TSA Official: Feds Improved Cybersecurity Response Post-Colonial Pipeline

US Transportation Security Agency (TSA) administrator reflects on how the Colonial Pipeline incident has moved the needle in public-private cooperation.

3 Min Read
an oil pipeline
Source: Christian42 via Adobe Stock

In the wake of the ransomware attack on the Colonial Pipeline, the US Transportation Security Agency — the agency that regulates pipelines as well as air travel, railways, highways, and mass transit systems — brought together the CEOs of more than two dozen critical pipeline operators for a top-secret briefing in the White House.

The TSA planned to hand down security directives to drive pipeline operators to enhance security, and they knew those companies' CISOs would have to ask their CEOs for more resources and higher priority, David Pekoske, administrator of the Transportation Security Administration, told attendees at the Hack the Capitol conference in McLean, Va. on May 11.

During that meeting, the TSA and other administration officials outlined the threat to critical infrastructure and why the pipeline operators needed to work with the government to make pipeline operations more resilient, he said.

"We knew we were going to be asking a lot of the industry — we want the CEOs themselves to see what the threat was, or see why we were so concerned about this," Pekoske said. "I would label that as an absolute best practice, because that really paved the way for rapid implementation and really paved the way for continued top-level communications between myself and those CEOs."

The TSA took the same approach to each of its critical infrastructure sectors as well, which resulted in creating a better approach to implementing a concept to which the government has repeatedly referenced for more than a decade: The public-private partnership. Along with cybersecurity experts at the Joint Cyber Defense Collaborative (JCDC) and government officials with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the TSA worked with critical-infrastructure operators and industrial control systems partners to adapt its approach to cybersecurity, Pekoske told attendees.

"We have pivoted over the course of these two years to become, in our view, even more effective in cybersecurity with our partners in the transportation sector," he said. The goal is to "build resiliency within that infrastructure sector, so that if attacked, the services that the critical infrastructure sector provides could come back online quickly."

Performance, Not Prescription

Following the Colonial Pipeline attack, the TSA initially focused on prescribing specific cybersecurity measures, but quickly realized — after listening to industry feedback — that if the agency maintained that approach, the technology would change in the next 12 to 18 months, leaving their recommendations outdated.

"We can't turn the crank on the regulatory process within that time frame," he said. "So instead, we've gone into this performance-based model, which is something that the national cyber strategy calls for and is really, I think, the way to go."

The performance-based model requires that specific outcomes be achieved, including focusing on resiliency, creating a cybersecurity implementation plan, establishing regular cyber assessments, and creating a plan for response, Pekoske said.

Cyber Resiliency Requires Collaboration

Working with industry, meeting with cybersecurity teams and executives, and understanding their business concerns are all critical to creating a resilient cyber infrastructure, he told Hack the Capitol attendees.

"To me, success as the administrator is when something's really bothering a CEO, that person feels like they can call me and just say, 'Hey, I'm hearing this, I'm really concerned about it. Can you help me out here?'" he said. "As a taxpayer, that's kind of really what I think ought to happen in government ... you can always make 10 or 15 minutes, particularly for somebody who's running a critical piece of our national infrastructure."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights