The Transportation Security Administration’s (TSA) new cybersecurity rules, designed to replace post-Colonial Pipeline directives, are facing resistance from the natural gas industry.
Pipeline operators are particularly alarmed by provisions requiring detailed disclosures of their cybersecurity measures. At a recent congressional hearing, industry executives voiced concerns about whether the TSA, or any government agency, could securely handle such sensitive information.
This skepticism, encapsulated in remarks by Kimberly Denbow of the American Gas Association, underscores broader tensions between industry stakeholders and regulatory authorities.
“If we’re going to give all of this to TSA for them to hold on to, we might as well just give it to China or to Russia.”
Kimberly Denbow – American Gas Association
As public comments on the proposal remain open until February 5, 2025, the challenge for policymakers is balancing effective cybersecurity with protecting proprietary industry data.
Why It Matters: For CIOs and technology leaders, the TSA’s proposed cybersecurity rules spotlight the growing demand for robust cyber risk management and compliance frameworks in critical infrastructure sectors. These rules challenge organizations to safeguard their operational systems while balancing the risk of exposing sensitive data through regulatory disclosures. Understanding and navigating these evolving mandates is crucial for technology leaders to ensure both compliance and security, especially as cyber threats against critical industries continue to escalate.
- Post-Colonial Pipeline Legacy: The TSA’s proposed cybersecurity regulations are a response to vulnerabilities exposed by the 2021 Colonial Pipeline ransomware attack, which disrupted fuel supplies across the U.S. and highlighted weaknesses in critical infrastructure cybersecurity. These rules seek to formalize temporary directives issued after the incident, emphasizing the need for proactive risk management and consistent defense mechanisms to protect vital sectors like energy and transportation.
- Data Privacy Concerns Among Operators: One of the most contentious aspects of the proposed rules is the requirement for operators to disclose extensive details about their cybersecurity programs. Natural gas companies fear that sharing this information with the TSA or other agencies could expose proprietary systems and sensitive operational details, increasing the risk of leaks or cyberattacks. This distrust in the government’s ability to safeguard such information underscores broader tensions between regulators and the private sector.
- Industry Distrust Amplified by Geopolitical Risks: During a congressional hearing, concerns were raised about potential geopolitical consequences, likening the disclosure requirements to inadvertently handing critical security data to adversarial nations like China or Russia. This sentiment reflects caution that centralized data collection could create a single point of vulnerability, potentially exploited by foreign adversaries or malicious actors targeting U.S. infrastructure.
- Balancing Compliance and Practicality: While the TSA aims to implement performance-based cybersecurity programs, industry leaders emphasize the need for regulations to be both achievable and sustainable. Unrealistic compliance expectations could strain operational budgets and divert resources away from innovative cyber defense measures, ultimately diminishing the overall effectiveness of the regulations.
- Open Dialogue and Regulatory Feedback: With public comments open until February 5, 2025, there is a critical opportunity for stakeholders to shape the final version of the rules. Rep. Carlos Gimenez has advocated for private discussions between regulators and industry operators, free from TSA oversight, to gather unfiltered feedback. This collaborative approach could bridge gaps between regulatory intent and operational realities, fostering trust and better outcomes.
Go Deeper -> TSA Cyber Disclosure Requirements Worry Natural Gas Companies – WSJ
New TSA cyber rules leave lawmakers, industry hopeful for happy medium regulations – NEXTGOV