseding directives or regulations.
  • (6) Supporting the development and implementation of a security directive or regulation when the Administrator issues such a directive or regulation (the original bill had this language: “(6)  Preparing  notice  and  comment  regulations  for  publication,  if  determined  necessary  by  the  Administrator.”)

And so, this bill, as amended, clarifies and increases TSA’s ability to issue security directives and regulations. Subsection 2 among its duties makes clear the voluntary cybersecurity guidelines TSA may issue can be superseded by directives and regulations. Subsection 6 makes much the same clear. Consequently, the agency would have the authority (if it does not already) to issue directives to pipelines regarding cybersecurity risks in much the same way it issues directives to airlines and airports.

TSA would also need to develop “shall develop a personnel strategy for enhancing operations within the pipeline security section.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by JJ Ying on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s