Securing the Surface: TSA’s Role in Pipeline and Transportation Security with Sonya Proctor
Season 1 Episode 44 • Show Notes
In this episode of Cyber Focus, host Frank Cilluffo sits down with Sonya Proctor, Assistant Administrator for Surface Operations at TSA (Transportation Security Administration). Proctor discusses TSA’s evolving role in securing pipelines and other surface transportation sectors, emphasizing the agency’s expanded cybersecurity focus following the Colonial Pipeline ransomware attack. The conversation delves into TSA’s partnerships with industry, other federal agencies, and state and local law enforcement to enhance critical infrastructure protection, as well as the challenges and opportunities in integrating physical and cyber security efforts.
Main Topics Covered:
- TSA’s role in pipeline and surface transportation security
- The Colonial Pipeline ransomware attack and its impact
- Integration of physical and cyber security for critical infrastructure
- Collaborations with federal and industry partners
- Challenges with operational technology (OT)
Key Quotes:
“[The general public does] not typically think of TSA as having a role for pipeline security. And actually, TSA’s role in pipeline security goes back to the beginning of TSA.” – Sonya Proctor
“I have no question that we are in this together. This is one fight. Because this threat is unlike anything they’ve ever seen before.” – Sonya Proctor
“Our resources will grow along with the threat… They have to.” – Sonya Proctor
“I was fortunate to have a relationship with [Colonial Pipeline] and to be able to communicate with them and to be able to get information from them that we were then able to share with other companies.” – Sonya Proctor
“We have provided classified briefings to more operators than ever in the history of TSA… it was important for us to make sure that they understood the threat.” – Sonya Proctor
Relevant Links and Resources:
Guest Bio: Sonya Proctor is the Assistant Administrator for Surface Operations at TSA, overseeing the security of pipelines, mass transit, freight rail, and highways. She previously served as Director of the Surface Division in Policy, Plans, and Engagement, and Deputy Federal Security Director at Ronald Reagan Washington National Airport. Proctor started her law enforcement career with the Washington, D.C. Metropolitan Police Department and also served as Chief of Police for the Amtrak Police Department.
Transcript
1
00:00:00,240 –> 00:00:05,960
Frank Cilluffo: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping
2
00:00:06,040 –> 00:00:10,232
Frank Cilluffo: and defending our digital world. I’m your host, Frank Cilluffo, and this week have the
3
00:00:10,256 –> 00:00:17,352
Frank Cilluffo: privilege to sit down with Sonya Proctor. Sonya is the Assistant Administrator at TSA, or
4
00:00:17,376 –> 00:00:26,840
Frank Cilluffo: the Transportation Security Administration for surface operations. Basically everything TSA does but aviation security. So
5
00:00:26,880 –> 00:00:34,570
Frank Cilluffo: responsible for mass transit, freight rail, highways, and what we’ll discuss most today, pipelines.
6
00:00:38,750 –> 00:00:42,518
Frank Cilluffo: Sonya, thank you for joining us today. It’s a real privilege to have you. You’ve
7
00:00:42,534 –> 00:00:48,502
Frank Cilluffo: spent 25 years prior to your TSA role in senior positions in law enforcement, including
8
00:00:48,606 –> 00:00:53,902
Frank Cilluffo: here in our city of Washington, D.C. MPD. So thank you for joining us today.
9
00:00:54,046 –> 00:00:58,334
Sonya Proctor: Thanks so much for having me, Frank. This is a great opportunity. Well, we’re privileged
10
00:00:58,382 –> 00:01:03,582
Frank Cilluffo: to have you. And I thought we could maybe start with, I think until, what
11
00:01:03,606 –> 00:01:09,550
Frank Cilluffo: was it, 2021 when Colonial Pipeline hit, I don’t think most Americans were aware that
12
00:01:09,670 –> 00:01:16,302
Frank Cilluffo: TSA played a significant role in cybersecurity. And I’d be curious if you can maybe
13
00:01:16,366 –> 00:01:22,184
Frank Cilluffo: just paint a picture and then we’ll go deep into Colonial Pipeline. But first, TSA’s
14
00:01:22,232 –> 00:01:28,488
Frank Cilluffo: role. Sure. And I think you’re right. Most Americans think of TSA as the people
15
00:01:28,544 –> 00:01:34,664
Sonya Proctor: at the checkpoint in the airport. And if they thought anything about TSA outside of
16
00:01:34,672 –> 00:01:39,592
Sonya Proctor: the airport, they might have thought about mass transit. But by the way, you were
17
00:01:39,616 –> 00:01:44,200
Frank Cilluffo: also head of security at Amtrak, right? Correct? Yeah. That they might also. Yes. So
18
00:01:44,240 –> 00:01:50,444
Sonya Proctor: when I was the chief of police at Amtrak, they. They did associate passenger rail,
19
00:01:50,572 –> 00:01:55,292
Sonya Proctor: mass transit. If TSA has any role outside of the airport, it would probably be
20
00:01:55,316 –> 00:02:03,240
Sonya Proctor: there. They do not typically think of TSA as having a role for pipeline security.
