from the here's-a-bunch-of-copy-pasted-boilerplate-said-TSA-security-experts dept
Formed less than a month after the 9/11 attacks in 2001, the TSA has yet to get a firm grip on “transportation security,” the thing that makes up two-thirds of its acronym. Audit after audit has found TSA screeners are incapable of finding explosives and other dangerous contraband. If auditors can rack up a 90-95% success rate smuggling in explosives, no doubt terrorists can do it, too.
But terrorists haven’t. Why? Because terrorists have better options than hijacking planes, something the TSA admitted years ago but somehow still feels justifies it hoovering up billions in funding every year. The “successes” the TSA tends to tout are its ability to fully participate in asset forfeiture programs and sniff out novelty “weapons” carried by passengers with no terroristic plans or desires.
The TSA doesn’t just handle planes. It also handles other forms of mass transit, including trains and buses. And it’s similarly disinterested in security when handling those vehicles. Most of its time is wasted the same way it’s wasted at airports: looking for cash or things that aren’t actually contraband.
What you may not know is the TSA is also in charge of overseeing the many gas pipelines that cross the nation. True, pipelines do transport stuff, but not the kind of stuff that can be handled in the “fondle your genitals” sort of way TSA agents are used to. The threat to pipelines has mostly been theoretical, which has largely allowed the TSA to do this job without having its failures detailed by journalists and activists.
Since the threat has mostly been theoretical, the TSA has been able to coast along for several years without having its competency questioned or challenged. Unfortunately for the TSA, the threat went from “theoretical” to “incipient” to “underway” when the Colonial Pipeline (which supplies gas to much of the southeast United States) was hit with ransomware, resulting in shutdowns and gas shortages.
Rather than place the cybersecurity of the pipeline (given the hackers had no genitals to be fondled) in the hands of an actual cybersecurity entity (of which the federal government has several), this security job was handed to the least qualified candidate. As Eric Geller reports for Politico, the TSA has approached this new job with the same level of competence it’s approached everything else.
Oil and gas pipeline operators say the TSA’s cyber regulations are full of unwieldy or baffling requirements that could actually jeopardize pipeline safety and fuel supplies. Others in the energy sector, and cyber experts who help defend these systems, agree with these objections and say the TSA’s small cyber team has been overwhelmed by a flood of industry requests for workarounds.
“In every sense, TSA has screwed this up,” said Robert M. Lee, the CEO of Dragos, a cybersecurity firm that works with critical infrastructure companies. “It is a giant cluster and in many ways is a perfect example of what not to do with a regulatory process.”
Now, to be fair, the TSA was incredibly ill-equipped to handle this new directive. Given the heightened threat of Russian cyberattacks following the Russian government’s regular attacks of Ukraine, some agency was going to be saddled with securing pipelines and it sort of made sense to hand it off the entity allegedly handling the physical security of the pipelines.
But the TSA is not only under-equipped to handle this new directive, it has apparently done little to make it better equipped. While TSA officials are currently working with industry reps to iron out the OOPS! ALL WRINKLES rollout of the agency’s apparently copy-pasted security “plan,” the agency apparently only has one official and a handful of part-timers handling questions and applications from pipeline companies attempting to comply with the TSA’s carelessly assembled mandates.
The mandates handed down by the TSA’s cybersecurity team appear to be direct copies of mandates applied to the tech handling the government’s clerical work, rather than the specialized computers and systems that actually control gas pipelines.
In July, the TSA issued rules requiring companies to deploy more than three dozen common cybersecurity defenses, including weekly antivirus scans, prompt security patching, strict firewalls to block malware and adoption of multifactor authentication, a technology that asks users for a second proof of identity in addition to a password, in order to block unauthorized access.
You can’t just apply office software fixes to hardware running on specialized, often proprietary software. The patching demanded by the TSA’s copy-pasted mandates meant companies would need to send people to each physical control box and attempt to do whatever roughly aligned with the TSA directive to comply. And months after this first directive went out, operators are still struggling to carry out the TSA’s mandates.
The TSA has, at least, admitted it has screwed up this cybersecurity rollout. But apologies aren’t going to make pipelines more secure. Counterproductive efforts like these are actually making it more difficult to secure pipelines from cyberattacks. Gas production and transportation are heavily regulated industries and the to-do list for companies is often topped by federal compliance demands. An inadequate, thoroughly inapplicable set of regulatory demands means companies first have to find something that works that is still compliant and then wait around for the TSA’s understaffed pipeline cybersecurity office to institute changes that better reflect the hardware and software being used by oil companies.
Companies want outcome-based targets that allow them to institute fixes that address the end goals without being tied to ridiculous demands like, I don’t know, purchasing the full version of Norton Antivirus. Given what “help” it’s been so far, it makes far more sense for those handling the equipment to figure out how to best secure the equipment. If the TSA wants to blunder in later to spot check things, then I guess it will give those employees something to do that won’t involve separating people from their medical equipment and/or constitutional rights.