UPDATED 22:54 EDT / MAY 27 2021

TSA formalizes new cybersecurity rules for critical pipeline owners and operators

The Department of Homeland Security’s Transportation Security Administration has formally announced new cybersecurity requirements for critical pipeline owners and operators.

The directive, which was first reported earlier this week as forthcoming, requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and to designate a Cybersecurity Coordinator who must be available 24 hours a day, seven days a week.

The order also requires critical pipeline owners and operators to review their current practices and to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” Secretary of Homeland Security Alejandro N. Mayorkas said in a statement. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security.”

The TSA is also considering follow-on mandatory measures that will further support the pipeline industry. The follow-on orders are aimed at enhancing cybersecurity and strengthening the public-private partnership “so critical to the cybersecurity of our homeland.” What exactly those “mandatory measures” would be was not detailed.

As noted when the directive was first reported to be coming, the TSA’s oversight of pipeline security alongside its better-known role in providing airport security is an artifact of a reorganization of the federal government following the 9/11 attacks. The Department of Transportation had previously overseen pipeline security. Muddling things somewhat, DOT is still in charge of pipeline safety, making sure pipelines don’t fail.

“The administration is clearly making cybersecurity modernization a priority,” Daniel Trauner, director of security at cybersecurity asset management platform provider Axonius Inc., told SiliconANGLE. “But in any mandate that asks for bold, sweeping action, there is nuance involved that needs to be considered related to operational reality.”

For example, he said, having two people responsible for reporting all potential incidents within 12 hours isn’t realistic. “Also missing from this mandate are more proactive guidelines designed to prevent security incidents,” he added.

Edgard Capdevielle, chief executive of critical infrastructure security specialist company Nozomi Networks Inc., which works with nine of the top 20 global oil and gas companies, said the new directive is a good start.

“Mandatory breach reporting and security gap assessments are important first steps to address security issues in the oil and gas sector,” Capdevielle said. “As seen with Colonial, the cost of downtime is prohibitive; many in this sector already engage in mature cybersecurity practices.”

But he added that the distributed nature of oil and gas operators — pipelines, rigs and refineries in remote locations — makes securing their physical infrastructure difficult. “We know from our customers that no two operators are alike in terms of the exact processes and systems they’re using,” he said. “These factors make it harder to establish one set of cybersecurity requirements that will work effectively for all.”
