DHS rework of pipeline cybersecurity rules placates industry
The Department of Homeland Security rolled out new cybersecurity rules for pipeline owners and operators Friday — marking a win for the pipeline industry, which spent the last year criticizing the directive that these new rules replace.
Why it matters: The pipeline business is among those with the strictest cybersecurity regulations, and agencies for other industries are following this saga closely before drafting their own cyber regulations.
Driving the news: The Transportation Security Administration, which is part of DHS, issued its first set of cybersecurity rules last year after a ransomware attack on the Colonial Pipeline shut the pipeline down for several days.
- But operators quickly pushed back, arguing that many of the new rules didn’t account for the intricacies of their physical infrastructure and could prompt further disruptions in pipeline operations.
Details: The new rules place more emphasis on the security outcomes TSA wants from operators, rather than the processes operators should enact to achieve those goals.
What they’re saying: “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes,” TSA Administrator David Pekoske said in a statement.
- “TSA has absolutely recognized that, in some instances, outcomes are better suited to mitigate a potential cyberattack than the prescriptive approach,” Jim Guinn, senior managing director of Accenture’s cyber business, told Axios.
Yes, but: Cybersecurity consultants who work with pipeline operators told Axios there’s still some room for improvement as the new rules go into effect.
- Guinn said the rules lack any requirements for pipeline owners and operators to create inventories for the tools and technology they utilize, which could make it harder for them to know what security risks they’re vulnerable to.
What’s next: TSA’s new rules go into effect for one year on July 27. The agency then plans to accept comments from the industry as it starts a formal agency rule-making process for permanent rules.