21
00:02:04,180 –> 00:02:11,036
Sonya Proctor: And actually, TSA’s role in pipeline security goes back to the beginning of TSA. And
22
00:02:11,108 –> 00:02:19,920
Sonya Proctor: if you recall, when TSA stood up, it really took from the Department of Transportation
23
00:02:20,000 –> 00:02:29,888
Sonya Proctor: the security aspect of oversight of the transportation modes. So FAA, that
24
00:02:29,944 –> 00:02:37,952
Sonya Proctor: security focus, transfer to TSA, FRA, FTA, all of those pieces. But they don’t think
25
00:02:37,976 –> 00:02:47,850
Sonya Proctor: about pipelines. Exactly. PHMSA has primarily the safety focus for pipelines, and TSA has
26
00:02:47,890 –> 00:02:56,234
Sonya Proctor: the security focus for pipelines. So back when TSA stood up, there was some direction
27
00:02:56,282 –> 00:03:03,786
Sonya Proctor: from Congress about looking at the top, what they called the top 100 pipelines and
28
00:03:03,858 –> 00:03:10,458
Sonya Proctor: conducting some assessments on them. And so that was one of the first things that
29
00:03:10,594 –> 00:03:19,674
Sonya Proctor: TSA did in the. In the pipeline arena. We conducted some assessments on roughly the
30
00:03:19,762 –> 00:03:25,670
Sonya Proctor: top 100 pipelines at the time. There’s been a lot of change in ownerships and
31
00:03:26,450 –> 00:03:35,036
Sonya Proctor: mergers and acquisitions kind of changed that ranking. But to kind of take TSA’s role
32
00:03:35,108 –> 00:03:43,436
Sonya Proctor: back to the beginning, that’s around 2003. Wow. And after that, TSA maintained a relationship
33
00:03:43,468 –> 00:03:51,260
Sonya Proctor: with the pipeline community and started offering what we call. We now call structured oversight,
34
00:03:51,420 –> 00:04:01,210
Sonya Proctor: which was then called voluntary programs. And these programs included corporate security reviews, and they
35
00:04:01,250 –> 00:04:08,234
Sonya Proctor: grew into critical facility security reviews, which are the reviews in the field of field
36
00:04:08,322 –> 00:04:17,034
Sonya Proctor: assets. So our relationship with pipeline goes back 20 years. Awesome. Yeah. And to the
37
00:04:17,042 –> 00:04:25,050
Frank Cilluffo: very standup of TSA. Absolutely. So I’d be curious. I mean, I think it’s fair
38
00:04:25,090 –> 00:04:30,778
Frank Cilluffo: to say that Colonial Pipeline was a watershed event, and it brought to the average
39
00:04:30,874 –> 00:04:37,302
Frank Cilluffo: citizen in our great country awareness around some of these issues. Can you sort of
40
00:04:37,486 –> 00:04:42,486
Frank Cilluffo: go back if you can roll back the tape a little bit, as George Michael
41
00:04:42,518 –> 00:04:48,086
Frank Cilluffo: used to say in D.C. and take a look at where we were at that
42
00:04:48,158 –> 00:04:57,090
Frank Cilluffo: time and how you thought it played out. So Colonial happened in May of 2021.
