The U.S. Department of Homeland Security is preparing to issue a directive that will require all pipeline companies to report cybersecurity incidents following the ransomware attack on Colonial Pipeline Co. earlier this month.

The Washington Post reported today that the Transportation Security Administration, a unit of the DHS, will issue the reporting directive later this week. The TSA will then follow up in the coming weeks with a “more robust set” of mandatory rules for how pipeline companies must safeguard systems and the steps they should take if they are hacked.

“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokesperson Sarah Peck said in a statement. “TSA, in close collaboration with CISA [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

That the TSA oversees pipeline security alongside its better-known role in providing airport security is an artifact of a reorganization of the federal government following the 9/11 attacks. The Department of Transport had previously overseen pipeline security. Muddling things somewhat, DOT is still in charge of pipeline safety, making sure pipelines don’t fail.

The new directive will require pipeline companies to report cyber incidents to the TSA and CISA and to have a cyber official — such as the company’s chief information security officer — with a 24/7 direct line to report an attack. Pipeline companies will also be required to assess their systems as measured against existing cyber guidelines.

The proposed directive has drawn mixed responses from cybersecurity professionals.

Tyler Shields, chief marketing officer at cyber asset management and governance solutions provider JupiterOne Inc., told SiliconANGLE that the regulationshould have a positive impact on security at pipeline companies, since government fines and other damages are a strong incentive for security improvement.

Hank Schless, senior manager, security solutions at mobile security solutions provider Lookout Inc., was also positive, noting that “implementing new regulations could be very effective in the battle against cybercriminals so long as organizations actually take action to align with them.”

“It takes time and resources to align with new regulations, but this should at least serve as motivation for similar companies to get the ball rolling,” Schless added.

Others were more skeptical. Monti Knode, director of customer & partner success at automated security assessment and validation startup Horizon3.AI Inc., argued that “unless the federal government is appointing a new regulatory lead or new enforcement mechanisms, this regulation already exists, specifically for oil or gas refineries as defined within Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act.”

Tim Wade, technical Director, chief technology officer Team at AI cybersecurity firm Vectra AI Inc., warned that although the proposal “indicates modest, common-sense measures,” the “risk of regulatory action is always overreach, a disconnect between the regulatory requirements and the desired outcomes, the law of unintended consequences and the introduction or perpetuation of a framework that long outlives its usefulness.”

Indeed, John Bambenek, threat intelligence adviser at the information technology services management company Netenrich Inc., warned that the proposal might not work at all.

“Notification to the federal government of cyberattacks is less significant than whatever protective regulations they issue, but the facts are, we have thousands of pages of policies, regulations and studies on security for the federal government and they still get breached,” Bambenek said. “A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing future incidents.”

Photo: Colonial Pipeline