The Department of Homeland Security (DHS) in the US is set to regulate cybersecurity in the pipeline industry following the Colonial Pipeline attack.
According to The Washington Post, a senior DHS official has stated that security regulations will be issued this week from the Transportation Security Administration, and will require pipeline companies to report all cybersecurity incidents to federal authorities.
A fuller set of regulations are due to be released in a few weeks’ time, which will lay out in further detail the actions pipeline operators will be expected to take to protect their systems from cyber-attacks. For those companies that are infiltrated by cyber-attacks, post-breach behaviour will also be regulated.
The new regulations are mandatory, and replace voluntary guidelines previously issued by the DHS. The new regulations will require companies to address cybersecurity issues, or face financial penalties.
“This is a first step, and the department views it as a first step, and it will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes,” said a senior DHS official.
The regulatory changes mark a shift in the TSA’s approach, who have previously relied on collaboration, rather than mandatory requirements. These changes are as a result of the growing debate about how the government should handle cyber threats against critical U.S infrastructure. The Biden administration and Congress members have been criticised for lacking strict cybersecurity regulations for gas and oil pipelines.
“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck said in a statement. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”