DHS rework of pipeline cybersecurity rules placates industry

Driving the news: The Transportation Security Administration, which is part of DHS, issued its first set of cybersecurity rules last year following the ransomware attack on the Colonial Pipeline that shut it down for several days.

• But operators quickly pushed back, arguing that many of the new rules didn’t account for the intricacies of their physical infrastructure and could prompt further disruptions in pipeline operations.

Details: The new rules place more emphasis on the security outcomes TSA wants from operators, rather than the processes operators should enact to achieve those goals.

What they’re saying: “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes,” TSA Administrator David Pekoske said in a statement.

• “TSA has absolutely recognized that, in some instances, outcomes are better suited to mitigate a potential cyberattack than the prescriptive approach,” Jim Guinn, senior managing director of Accenture’s cyber business, told Axios.

Yes, but: Cybersecurity consultants who work with pipeline operators told Axios there’s still some room for improvement as the new rules go into effect.

• Guinn said the rules lack any requirements for pipeline owners and operators to create inventories for the tools and technology they utilize, which could make it harder for them to know what security risks they’re vulnerable to.

What’s next: TSA’s new rules go into effect for one year on July 27. The agency then plans to accept comments from the industry as it starts a formal agency rule-making process for permanent rules.