The government’s first attempt to require pipeline companies to meet basic cybersecurity standards is floundering — a worrisome sign as the U.S. tries to strengthen cyber defenses for the sprawling collection of critical infrastructure seen as a prime target for foreign hackers.
Oil and gas pipeline operators say the TSA’s cyber regulations are full of unwieldy or baffling requirements that could actually jeopardize pipeline safety and fuel supplies. Others in the energy sector, and cyber experts who help defend these systems, agree with these objections and say the TSA’s small cyber team has been overwhelmed by a flood of industry requests for workarounds.
“In every sense, TSA has screwed this up,” said Robert M. Lee, the CEO of Dragos, a cybersecurity firm that works with critical infrastructure companies. “It is a giant cluster and in many ways is a perfect example of what not to do with a regulatory process.”
The Biden administration has been scrambling to upgrade the digital security of U.S. critical infrastructure, from water utilities to power plants, amid heightened concerns about Russian cyberattacks stemming from the war in Ukraine. But few of the 16 critical infrastructure sectors have mandatory cyber standards, and many are regulated by agencies with little experience in this area. The TSA pipeline rules are an early test of the government’s ability to craft regulations that balance the security needed to keep out hackers with the flexibility needed to accommodate complex, idiosyncratic equipment.
Though the TSA is best known for airport security, it has a sprawling remit including mass transit systems, ports and pipelines.
Many of the TSA’s new requirements are based on protections for personal computers, not pipeline control systems, frustrating companies that aren’t sure how to comply with them. Other rules could require months or even years of painstaking upgrades that could interrupt pipeline operations. The result, companies and security experts say, is a confusing mess that has strained a once-harmonious partnership between the industry and its regulator.
Frustration with the TSA’s pipeline security efforts has reached Congress. Last year, the leaders of the House Energy and Commerce Committee proposed bipartisan legislation shifting pipeline cyber oversight to the Energy Department.
The TSA acknowledges that its pipeline cyber program has had a rocky start. “We’ve learned lessons here,” said a senior agency official. A senior DHS official added that Biden administration officials have “gone out of our way to consult with industry” after realizing the depth of the dissatisfaction. Both officials were granted anonymity to discuss the sensitive dialogue between industry and government.
Pipelines are among the United States’ most critical infrastructure: The oil and gas they deliver powers roughly two-thirds of American life. Without them, cars would be stranded, and hospitals, homes and military bases would all go dark. More than 2.6 million miles of pipelines crisscross the country, operated by companies such as Enbridge, Kinder Morgan and Williams Cos. — names that most Americans never hear unless there’s a major protest, accident or cyberattack.
The May 2021 hack of Colonial Pipeline, which caused temporary gasoline shortages across much of the East Coast, prompted outrage at Colonial’s lax security and led to the TSA’s first compulsory cyber regulations, replacing earlier voluntary guidelines. But the Colonial attack was a minor inconvenience compared with nightmare scenarios that worry U.S. intelligence officials. After Russia’s invasion of Ukraine, addressing those concerns carries greater urgency than ever.
The nation’s extensive pipeline network was built without cybersecurity in mind. And the pipeline industry says the TSA is making it harder for them to put new cybersecurity protections in place.
One pipeline industry executive, who requested anonymity to avoid blowback from publicly lambasting their regulator, said the TSA’s rules “were issued in such haste” that they risk disrupting fuel supplies by forcing companies to meet poorly thought-out requirements.
It’s not surprising that pipeline companies want more flexible regulations. But even others outside their industry agree that the TSA’s regulations are too rigid and full of procedures not applicable to pipeline systems. Among those critics are people like Lee, cyber experts with experience in the intelligence community that informs their understanding of how infrastructure can be hacked.
In July, the TSA issued rules requiring companies to deploy more than three dozen common cybersecurity defenses, including weekly antivirus scans, prompt security patching, strict firewalls to block malware and adoption of multifactor authentication, a technology that asks users for a second proof of identity in addition to a password, in order to block unauthorized access.
But many of these practices were designed for information technology systems found on traditional computer networks, not operational technology — the industry term for hardware or software that monitors or controls equipment such as pipeline safety valves and water pumps. Industry representatives say the TSA and CISA failed to craft rules that take into account the unique features of industrial control systems — and particularly those for pipelines.
