At a joint hearing of the House Homeland Security subcommittees on transportation and cybersecurity, a representative of the Transportation Security Agency outlined what to expect from an upcoming security directive for oil and gas pipelines.
The TSA is the agency tasked with pipeline security. After the Colonial Pipeline ransomware incident, it took a landmark step of mandating security practices at pipeline using its emergency authorities. But it did so saying that the first order would soon be followed by a second. Proctor's glimpse at the second order is the first public preview of that order.
"It will have a lot more detail and be more perscriptive in terms of the mitigation measures required," said Sonya Proctor, assistant administrator for surface operations for the TSA.
Proctor said that order would be specific enough in its perscriptive requirements that it would be marked security sensitive information, not quite classified but still intended to be kept away from the public eye.
Details emerged after chair of the transportation subcommittee Bonnie Watson Coleman, D-N.J., asked if there was any way to enforce the self-reporting requirements put forth in the first order.
"There is a requirement for companies to conduct a self-assessment as part of those requirements in security directive one. However, we are continuing to develop additional measures for companies and we are developing now a second security directive, which would have the force of a regulation that would require more specific mitigation measures. And it will ultimately include more specific requirements with regard to assessment," she said, latter adding that the directive would be subject to inspection by the TSA's principal security investigators.
Elswhere in her testimony, Proctor said that a popular emerging narrative among lawmakers to show Colonial acting abnormally irresponsible was off base. At House and Senate hearings last week as well as the hearing today, lawmakers were particularly incensed by Colonial Pipeline repeatedly rescheduling voluntary security inspections from the TSA before being struck by ransomware. The CEO of Colonial Joseph Blount, explained the delay as the result of COVID-19 and wanting to schedule the inspection for after the company moved locations.
Proctor said delays like this were not out of the ordinary.
"During the pandemic, there were a number of companies that had limited personnel on site, she said. “They considered that personnel on site essential personnel. They did restrict them from a lot of interaction with outsiders.”