New Cybersecurity Regulations for Pipelines Set to Be Released

(Bloomberg) -- The Biden administration is poised to issue new regulations for pipeline operators in the aftermath of the April hack that temporarily paralyzed the nation’s biggest fuel conduit, according to three people familiar with the matter.

The rules, which could be released as early as Monday, are the second tranche by the agency since the attack on Colonial Pipeline Co.. It represents a further move away from a system that until now had relied on self-reporting and other voluntary measures.

Transportation Security Administration officials were scheduled to brief the industry on the rules Monday, one of the people said. All three asked not to be identified discussing non-public information. The TSA did not respond to a request for comment.

Under the rules put in place in May, pipeline operators who fail to report cybersecurity attacks could be subject to fines and would also require pipeline companies to designate a representative to be available around the clock as a point of contact. The rules also require operators to compare their practices with the TSA guidelines and identify and report risks.

A TSA official testified to Congress last month that a security directive being drafted by the Department of Homeland Security was expected to include specific mitigation measures along with more specification requirements with regards to assessments.

The new rules come as pipeline operators warn against overly prescriptive mandates that interfere with highly individualized voluntary cybersecurity programs tailored to the needs of specific companies.

TSA officials have made clear the directive is needed to mitigate security concerns and make pipelines more secure, according to two people familiar with the matter.

Industry representatives who have viewed a copy of TSA’s draft directive argued that the provisions as prepared needed to be better targeted to the risk of individual companies and in some cases were overly specific. Among the rules in the draft were requirements related to password updates, disabling Microsoft Corp. macros and emerging programmable logic controllers, according to two of the people.

Hackers who stole data and locked computers forced the shutdown of Colonial’s roughly 5,500 mile (8,851 kilometers) pipeline system for nearly a week. The pipeline, which provides about 45% of the fuel used on the East Coast, was turned back on after company paid a multimillion dollar ransom, but not before the shutdown caused shortages at gas stations.

Unlike power plants, U.S. pipelines had not been required to follow any federal cybersecurity mandates, even though Homeland Security was given the authority to impose them through its Transportation Security Administration when it was created in the wake of the Sept. 11, 2001, terrorist attacks.

That’s been an approach the industry has championed -- and fought for as well. An effort in 2012 to require cybersecurity regulations for pipelines and other significant infrastructure through legislation failed after intense lobbying by oil companies and other corporate interests.

©2021 Bloomberg L.P.