Coming two months after the ransomware attack on the Colonial Pipeline, the U.S. Transportation Security Administration (TSA), a unit of the U.S. Department of Homeland Security, issued new safeguard guidelines on Tuesday that fuel pipeline operators must implement to better guard their operations from ransomware and other cyberattacks and mitigate the damages caused by any such attacks.
For now, the TSA is keeping many of the specifics of the new directive under lock and key, presumably in an effort to keep hackers from gleaning valuable information about pipeline operators’ networks and associated cyber defenses. Nonetheless, the announcement that the TSA has issued these new guidelines previews that the TSA and presumably Homeland Security if not other divisions of the executive branch are going to take a more active role in regulating private-sector entities' cybersecurity efforts if national security or commerce are at risk.
Undoubtedly, challenges to the new guidelines are likely forthcoming, as in issuing the directive, the TSA bypassed the traditional rulemaking required by the Administrative Procedures Act. Typically, an agency seeking to promulgate a rule (or change to existing rule) must follow an open public process with multiple rounds of public notice and public comment periods before a rule is finalized.
Nixon Peabody’s Cybersecurity and Privacy Team will continue to monitor developments.