WASHINGTON, DC (Bloomberg) –The Biden administration is moving forward with mandatory cybersecurity requirements for pipelines, according to a person briefed on the plans, following the ransomware attack earlier this month that paralyzed the biggest fuel pipeline in the nation.
Pipeline operators would be required for the first time to report certain cyberattacks to the Department of Homeland Security under a forthcoming security directive being issued by the Transportation Security Administration, according to the person, who spoke on the condition of anonymity to discuss government matters that had not been made public yet.
The directive, which is expected to require companies to establish a point of contact for cyber issues, is seen as a precursor to broader mandates for the pipeline sector which has resisted cyber security regulations in favor of a voluntary system they say is more nimble.
“The Biden Administration is taking further action to better secure our nation’s critical infrastructure,” the Department of Homeland Security said in a statement. “We will release additional details in the days ahead.”
While the Transportation Security Administration, federal agency charged with protecting the nation’s pipelines, has long had the authority to issue cyber requirements, it instead has relied on voluntary best practices and self-reporting by the industry to secure the operations.
Now, in the wake of the attack that shuttered the Colonial Pipeline Co., the agency is developing mandates that will establish rules for how pipeline companies must safeguard their systems against cyberattacks, as well as steps they should take if they are hacked, according to the Washington Post, which earlier reported on the new rules.
“This TSA security directive is a major step in the right direction towards ensuring that pipeline operators are taking cybersecurity seriously and reporting any incidents immediately,” Representative Bennie Thompson, chairman of the House Homeland Security Committee, said in a statement.
Despite the Colonial incident, which paralyzed a critical supply of gasoline and other refined products to New York and other cities along the East Coast leading to fuel shortages, the energy and pipeline industry remains wary about new regulations, which they fear could be overly prescriptive and too rigid to adapt to the rapidly changing digital threats.
“We want TSA to get right anything they plan to do,” said John Stoody, a spokesman for the Association of Oil Pipe Lines, which represents companies that include Colonial Pipeline. “For example, an overly broad reporting requirement could overwhelm TSA with hundreds of thousands of cyberattack reports every day that would not do anyone any good.”