ROUNDTABLE: Experts react to DHS assigning TSA to keep track of cyber attacks on pipelines

By Byron V. Acohido

The same federal agency that makes you take your shoes off and examines your belongings before boarding a flight will begin monitoring cyber incidents at pipeline companies.


The Department of Homeland Security on Thursday issued a directive requiring all pipeline companies to report cyber incidents to DHS’s Transportation Security Administration (TSA).

This, of course, follows a devastating ransomware attack that resulted in a shutdown of Colonial Pipeline.

It can be argued that this is one small step toward the true level of federal oversight needed to protect critical infrastructure in modern times. I covered the aviation industry in the 1980s and 1990s when safety regulations proved their value by compelling aircraft manufacturers and air carriers to comply with certain standards, at a time when aircraft fleets were aging and new fly-by-wire technology introduced complex risks.

We’re a long way from having regulatory frameworks for data privacy and network security needed for critical infrastructure — akin to what we have to keep aviation and ground transportation safe and secure. However, the trajectory of ransomware attacks, supply chain corruption, denial of service attacks and cyber espionage is undeniable.

It seems clear we’re going to need more regulations to help guide the private sector into doing the right things. The discussion is just getting started, as you can see by this roundtable of comments from industry experts:

Edgard Capdevielle, CEO, Nozomi Networks


Most critical infrastructure sectors don’t have mandatory cyber standards, and until now that included oil and gas. The requirement for mandatory breach reporting will help shine a light on the extent of the problem in this sector.  Cybersecurity is a team sport. Pipeline operators, security vendors and the government alike need to work together as a community to share threat intelligence and breach data in real time.  An open approach to information sharing will play a big part in building a more mature cyber defense.

While there’s a place for regulated security requirements, we need to be careful not to put all the burden on the victim(s). Tax incentives, and government-funded centers of excellence will help ensure critical infrastructure operators can build and maintain effective cybersecurity programs over time. And it’s time to take aggressive steps to hold sophisticated criminal rings and threat actors accountable for their crimes.

Rosa Smothers, senior vice president, KnowBe4 


We need to do more and this is a start, but why single out pipeline delivery? These pipelines are one component of our overall critical infrastructure — but what about power, water, oil, transportation and communications? Cybersecurity requirements should be levied throughout these critical industries to ensure the same level of readiness and prevent a far greater crisis than what occurred with the Colonial pipeline ransomware incident.

There are fundamental cybersecurity tenets that often go ignored by industries responsible for our critical infrastructure. We must also consider who is best suited to handle this effort — since its establishment post-9/11, TSA has been focused on airline security. CISA must be enabled to handle the critical infrastructure cybersecurity mission.

Jerome Becquart, COO, Axiad


Cybersecurity is no longer a priority for just the IT team and the CIO.  In the oil and gas and other industries, physical infrastructure and operational assets are now highly connected to our global networks, making them vulnerable to the same type of attacks that previously only occurred on cloud-based applications and digital assets.

As operations digitalized, many organizations failed to do one thing: prioritize security. This is compounded by the fact that organizations often lagged behind in adapting their processes and still operate with an analog mindset.

It’s critical to reassess and take a more dynamic approach to security: identify what connects to our infrastructure, validate these are legitimate entities, and ensure the right level of access. We need to leverage the identity management best practices we are using in the IT space and extend them to the operational side of our businesses.

Chris Clements, vice president of solutions architecture, Cerberus Sentinel


For critical infrastructure, cyber security must be one of the highest priorities, perhaps second only to personnel safety. As we become ever more reliant on technology to deliver vital services and resources to our country, we must ensure that the added efficiency does not also carry with it increased risk.

The problem is that technology isn’t just one thing, but a whole sphere of different specific disciplines, each of which can take years to master.  Security is one such domain that requires deep experience and expertise to approach even adequate levels of protection.  The same way you wouldn’t want a heart surgeon rooting around in your brain (or vice versa), effective security programs can’t be an “in addition to” responsibility of IT staff


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

