The Transportation Security Agency (TSA) is in the process of developing another cybersecurity directive for critical infrastructure pipeline owners and operators, following the initial directive it issued to them following the Colonial Pipeline ransomware attack.
Sonya Proctor, the assistant administrator for Surface Operations at TSA, told the House Subcommittees on Transportation and Maritime Security, Cybersecurity, and Infrastructure Protection and Innovation at a June 15 hearing that the second directive will be focused on mitigation measures.
“We are continuing to develop additional measures for pipeline companies,” Proctor said at the hearing. “We are developing a second security directive, which would have the force of a regulation, and that one will require more specific mitigation measures, and it will ultimately include more specific requirements with regard to assessment.”
The second directive would work in conjunction with the first, which requires owners and operators of critical pipeline infrastructure to report any cyberattacks and to have a designated cybersecurity coordinator on staff. The second directive, Proctor said, will be a security sensitive information (SSI) directive and will be more detailed about mitigation measures critical pipeline operators can take.
The second TSA directive will be subject to TSA inspections. Proctor said the agency has a group of inspectors that have been trained in pipeline operations and cybersecurity measures.
“They have both pipeline operations training and cyber training, so they will be the individuals who will be ensuring that the pipeline companies are adhering to what’s required to get those security directives,” Proctor told the subcommittees.
Proctor gave no timeline on when the directive is expected to be released.