The Colonial Pipeline cyberattack is still causing ripples. Some of these federal mandates may mark major changes for operational technology (OT) cybersecurity.

The privately held Colonial Pipeline company, which provides nearly half of the fuel used by the East Coast — gasoline, heating oil, jet fuel and fuel for the military totaling around 100 million gallons a day — was hit by a double-extortion ransomware attack by a DarkSide group in May of 2021.

In reaction, the company shut down pipeline operations and IT systems. Next, they brought in FireEye’s Mandiant to conduct cyber forensics.

The event triggered panic in national security circles. After years of talk about whether a state-sponsored cyberattack could shut down major infrastructure or utilities on a massive scale, it seemed like that fear finally came true. In fact, the company was motivated by money and chose to shut down.

Still, the Colonial Pipeline attack mobilized the federal government into action. And that action is what’s still causing lingering problems.

TSA responses to Colonial Pipeline attack

In the aftermath of the attack, the Transportation Security Administration (TSA) issued two major mandatory cybersecurity directives for all U.S. pipeline operators. TSA rules had been voluntary before this. Now, violators could be fined up to $11,904 per day.

Trouble is that the TSA developed these rules without notice-and-comment rulemaking, which would have enabled pipeline companies to contribute to the crafting of rules to make them more feasible. Even Congress wasn’t notified of the rules in advance.

Some pipeline operators are now saying that not only are some rules confusing and too complex, but they might even threaten pipeline operations and safety.

Mandatory cybersecurity rules have constrained power stations for many years. However, lawmakers saw pipeline operators as a special case requiring a lighter touch. By definition, these companies operate IT and OT systems that span vast distances. Compliance with the new directives, for example, often means sending technicians to each far-flung control box and attempting to apply patches, upgrades or changes that don’t always make sense for that kind of hardware.

Struggling to comply

Pipeline operators say they are struggling to comply. While the TSA offered to help companies, the agency also appears overwhelmed. Operators have permission to find other routes to the same objectives, but the TSA has to approve those plans first. And it has become clear that the TSA is understaffed and underfunded for this level of back-and-forth.

The core problem is that TSA is not the right agency for this kind of regulation, according to University of Tulsa professor Ido Kilovaty. Its current staffing and budget are “lacking the expertise and tools needed to effectively regulate cybersecurity in the pipeline context,” he wrote.

A better choice may be the Federal Energy Regulatory Commission (FERC). This is an independent agency within the Department of Energy responsible for cybersecurity regulation of the electric power sector. Moving from TSA to FERC, in fact, has the backing of the Biden Administration.

In general, the TSA rules are overly prescriptive, dictating not only outcomes but methods. And these prescriptions may not consider the variability and complexity of affected systems.

One common complaint is that the directives don’t give enough time. The timelines are too aggressive and overly specific.

What the industry can expect from future regulations

Changes are coming. Pipeline cybersecurity regulations may remain under the TSA, but with expanded funding. Or, the government may move them to another existing agency or to a special-purpose agency yet to be created. And new rules, made in concert with the pipeline industry, are surely coming to replace the old.

It’s ironic that the rushed, overly-prescriptive, top-down directives ended up that way in the interest of time. Now, arriving at a regulatory regime that really works to keep pipelines safe is taking far longer than it could have.

More from Risk Management

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today