Hack Exposed Government’s Light-Touch Oversight of Pipelines

aeSolutions' John Cusimano was recently featured in a Washington Post story about new TSA cybersecurity requirements for pipeline operators.

"The TSA is reversing its hands-off approach to overseeing pipeline cybersecurity in the wake of a devastating ransomware attack on critical U.S. infrastructure"

In 2018, the TSA began taking steps to ensure more pipeline operators were investing in cybersecurity. The agency issued revised guidelines, with a beefed-up cybersecurity section that now included criteria defining a “critical” facility that should have cybersecurity controls.

In recent years, the TSA has included those guidelines in a cybersecurity portion of its on-site corporate security reviews. These assessments of a pipeline owner’s policies and procedures are seen more as a “tabletop exercise,” said John Cusimano, vice president of industrial cybersecurity at aeSolutions, a consulting firm.

“The assessors they send out don’t have a lot of cybersecurity background,” he said, and they accept general answers without follow-up. “Getting through one of these TSA cyber assessments is pretty easy.”

And James Hoecker, a Washington-based lawyer who represents energy companies and is a former chairman of the Federal Energy Regulatory Commission, says, “Since the standards are voluntary, the pipelines can say, ‘Thank you very much we’re doing just fine and we don’t need to disclose this information.’ ”

Read the full story on WashingtonPost.com
