Critical pipeline operators have reported more than 220 cybersecurity incidents since the Transportation Security Administration implemented emergency measures in the wake of the crippling ransomware attack on one of America’s most important pipelines, according to TSA Administrator David Pekoske.
Companies have been reporting incidents since day one of the agency’s May 28 security directive aimed at critical pipelines, Pekoske told CNN in an interview. Reporting of cybersecurity incidents has ramped up since the directive, according to Pekoske, who said the reports will help TSA understand the risks facing the industry. Prior to the directive, reporting was voluntary.
TSA issued its first cybersecurity directive following the ransomware incident at Colonial Pipeline, which prompted the shutdown of operations and led to several days of panic gasoline buying and shortages throughout the East Coast.
The directive includes a requirement for around 100 critical pipeline companies to report cybersecurity incidents to the Department of Homeland Security’s cybersecurity agency within 12 hours, a DHS official previously said. TSA has unique authority over the surface transportation industry, which includes more than 2.7 million miles of natural gas and hazardous liquid pipelines, allowing the agency to regulate the industry.
Companies are required to report incidents related to unauthorized access of an IT or operational technology system, discovery of malicious software, activity resulting in a denial of service, a physical attack against network infrastructure or any other cybersecurity incident that results in operational disruption, according to the directive.
The incidents are reported to the Cybersecurity and Infrastructure Security Agency, and that agency evaluates each incident to determine if a response is needed, TSA spokesperson Alexa Lopez told CNN.
“TSA and CISA will use this information to determine the most appropriate mitigating measures to close potential vulnerability gaps in the national critical function set of pipelines,” she said in a statement.
Pressed during a congressional hearing Tuesday by Democratic Sen. Richard Blumenthal of Connecticut on whether companies are reporting cyberattacks “as fully as they should be,” Pekoske said, “Yes, they are reporting more than they have in the past.”
“The first security directive, the first thing it requires is reporting for significant incidents, because we wanted to get a baseline of information as to what is going on,” the administrator told the Senate Committee on Commerce, Science and Transportation.
Pekoske told lawmakers the reporting requirement is beneficial for companies to see they aren’t alone, and he expects the reporting to “continue to be robust,” which will help TSA. The raw data from the reports will not be made public for propriety reasons, but summary data will be available.
Under the first directive, the pipeline owners and operators are also required to designate a “24/7, always available” cybersecurity coordinator who can respond to incidents and coordinate with TSA and the department’s Cybersecurity and Infrastructure Security Agency. Within 30 days of the directive, the pipelines were also required to complete and assess how their practices align with TSA’s long-standing pipeline guidance, identify any gaps and propose plans to remedy those gaps.
All the designated pipeline owner/operators have complied with the requirements in the first directive, Pekoske told the congressional panel on Tuesday, including conducting the self-assessment. TSA, working with the Cybersecurity and Infrastructure Security Agency, is analyzing all the assessments to identify further mitigation efforts, according to Pekoske.
In July, TSA issued a second directive escalating cybersecurity requirements for the industry, a move meant to protect against ransomware and other known threats.
Pipeline companies expressed concerns about the second security directive, including its “aggressive time lines,” and pipeline operators requested more time, Pekoske told the panel on Tuesday.
Pipeline companies are allowed to provide TSA with plans for alternative security procedures, according to Pekoske, who said there will be a “very good give and take” with the industry.
The two directives are not based solely on the Colonial incident and are in place for a year but can be extended. The agency, Pekoske told CNN, is reviewing longer-term cybersecurity efforts, but no decisions have been made yet.
“The Colonial incident was criminal activity. We are concerned about other activity that might target pipeline systems in the country,” he said.