Policymakers in Washington are responding to the systemic weaknesses exposed in the Colonial Pipeline ransomware attack.
Will the Biden Administration buck the general trend against ordering private sector entities to take specified cybersecurity measures?
Word around Washington is that the agency charged with securing pipelines and other infrastructure will soon issue an order or regulations that would require pipelines and possibly other infrastructure owners and operators to report incidents and other information. Generally, United States (U.S.) policymakers have been loath to place binding requirements on the private sector, even those portions considered critical cyber infrastructure. This approach may be changing given the recent onslaught of attacks and intrusions.
The Transportation Security Administration (TSA), the entity people traveling by air have come to know and love, may act this week to issue binding requirements on the pipeline industry. Government stakeholders seem agreed that this industry has been underregulated and its cybersecurity may be questionable. The agency itself lacks resources and expertise (see here for more detail and analysis) and so it will be of interest to see what form such an order or regulation may take.
As reported in The Washington Post and CyberScoop, the Transportation Security Administration (TSA) will issue an order to pipeline owners and operators requiring them to report hacks. This is likely in response to the fact that the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) did not receive “technical information” on the ransomware from Colonial Pipeline for days after the attack. Other outlets are reporting TSA, a component agency of DHS, will issue regulations. An unnamed DHS official said “[t]he Biden Administration is taking further action to better secure our nation’s critical infrastructure. TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems…[and] [w]e will release additional details in the days ahead.”
Regardless of whether the agency issues a directive, regulations, or both, the question arises whether the agency possesses this authority, for the very good reason that no such regulatory action has been taken to date on cybersecurity. Consequently, does the TSA have this authority? And does the agency have additional authority that could be brought to bear on pipeline cybersecurity?
The first place to start is with the powers Congress granted the TSA. In 49 U.S.C. §114, TSA is given the responsibility to “oversee the implementation, and ensure the adequacy, of security measures at airports and other transportation facilities.” Even though the latter term is not defined, it may be safe to read “transportation facility” as including pipelines given the regulatory ambit Congress gave the TSA. Hence, the agency is charged with overseeing the “security measures” (another undefined term) of pipelines, which almost certainly would include cybersecurity.
Moreover, the TSA has the power to issue emergency regulations or security directives. To wit:
“Notwithstanding any other provision of law or executive order (including an executive order requiring a cost-benefit analysis), if the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security, the Administrator shall issue the regulation or security directive without providing notice or an opportunity for comment and without prior approval of the Secretary.”
There are few, if any, limits on this power. It strikes me as likely TSA will be using this authority to mandate that pipelines report hacks and possibly other related information. Given how broad this grant of authority is, TSA may even be able to direct pipelines to take certain steps to secure their networks. However, at present, the Biden Administration does not seem to be leaning towards this sort of order.
Additionally, the Pipeline and Hazardous Materials Safety Administration (PHMSA) may have the authority to order pipelines to implement cybersecurity and technology standards. This argument is admittedly more of a stretch. Nonetheless, 49 U.S.C. §60102 provides the Secretary of Transportation through PHMSA the plenary power to “prescribe minimum safety standards for pipeline transportation and for pipeline facilities,” including those that “may apply to the design, installation, inspection, emergency plans and procedures, testing, construction, extension, operation, replacement, and maintenance of pipeline facilities.” Moreover, “[a] standard prescribed under subsection (a) shall be-
- practicable; and
- designed to meet the need for-
  - gas pipeline safety, or safely transporting hazardous liquids, as appropriate;”
Surely, one could make the colorable argument that minimum cybersecurity standards are vital to the safety of pipelines carrying gasoline and oil. Of course, TSA would not welcome PHMSA horning in on its jurisdiction, so the use of this power in the manner I am suggesting is much less likely.
Congress may also be acting on legislation to augment the TSA’s authority. Last week, the House Homeland Security Committee marked up and reported a bill that would address generally the TSA’s authority over the cybersecurity of pipelines. Representative Emanuel Cleaver (D-MO) offered the “Pipeline Security Act” (H.R.3243), which the committee proceeded to amend. Broadly speaking, this bill would codify TSA’s authority over pipeline cybersecurity and other threats since the TSA’s enabling act (i.e., the “Homeland Security Act of 2002”) does not exactly provide this explicit authority. The bill would make clear the TSA has responsibility, in coordination with the Cybersecurity and Infrastructure Security Agency, over pipeline cybersecurity, acts of terrorism, and other “nefarious acts that jeopardize the physical security or cybersecurity of such transportation facilities.” A Pipeline Division would be established inside the TSA to carry out the aforementioned powers. Specifically, this new TSA division would have the following duties:
- (1) Developing, in consultation with relevant Federal, State, local, Tribal, and territorial entities and public and private sector stakeholders, guidelines for improving the security of pipeline transportation and pipeline facilities against cybersecurity threats, an act of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities, consistent with the National Institute of Standards and Technology Framework for Improvement of Critical Infrastructure Cybersecurity and any update to such guidelines pursuant to section 2(c)(15) of the National Institute for Standards and Technology Act (15 U.S.C. 272(c)(15)).
- (2) Updating such guidelines as necessary based on intelligence and risk assessments, but not less frequently than every three years unless such guidelines are superseded by directives or regulations.
- (3) Sharing of such guidelines and, as appropriate, intelligence and information regarding such security threats to pipeline transportation and pipeline facilities, as appropriate, with relevant Federal, State, local, Tribal, and territorial entities and public and private sector stakeholders.
- (4) Conducting voluntary security assessments based on such guidelines or mandatory security assessments if required by superseding directives or regulations, to provide recommendations or requirements for the improvement of the security of pipeline transportation and pipeline facilities against cybersecurity threats, an act of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities, including the security policies, plans, practices, and training programs maintained by owners and operators of pipeline facilities.
- (5) Carrying out a program through which the Administrator identifies and ranks the relative risk of pipelines and inspects pipeline facilities designated by owners and operators of such facilities as critical based on such guidelines or superseding directives or regulations.
- (6) Supporting the development and implementation of a security directive or regulation when the Administrator issues such a directive or regulation (the original bill had this language: “(6) Preparing notice and comment regulations for publication, if determined necessary by the Administrator.”)
And so, this bill, as amended, clarifies and increases TSA’s ability to issue security directives and regulations. Subsection 2 of its duties makes clear that the voluntary cybersecurity guidelines TSA may issue can be superseded by directives and regulations. Subsection 6 makes much the same clear. Consequently, the agency would have the authority (if it does not already) to issue directives to pipelines regarding cybersecurity risks in much the same way it issues directives to airlines and airports.
TSA would also need to “develop a personnel strategy for enhancing operations within the pipeline security section.”
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021.