Almost two years ago, a ransomware attack on the Colonial Pipeline Company, a major supplier of fuel to the northeastern U.S., pushed the Transportation Security Administration (TSA) to develop directives for pipeline owners and operators to implement cybersecurity measures.
TSA Administrator David Pekoske shared a few lessons learned from the attack and critical aspects of implementing a shared cybersecurity defense framework between public and private sectors to protect critical infrastructure during day two of the Hack the Capital event on May 11.
“The incident caused us to immediately put in place security directives to first and foremost report cybersecurity incidents and we found that there was not a consistent reporting framework within the US government, and certainly not within the transportation sector,” Pekoske said, adding that TSA acknowledged that this effort required a key Federal partner – the Cybersecurity and Infrastructure Security Agency (CISA).
Together, CISA and TSA brought together more than 25 major pipeline operators and industrial control systems partners to strengthen security practices to safeguard the operational technology networks critical to pipeline operations, efforts that complement the Security Directives TSA issued in the aftermath of the attack on the Colonial Pipeline.
Pekoske explained that, alongside CISA, TSA worked with major industry players to develop directives that were both prescriptive and flexible, a combination he described as the key element that allows the security directives to be efficient.
“When you think about it, particularly in the realm of cybersecurity, we shouldn’t try to lock ourselves down in the regulatory regime that will need to be changed all the time. We should try to put a framework in place that we can adjust as the circumstances adjust and as the industry adjusts,” Pekoske said.
In addition, TSA understood that some owners and operators currently on the list of companies covered by the security directives might fall off it based on several factors, such as a change in their status or in whether they are critical to that transportation sub-sector. It therefore decided not to regulate every one of the roughly 3,000 pipelines in the United States.
“We worked with CISA to determine the definition we have for criticality within critical infrastructure was applicable and if you’re determined to be a critical owner-operator, then you’re covered by these regulations,” Pekoske said.
Pekoske also explained that the security directives are not centered on cyber prevention but on cyber resilience: the framework builds resiliency so that, if attacked, the services the critical infrastructure sector provides could come back online quickly.
“There’s a big difference from preventing a cyber incident, to being able to respond to one because you go from prevention measures to a crisis response and the crisis response framework can be a little bit different than the prevention,” Pekoske said. “I think that piece is critically important, and we do want to begin to conduct [crisis response tests] more regularly.”