The Transportation Security Administration (TSA) recently announced it is easing some of the pipeline-cybersecurity rules that were issued following the Colonial Pipeline attack in May 2021. Companies will now have more time to report cyberattacks (i.e., 24 hours, which is double the previously mandated timeline) and more control when designing their cyber-defenses.
The industry collective was displeased with the guidelines TSA issued in response to the Colonial Pipeline ransomware attack, preferring outcome-oriented guidelines. For example: accomplish this task, or achieve this level of security in a way that you can oversee how you design your security defenses. It’s important to build regulations, but the regulatory process in the US is slow, so there needs to be a balance in setting regulations that aren’t too prescriptive.
With the guidelines issued in July, it appears that the TSA listened to the feedback provided by the industry on the prior security directive and moved this recent directive toward a more objective—rather than prescriptive—set of achievable requirements.
That said, there are several fairly rigid requirements that pipeline operators will be required to comply with, such as the section that deals with software updates, patch validation and how organizations can accept and document the risk of not patching when it is not feasible to do so. It is incredibly difficult to find balance when creating regulations, and the TSA has done a reasonable job with this new set of security measures.
With TSA’s new guidelines, companies should remain vigilant about their network systems and remain transparent when reporting ransomware attacks. While the threat landscape is still very diverse, pipeline operators' most significant risk is the threat of criminal ransomware operators affecting their production. Ensuring a baseline standard of care and implementing basic cybersecurity protections goes a long way to prevent these types of attacks from succeeding.
As governments build and establish cybersecurity regulations, it’s important to keep in mind that vendor-neutral, interoperable and standards-based cybersecurity solutions are the best approach to dramatically improving private and public-sector collaboration and enhancing the nation’s collective defense against cyber-attackers. Cybersecurity regulations that are too prescriptive miss out on these key benefits.
Marty Edwards is deputy CTO—OT/IoT with Tenable