After not doing anything over the last twenty years to protect the cybersecurity of pipelines, the TSA decided they needed to do something – anything – so that they have the appearance of responding the problem.
If you get the sense that I am not impressed, you are correct.
So what do pipeline operators have to do now?
The first thing, which I suspect that operators are not thrilled about, is that they now have to report both confirmed and POTENTIAL cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
One requirement that probably won’t be too painful is that they are required to designate a cybersecurity coordinator and that person needs to be available 24/7.
They also have to review their current security practices and report risks, gaps and remediation measures to the TSA and CISA within 30 days. What makes this a bit toothless is that there is no guidance in how to conduct this risk assessment.
The Secretary of Homeland Security, Alejandro N Mayorkas said that DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.
I would rather they treat these organizations like businesses that they are regulating and hold them accountable for their horrible security (reminder: the auditor of an audit that Colonial paid for a few years ago said their security was so bad that an 8th grader could hack them). Partners are cozy. Way too cozy. Credit: Bleeping Computer
Nothing in this order requires them to fix any issues, fix them in a particular amount of time or adhere to any standards. Even the electric industry has standards. Credit: Metacurity
While this is designed to give the appearance that the government is doing something, that something is, in reality, not very much.