The Transportation Security Administration (TSA) is loosening pipeline cybersecurity rules imposed after the hack of Colonial Pipeline last year, giving companies a longer window to report cyberattacks and more leeway to design their defenses.
The first-of-their-kind cyber directives, unveiled after a ransomware attack disrupted the East Coast’s largest fuel conduit for 6 days in May 2021, drew pushback from businesses that argued the standards were overly prescriptive and in some cases risked disrupting the flow of oil and gas.
Lobbyists say that updated versions of the two yearlong directives could hint at how the agency intends to write permanent cyber regulations for pipelines and other surface transportation.
“We’re encouraged by the changes they’ve made,” said Suzanne Lemieux, director of operations security and emergency response policy at the American Petroleum Institute, an oil and gas trade group. “There were a lot of things that weren’t well thought out in the urgency of getting this out [last year].”
Designated pipeline operators are now required to report hacks to the government within 24 hours, double the previously mandated timeline, according to a new version of the first directive that went into effect on 29 May. An update to the second directive, set to be released by 26 July, is expected to focus less on forcing companies to install particular security measures, pipeline lobbyists and a TSA spokesperson said.
The goal is to move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology,” the TSA spokesperson said. “TSA is consulting with industry stakeholders and federal partners while modifying this security directive.”
Following the second directive’s release last July, the TSA said it received more than 380 requests from pipeline operators to fulfill the requirements in different ways than the order outlined. The agency, which called the number unprecedented in a fact sheet reviewed by WSJ Pro Cybersecurity, didn’t respond to a question about how many of those requests it granted.