DHS will issue mandatory cybersecurity rules for pipeline companies

The decision follows the recent Colonial Pipeline ransomware attack.

Yuri Gripas / reuters

Following the Colonial Pipeline ransomware attack that led to fuel shortages in parts of the US, the federal government plans to impose mandatory cybersecurity regulation on the pipeline industry for the first time. According to The Wall Street Journal, the Department of Homeland Security and Transportation Security Administration (the same TSA that decides if you can board a plane or not) will soon require pipelines to notify federal authorities when they fall victim to hackers.

They'll need to inform both the TSA and the Cybersecurity and Infrastructure Security Agency (CISA) of any incidents and employ a cybersecurity official with a 24/7 direct line to those units. They'll also have to test their systems for vulnerabilities. According to The Washington Post, the TSA will issue "more robust" rules detailing how pipeline companies should secure their networks and respond to hacks "in the coming weeks."

"This is a first step, and the department views it as a first step, and it will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes," a Department of Homeland Security official told The Washington Post.

Pipeline security fell under TSA jurisdiction in 2002 as a byproduct of the September 11th terror attacks in 2001. For the most part, the agency has focused its attention on protecting pipelines from physical threats such as terror attacks. It only issued its first set of cybersecurity guidelines in 2010, and even then, those were only voluntary. That's not uncommon in the US. Most industries that oversee critical infrastructure, including projects like dams, don't have mandatory standards they're required to adhere to by the government. President Biden recently signed a executive order that touched on some of those issues.

Where things get tricky is that cybersecurity isn't necessarily a strength of the TSA. In 2019, the agency testified it only had five employees trained to handle cybersecurity audits and enforcement. The Department of Homeland Security plans to hire more staff across both the TSA and CISA and instruct the two units to work together on enforcement.