The Transportation Security Administration (TSA) issued two pipeline security directives in FY 2021 following the Colonial Pipeline ransomware attack. Now, the Office of Inspector General (OIG) has assessed whether these security directives addressed cyber threats and stakeholder concerns and strengthened pipeline security.
OIG found that while the directives should strengthen pipeline operators’ posture against cyber threats, TSA did not ensure all pipeline operators adhered to security requirements contained in the directives in a timely manner. For example, OIG found that several critical pipeline operators did not meet one or more requirements in Security Directive Pipeline–2021– 02 Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing (SD-02). Additionally, TSA used action plans and warning notices to bring pipeline operators into compliance with SD-02, but TSA could not easily provide related information, such as which SD-02 requirements remained unresolved.
OIG found that TSA did not follow up and track the pipeline operators’ assessments of the effectiveness of their cybersecurity practices. This occurred, the watchdog said, because TSA does not have standard operating procedures or a formal system to track and follow up on pipeline operators’ implementation of the security directives. Without additional oversight, OIG is concerned that TSA cannot ensure full implementation of security directives, which can leave pipelines vulnerable to cyber attacks.
In light of the audit’s findings, OIG has made three recommendations:
- Complete rulemaking that will permanently codify critical cybersecurity requirements for pipelines.
- Develop standard operating procedures and a formal tracking system to ensure consistent tracking and follow-up of the implementation of security directives and eventual regulations.
- Include a requirement to conduct follow-up inspections that ensure pipeline operators have completed mitigation activities to address cybersecurity vulnerabilities.
TSA concurred with each recommendation and is currently working to issue a regulation that will codify critical cybersecurity requirements for pipelines. The target for publication of the final rule is the fourth quarter of fiscal year 2024.