“You can’t use standard security tools to secure an OT environment,” said Marty Edwards, vice president of operational technology security at the cyber firm Tenable. He previously headed DHS’ Industrial Control Systems Cyber Emergency Response Team.
The regulations are “overly prescriptive in nature,” Lee said, “with a lot of IT security control stuff copy-and-pasted into OT that would be disruptive.”
Asked about this criticism, the senior TSA official said, “I would concede that some of that is true.”
“There are some [requirements] that, as originally written, could cause operational disruptions,” the official added.
Still, the TSA has asked companies to tell it about rules that could cause harm, and so far the agency has received fewer than 10 such notifications, the official said.
One executive from an energy industry group said that rapid patching and multifactor authentication requirements were inappropriate for industrial technology. Patching “cannot be driven by arbitrary timelines,” said the executive, who requested anonymity to speak candidly.
The rules gave operators just a few months to reset the passwords for all of their industrial equipment, which includes thousands of control boxes that tell pipeline valves and pumps when to open and close. But many of these boxes can’t be controlled remotely, requiring physical site visits, and replacing antiquated boxes is difficult because few vendors make them. As a result, many companies have been given extra time to comply with this requirement.
The TSA is letting companies request permission to meet the agency’s security goals using their own techniques if they believe the required methods are impractical. But while companies have submitted 370 requests to use these “alternative measures,” the TSA has approved only five of those requests, the senior agency official confirmed.
Industry executives say that’s partly because the TSA doesn’t have enough employees to quickly process the requests. Only one person at TSA headquarters and a handful of people in its regional offices have been reviewing these applications, according to Lee and the pipeline executive.
“They don't have the staff,” the pipeline executive said. “We can go weeks or months without hearing back from them.”
The TSA official said the agency has approximately 24 full-time and contract employees dedicated to reviewing alternative measures requests. They said the volume of requests is “unprecedented” and much higher than in TSA’s aviation program.
“Is it moving as fast as I would like it to? Probably no,” the official said. “But it's moving at a pace that ensures that whatever we approve or deny has been fully evaluated.”
The agency has reviewed more than 170 requests and is still reviewing approximately 200 others. In addition to the five approvals, the agency closed several dozen requests by changing the directive itself to address the concerns, the official said. However, according to the pipeline executive, TSA staffers will sometimes tell a company that they’ve reviewed a request but won’t make a decision on it without more information — but without specifying what extra information they want.
“There is not a single pipeline operator who has felt positive about the interactions that I’m aware of,” Lee said. “This has derailed lots of other valuable security efforts.”
During a meeting with pipeline companies on Feb. 16, TSA Administrator David Pekoske acknowledged that, given how few alternative measures the TSA has approved, the agency needs to do better at sharing information about those creative workarounds with the rest of the industry, according to the energy executive.
Pipeline operators want entirely new, “outcome-based” rules that would allow them to meet the government’s expectations through measures of their choosing. For example, instead of requiring specific practices for separating operational networks from computers used for other purposes, such as email, web browsing or payroll processing, the TSA would simply direct companies to ensure that those systems are sufficiently separated, so a hacker couldn’t jump from a human resources system into a pipeline’s control panel. Companies would then develop their own plans for achieving that goal.
Pekoske agreed on the need to adopt this more flexible model during the Feb. 16 meeting, the energy industry executive said.
The senior DHS official said the administration was carefully considering lessons from other regulatory programs as it crafts new permanent rules for pipelines and other infrastructure under the TSA’s purview. But it will take a long time to replace the pipeline regulations with the more flexible rules that the industry wants.
A full, thorough rulemaking process with ample time for industry consultation would likely take 18 to 24 months, Lee said, while a rushed but still adequate process could take a year. This would involve the government identifying its security expectations, companies suggesting ways to achieve those goals and both parties collaborating to write the final rules.
The government could still require specific practices, such as employing a chief information security officer or maintaining and regularly practicing an incident response plan. “Those are prescriptive,” Lee said, “but they're prescriptive in such a way that it's allowing [companies] to still do the right things.” The electric sector’s Critical Infrastructure Protection cyber standards provide a model for these types of outcome-based rules, he said.
The senior TSA official said the agency has been talking to energy regulators about modeling its rules after the electric sector’s standards, but they cautioned that creating similar rules could take years. “In some cases,” they said, “we don't have that length of time.”
Industry representatives argue it’s worth taking the time to create a better process.
“We want TSA to take the time to be thoughtful and get this right,” said the pipeline executive.