Pipeline operators raise concerns over aggressive TSA cybersecurity directives
https://www.utilitydive.com/news/pipeline-cyber-security-tsa-requirements/604216/July 30, 2021
The TSA has been pushing for cybersecurity modernization following the Colonial Pipeline ransomware attack in May. "I'm happy to tell you that we had 100% response from the critical pipeline security operators identified in the first security directive," Pekoske said. The TSA initially gave pipeline owners and operators a 30-day timeline to submit gaps in their cybersecurity posture in the May directive.
The TSA did not make the requirements public, they are only available to pipeline owners and operators. If compliance is not reached, companies could be subjected to civil penalties. While TSA will not make the raw data submitted by pipeline owners and operators public to protect discovered vulnerabilities, the TSA intends to release summary data.
Companies running pipelines are, for the first time, working under required cybersecurity measures. Speaking with pipeline owners based in Tennessee, "they say that the directive could require them to replace thousands of pieces of equipment all over the country. Not only would it be expensive, take a long time, [but] supply chain shortages are an issue," Sen. Marsha Blackburn, R-Tenn., said during the hearing.
Pekoske, however, confirmed that many of the directives' cybersecurity procedures are rooted in basic cybersecurity hygiene, not necessarily lengthy digital transformation efforts.
Cybercriminals' points of entry tend to capitalize on "fairly basic" issues, said Polly Trottenberg, deputy secretary of the Department of Transportation, during the hearing. For example, Colonial was hacked through an outdated VPN profile, which lacked multifactor authentication....