Thursday, May 27, 2021

DHS Directive Require Critical Pipelines To Comply With Federal Cybersecurity Measures

The Department of Homeland Security (DHS), on Thursday, will Mandate Critical Pipeline Operators, comply with several Cybersecurity Measures, including Reporting Cybersecurity Incidents to DHS within 12 hours.

The Transportation Security Administration (TSA) Security Directive says:

- Pipeline Companies will be Required to Report both Confirmed and Potential Incidents.

- Pipeline Owners and Operators will also be Required to Designate a "24/7, always available" Cybersecurity Coordinator who can Respond to Incidents and Coordinate with TSA and the Department's Cybersecurity and Infrastructure Security Agency (CISA).

- Within 30 days, these Companies must also Complete and Assess how their Practices line up with TSA's long-standing Pipeline Guidance, Identify any Gaps, and Propose Plans to Remedy those Gaps.

- There are Financial Penalties associated with Failure to Comply with Security Directives, which can be imposed on a Daily Basis, so they can ramp up pretty significantly over time. The Fine range starts around $7,000 and depends on the Specific Violation.

TSA is responsible for Transportation Security, including Hazardous Material, and Pipeline Security, and has Guidelines in place for the Industry. However, this will be the First time that the Critical Pipeline Sector has been Mandated to report Cybersecurity Incidents.

The Directive will apply to around 100 Companies considered to have the most Critical Pipelines in the U.S. The Companies are aware of their Critical Status and are familiar with the Existing Pipeline Security Guidelines.

While recognizing the "difficult choice" for Companies, the U.S. Government strongly Discourages paying Ransom, because there is No assurance of getting your Decrypted Data back and Paying Ransom further Fuels the Epidemic of Criminal Activity.

The Industry "was bracing for a more burdensome set of cyber standards," former DHS Assistant Secretary for Infrastructure Protection, Brian Harrell said. "I applaud TSA for seeking the cyber subject matter expertise at CISA. This, combined with the surface infrastructure knowledge of TSA, could lead to a successful compliance regime. I believe everyone is still interested in understanding what pipelines are in scope, and if TSA has the proper risk analysis in place. Regardless, Congress needs to fund this effort and TSA needs to hire additional staff -- like yesterday," he said.

The CISA doesn't Plan to release Compliance Information on Specific Pipelines, because of Potential Security Risks, but the New Requirements will allow the Agency to produce Better aggregate Analysis of Vulnerability and Risk in the Pipeline Sector.

One Official emphasized that the Security Directive is the First Step, to be "followed by more," Specific Details about Future Plans.

Another Official said the Department is thinking through how this Security Directive might serve as a Model for the Agencies involved and a potential Future Regulatory approach, adding that they want to Avoid a "check-the-box kind of compliance regime."

TSA is currently Staffed, at a level in the Pipeline Security Sections, to be able to Respond to the Issues that will be covered by this Security Directive and the Future Actions that TSA will be taking.

But the Official said the Agency is continuing to Expand its Cybersecurity Group within the Pipeline Team, to be able to carry out Additional Cybersecurity Assessments on Pipeline Facilities.

TSA has Committed to Conducting 52 Cybersecurity Assessments, called a "validated architecture design review," in Partnership with the CISA, this Fiscal year.

NYC Wins When Everyone Can Vote! Michael H. Drucker

No comments: