In the wake of the ransomware attack on the Colonial Pipeline, the US Transportation Security Administration (TSA) — the agency that regulates pipelines as well as air travel, railways, highways, and mass transit systems — brought together the CEOs of more than two dozen critical pipeline operators for a top-secret briefing at the White House.
The TSA planned to hand down security directives to drive pipeline operators to enhance security, and they knew those companies' CISOs would have to ask their CEOs for more resources and higher priority, David Pekoske, administrator of the Transportation Security Administration, told attendees at the Hack the Capitol conference in McLean, Va. on May 11.
During that meeting, the TSA and other administration officials outlined the threat to critical infrastructure and why the pipeline operators needed to work with the government to make pipeline operations more resilient, he said.
"We knew we were going to be asking a lot of the industry — we want the CEOs themselves to see what the threat was, or see why we were so concerned about this," Pekoske said. "I would label that as an absolute best practice, because that really paved the way for rapid implementation and really paved the way for continued top-level communications between myself and those CEOs."
The TSA took the same approach with each of its critical infrastructure sectors, which produced a better way of implementing a concept the government has repeatedly referenced for more than a decade: the public-private partnership. Along with cybersecurity experts at the Joint Cyber Defense Collaborative (JCDC) and officials with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the TSA worked with critical-infrastructure operators and industrial control systems partners to adapt its approach to cybersecurity, Pekoske told attendees.
"We have pivoted over the course of these two years to become, in our view, even more effective in cybersecurity with our partners in the transportation sector," he said. The goal is to "build resiliency within that infrastructure sector, so that if attacked, the services that the critical infrastructure sector provides could come back online quickly."
Performance, Not Prescription
Following the Colonial Pipeline attack, the TSA initially focused on prescribing specific cybersecurity measures, but quickly realized — after listening to industry feedback — that technology would change within the next 12 to 18 months, leaving its recommendations outdated if the agency maintained that approach.
"We can't turn the crank on the regulatory process within that time frame," he said. "So instead, we've gone into this performance-based model, which is something that the national cyber strategy calls for and is really, I think, the way to go."
The performance-based model requires that specific outcomes be achieved, including focusing on resiliency, creating a cybersecurity implementation plan, establishing regular cyber assessments, and creating a plan for response, Pekoske said.
Cyber Resiliency Requires Collaboration
Working with industry, meeting with cybersecurity teams and executives, and understanding their business concerns are all critical to creating a resilient cyber infrastructure, he told Hack the Capitol attendees.
"To me, success as the administrator is when something's really bothering a CEO, that person feels like they can call me and just say, 'Hey, I'm hearing this, I'm really concerned about it. Can you help me out here?'" he said. "As a taxpayer, that's kind of really what I think ought to happen in government ... you can always make 10 or 15 minutes, particularly for somebody who's running a critical piece of our national infrastructure."