A trio of Republican senators is seeking information from the Transportation Security Agency (TSA) about its process for developing the two pipeline security directives it issued this summer, according to an Oct. 28 letter sent to Department of Homeland Security (DHS) Inspector General (IG) Joseph Cuffari.
The letter from Sens. Rob Portman, R-Ohio; James Lankford, R-Okla.; and Mike Rounds, R-S.D., does not raise issues with the motives for the directives, but rather the process and results. The senators are taking issue with reports that TSA and the Cybersecurity and Information Security Agency (CISA) did not give proper consideration to industry feedback, and that TSA’s Office of Legislative Affairs reportedly also failed to provide draft copies of the directives with Congress.
“We agree that critical infrastructure must be protected against cyber-attacks, particularly in the wake of the Colonial Pipeline ransomware attack, but the process by which TSA has issued these directives raises concerns,” the senators said. “To address these concerns, we request that you review TSA’s development and issuance of emergency security directives this year.”
In the wake of the Colonial Pipeline ransomware attacks, TSA issued two directives with the help of the Cybersecurity and Infrastructure Security Agency (CISA): one in May and another in July.
The first required all critical pipeline owners and operators to disclose any confirmed or potential cyber incidents to CISA. The second required those same owners and operators to develop cybersecurity contingency and recovery plans, conduct cybersecurity architecture reviews, and implement urgent protections against cyber intrusions. DHS Secretary Alejandro Mayorkas mentioned the possibility of similar directives for airlines and trains last month.
The senators want more information about the basis for the directives, as well as any stakeholder consultation for each, how TSA made the decision to designate any or all of the drafts or final security directives as Sensitive Security Information (SSI), and why the final first security directive was not designated SSI. The lawmakers also want to know why the TSA did not share the drafts of the directives with Congress.