TSA, DHS Announce Cyber Protection Orders

The TSA and Department of Homeland Security announced new rules for critical pipelines. But the cyber protection order raises the question: why stop there?

Cybersecurity attacks continue to rise and plague businesses worldwide. Supply chain attacks are becoming a trend as threat actors look to disrupt our economy for financial gain. There has long been a need for more stringent legislation and regulations around cybersecurity, especially for private companies, and the Department of Homeland Security, in conjunction with the Transportation Security Administration, seems to agree. Sort of. Last week, the TSA announced new cyber protection and cybersecurity rules for critical pipelines.

The announcement marks the first time a federal agency has mandated cybersecurity protocols for privately-owned companies. The idea has been proposed in the past, but private companies lobbied to get rid of it, and economists warned that it could set the U.S. behind other countries if implemented. Now, though, life looks very different. We’re still in the middle of an incredibly deadly pandemic that’s affected the way the world functions. Threat actors, bored with scanning IP addresses and needing a new challenge, have taken to attacking supply chain providers. The recent attack on the Colonial Pipeline is the main driver of this move, though, since the order specifically targets chemical and liquid pipelines.

The cyber protection order mandates “owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyberintrusions.” Right now, the only affected industry is the pipeline industry, which must adhere to the following:

• Develop and implement a “contingency and recovery” plan for cyberintrusions;

• Compare the plan with DHS standards, identify gaps, develop measures to fill them, and gain approval for them from the Cybersecurity and Infrastructure Security Agency, or CISA;

• Appoint and identify, within seven days, a cyber coordinator (and a backup cyber coordinator) who is available to the DHS’s CISA officials “24/7”; and

• Report all cyberintrusions to CISA within 12 hours of the incident.

These new requirements were previously guidance issued by the TSA in 2018, but are now mandatory. This shows that the federal government is ready to move away from its previously hands-off approach and is now willing to take action and set standards for cyber protections that businesses are required to follow.

This is another instance of the government making a great first step that is also not quite enough. Why is this strictly limited to the pipeline industry? That’s certainly not the only place where our economy can be impacted by a cyber attack, ransomware or otherwise. The SolarWinds hack is another example of a supply chain attack, and while tech companies should be among those with the highest levels of security, that’s not always the case. That is why standardized regulations are so important: regulations that apply to every business.

Still, this opens the door for additional federal action in the cyber realm. Whether it’s setting additional standards in other industries or adjusting the punishment doled out to those who are caught perpetuating the cycle, the government is getting involved. While past administrations remained at a distance, the Biden administration seems to be taking a different direction. And it’s a much needed direction as threat actors become bolder and look to escalate attacks further than ever.

Any new rule, regulation, law or compliance guideline must be thoroughly understood to ensure that your business is following the rules. The fines and punishments for breaking those rules can be costly. Make sure your business is ready for the regulations that might be coming. Do an audit of your business, look for gaping holes and fix them. Then bring in an outsider, an expert who can review your business practices and security protocols. Make sure your internal team doesn’t miss anything. And make sure that you’re adhering to the most up-to-date regulations, laws and compliance guidelines to avoid those costly penalties.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
