WASHINGTON — Fuel pipeline operators must implement new safeguards to better defend against ransomware and other cyberattacks, according to a federal security directive issued Tuesday.

The move, coming two months after the Colonial Pipeline hack, is part of the Biden administration’s efforts to protect critical infrastructure from the growing threat of cybercrime. The security directive issued by the Transportation Security Administration, a unit of Homeland Security, short-circuits the traditional rulemaking process, which is subject to a lengthy public comment process.

“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Homeland Security Secretary Alejandro Mayorkas said in a statement announcing the new rules.

The TSA announcement provides few details on the order or how it will be enforced. Much of it is classified to prevent hackers from learning too much about pipeline operators’ cyber-defenses. It’s unclear whether the directive will include fees for companies that fail to meet standards.

In any case, the announcement gives the TSA a stronger hand in regulating the private-sector entities that are largely responsible for their own cyber-defenses. And it adds to a patchwork of federal agencies that already includes the DHS’s Cybersecurity and Infrastructure Security Agency, the Department of Energy, and the Coast Guard. The FBI also has a new task force meant to go after cybercriminals.

According to the announcement, the TSA will now require owners of important fuel pipelines to implement specific mitigation measures to protect against ransomware attacks. These mitigation measures, which were not detailed in the release, are meant to protect not only the IT systems most commonly targeted by cybercriminals, but also the physical systems that control the flow of fuel. It also requires pipeline operators to review their IT infrastructure and develop plans for how to respond to a hack.


The regulation in and of itself is not a silver bullet, said one U.S. official, who spoke on the condition of anonymity to discuss regulation that is not public. However, the official said, implementing regulation through a security directive as opposed to a traditional rulemaking with public notice and a comment period is “tricky” because the agency must justify it as “immediately needed to protect the security of the sector” or risk litigation.

“It’s as good and robust and forward-leaning as it could be given the instrument [the agency is] working with,” the official said.

In May, the Colonial Pipeline was knocked off line after a brazen ransomware attack, setting off days of panic buying. The massive network, which supplies the East Coast with 45 percent of its fuel, was taken down after a hacker group known as DarkSide infiltrated the Georgia-based company’s servers and encrypted its data, demanding a fee to restore access. Several cybersecurity experts said the incident was the biggest known cyberattack on U.S. energy infrastructure.

— — —

The Washington Post’s Ellen Nakashima contributed to this report.