TSA’s new directive mandating that pipeline operators take cybersecurity seriously is being met with skepticism by experts. The skepticism extends to rumors of a $7,000 penalty for each day that a breach goes unreported.
Last week, the US Department of Homeland Security’s Transportation Security Administration announced a directive to “better identify, protect against, and respond to threats to critical companies in the pipeline sector.”
The directive mandates that critical pipelines report cybersecurity incidents, including potential incidents, to the Cybersecurity and Infrastructure Security Agency (CISA). Operators must also now have a Cybersecurity Coordinator on hand.
More recent reports say pipeline operators who fail to comply with the new requirements stand to incur penalties, even though the directive doesn’t mention fines explicitly. Officials who asked to remain unidentified told Bloomberg that “the directive will impose fines on pipeline companies that fail to report incidents within 12 hours.”
“This is the first time there’s mandatory reporting of cybersecurity incidents,” according to one of the officials who spoke to journalists ahead of the directive’s unveiling.
A CSO report even mentions actual numbers:
“Although not appearing anywhere in the directive, pipeline companies that fail to meet the security requirements would be subject to financial fines, starting at $7,000 per day,” the report notes, linking back to the same Bloomberg piece. It is worth noting that Bloomberg’s sources didn’t mention actual numbers.
Oil and gas companies reportedly met the directive with skepticism, with many calling the move a rushed effort to show that steps are being taken in the wake of the Colonial Pipeline ransomware attack.
Former Justice Department and Navy Department lawyer Robert Cattanach tells CSO that imposing strict fines means going through lengthy rulemaking proceedings.
“That’s a years-long process. There’s no way they could actually impose fines without going to comment,” Cattanach said.