More than two dozen critical pipeline operators in the US were summoned by the Transportation Security Agency (TSA) for a top-secret briefing in response to the ransomware attack on the Colonial Pipeline. The TSA, the agency that regulates pipelines, as well as air travel, railways, highways, and mass transit systems, planned to issue security directives to enhance pipeline operators’ security. David Pekoske, administrator of the TSA, explained that the TSA wanted to see CEOs of pipeline operators attending the meeting to understand the threat to critical infrastructure and the need to work with the government to boost pipeline operations’ resilience.
The meeting was held under high-security precautions in the White House where TSA and other administration officials delivered a presentation and outlined the threat posed to critical infrastructure. Pekoske, during his speech at the Hack the Capitol conference, praised the opportunity to meet with the pipeline CEOs, saying it was an “absolute best practice” and was critical to paving the way for continued top-level communications.
The approach to the pipeline industry was taken to all of the TSA’s critical infrastructure sectors, resulting in a fine-tuned approach to implementing a concept that government’s have repeatedly referred to for more than a decade, known as public-private partnership. Along with cybersecurity experts at the Joint Cyber Defense Collaborative (JCDC) and government officials with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the TSA worked with critical-infrastructure operators and industrial control systems partners to adapt its approach to cybersecurity to build resiliency within that infrastructure sector, so that if attacked, the services that the critical infrastructure sector provides could come back online quickly.
Following the Colonial Pipeline cyberattack, the TSA initially focused on prescribing specific cybersecurity measures, but quickly realized, after listening to industry feedback, that the technology would change in the next 12 to 18 months, leaving their recommendations outdated. Therefore, it pivoted to a performance-based model, which requires specific outputs to be achieved, focusing on resiliency, creating a cybersecurity implementation plan, establishing regular cyber assessments, and creating a response plan.
Pekoske emphasized that collaboration was critical to creating a resilient cyber infrastructure. Working with industry and meeting with cybersecurity teams and executives and understanding their business concerns are all essential. He believes that success as the administrator is when CEOs can approach him if they feel worried or concerned about cybersecurity. To prevent future cyberattacks, pipelines’ regulation requires a concerted effort from both the government and private sector.