DHS confirms new cybersecurity rules for pipeline companies

The measures follow a ransomware attack that halted Colonial Pipeline deliveries for several days.

JIM WATSON via Getty Images

As expected, the Department of Homeland Security’s Transportation Security Administration (TSA) has issued mandatory cybersecurity rules for pipeline companies. Under the security directive, critical pipeline owners and operators will have to designate a cybersecurity coordinator with around-the-clock availability. They'll also need to report cybersecurity incidents, including confirmed and potential issues, to the Cybersecurity and Infrastructure Security Agency (CISA).

In addition, critical pipeline owners and operators will have to assess their current cybersecurity practices, pinpoint vulnerabilities and review their plans to address risks. They'll have 30 days to report their findings to TSA and CISA. Those might not be the only measures, as TSA is considering other directives.

Pipeline cybersecurity has been brought into focus in recent weeks, following a ransomware attack on Colonial Pipeline. The company paused gasoline and diesel deliveries for several days earlier this month after its billing system was compromised. That led to fuel shortages in some areas.

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” Secretary of Homeland Security Alejandro N. Mayorkas said in a statement. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”