
TSA mandates pipeline cybersecurity measures

RICHARD WEINER
Technology for Lawyers

Published: September 3, 2021

The federal Transportation Safety Administration (TSA) has recently mandated that pipelines (I’m assuming that this means companies that run pipelines) install security measures to obviate the risk of ransomware attacks.
According to the Washington Post, “this is the first time that the government has mandated specific cyber protections for pipelines.”
This order follows the May ransomware attack on Colonial Pipeline that drove everyone crazy because nobody seems to understand the difference between a hack and ransomware and everybody thought that the hack shut down the pipeline when, in fact, it did not. Colonial shut down the pipeline in order to try to prevent an outside attacker from shutting it down.
The shutdown caused gas shortages in the Southeast for almost two weeks, causing all those people to declare that the world was coming to an end. It was not. Not yet.
This order follows a previous May 2021 order from the TSA mandating that pipeline companies report any cyber attack.
Secretary of Homeland Security Alejandro N. Mayorkas said: “The lives and livelihoods of the American people are reliant upon secure critical infrastructure. Through this security directive, the department can ensure that the pipeline sector takes the necessary steps to safeguard their operations from rising cyber threats and thereby better protect our national and economic security.”
Although this goes without saying, I’ll say it anyway, especially to those of you who thought that a hack shut down the pipeline. All this is at least 5 years late. The previous administration didn’t seem to care about cybersecurity and so it didn’t impose any of these mandates and you got what you got out of that. Heaven only knows what else is going on out there because the government shined cybersecurity on for four years.
The TSA is not revealing what the specific details of these mandates are, other than to say that they include specific mitigation measures “to protect against ransomware and other known threats.”
In other words, “you should have known this was going to happen because literally everyone knows what these threats are.”
So bonne chance, until another critical industry gets ransomwared.