43
00:04:57,720 –> 00:05:06,608
Sonya Proctor: But prior to that, we had already started our focus on cybersecurity. In 2019, we
44
00:05:06,664 –> 00:05:11,696
Sonya Proctor: started our, what we call PSAT teams, Pipeline Security Assessment teams. Not to be confused
45
00:05:11,728 –> 00:05:21,180
Frank Cilluffo: with the PSATs as. Correct. So we had 20 members that were broken up into
46
00:05:21,720 –> 00:05:29,854
Sonya Proctor: our PSAT teams. And when we made a decision to establish these teams so that
47
00:05:29,862 –> 00:05:38,414
Sonya Proctor: we could focus our efforts on pipeline, both physical and cyber, this was before any
48
00:05:38,502 –> 00:05:47,406
Sonya Proctor: of the hyper focus that came along with the major ransomware attack. And these individuals,
49
00:05:47,598 –> 00:05:52,142
Sonya Proctor: we set up a great training regimen for them. We work with Idaho National Labs
50
00:05:52,206 –> 00:05:58,350
Sonya Proctor: to help them get a good security focus in cyber. We had them work with
51
00:05:58,390 –> 00:06:06,734
Sonya Proctor: some of our pipeline partners to help them gain more experience in physical security. So
52
00:06:06,742 –> 00:06:13,630
Sonya Proctor: these teams were already in place, and we had actually started doing what we then
53
00:06:13,670 –> 00:06:19,406
Sonya Proctor: called architectural design reviews. We did our first one, actually. I think it was around
54
00:06:19,478 –> 00:06:26,972
Sonya Proctor: 2018. Wow. Okay. So that actually was the start of the PSAT teams there. And
55
00:06:27,076 –> 00:06:34,040
Sonya Proctor: by having those teams in place, by the time we had this major cyber attack,
56
00:06:34,820 –> 00:06:42,764
Sonya Proctor: ransomware attack, on what I refer to as a major pipeline company, our PSAT teams,
57
00:06:42,812 –> 00:06:48,990
Sonya Proctor: thankfully, were in place. Jumped in. Yeah. And they were able to help us make
58
00:06:49,030 –> 00:06:53,214
Sonya Proctor: sure that we were getting information out to other pipeline companies. That was one of
59
00:06:53,222 –> 00:06:58,062
Sonya Proctor: the most important things for us to do to make sure that we were sharing
60
00:06:58,126 –> 00:07:05,918
Sonya Proctor: the information that we obtained and that we learned from the company as they were
61
00:07:05,974 –> 00:07:13,278
Sonya Proctor: working through this attack. I was fortunate to have a relationship with the company and
62
00:07:13,334 –> 00:07:18,112
Sonya Proctor: to be able to communicate with them and to be able to get information from
63
00:07:18,136 –> 00:07:23,328
Sonya Proctor: them that we were then able to share with other companies. And I think that’s
64
00:07:23,424 –> 00:07:28,624
Frank Cilluffo: so essential. I mean, anyone in the law enforcement business knows trust is the coin
65
00:07:28,672 –> 00:07:33,616
Frank Cilluffo: of the realm. Everything hinges upon that. And if you don’t have. If you’re exchanging
66
00:07:33,648 –> 00:07:37,920
Frank Cilluffo: business cards when the bomb goes off or something bad happens, that’s a pretty bad
67
00:07:37,960 –> 00:07:42,608
Frank Cilluffo: situation to be in. Right. You’re lost. Yeah, you’re. You’re already lost before you start.
68
00:07:42,664 –> 00:07:47,896
Frank Cilluffo: Yes. And. And I do think that that is important. And. And I like the
69
00:07:47,968 –> 00:07:54,792
Frank Cilluffo: concept around physical and cyber. I have a very difficult time discerning what is physical
70
00:07:54,856 –> 00:08:00,120
Frank Cilluffo: inside because they’re converging so rapidly so quickly. And I think that that is an
71
00:08:00,160 –> 00:08:06,440
Frank Cilluffo: important element to look at it in its totality. And it sounds like that was
72
00:08:06,480 –> 00:08:10,792
Frank Cilluffo: part of the mindset and the ethos of some of your efforts. Is that fair?
73
00:08:10,896 –> 00:08:17,584
Sonya Proctor: It was, and it’s grown since then. We really do recognize the connection between physical
74
00:08:17,632 –> 00:08:26,048
Sonya Proctor: and cyber. Physical attacks can have an impact on cyber and vice versa. So we
75
00:08:26,104 –> 00:08:33,952
Sonya Proctor: recognize that, and we do address both. In industry, sometimes you’ve got people who focus
76
00:08:34,056 –> 00:08:43,036
Sonya Proctor: primarily on physical CSO or a CISO. Exactly. And most of their cyber individuals have
77
00:08:43,108 –> 00:08:49,740
Sonya Proctor: a high degree of training, lots of experience, so their focus is usually primarily on
78
00:08:49,780 –> 00:08:57,740
Sonya Proctor: the cyber piece. But we keep our focus on both because we know that a
79
00:08:57,780 –> 00:09:02,252
Sonya Proctor: successful physical attack on a cyber infrastructure will have the same impact. Could have the
80
00:09:02,276 –> 00:09:07,836
Sonya Proctor: same impact either way. You could be without this critical asset. And that’s what we’re
81
00:09:07,868 –> 00:09:15,132
Sonya Proctor: concerned about, you know, going back to Colonial Pipeline just quickly. I think it was
82
00:09:15,156 –> 00:09:19,532
Frank Cilluffo: Winston Churchill who said, never let a good crisis go to waste. What were some
83
00:09:19,556 –> 00:09:23,292
Frank Cilluffo: of the initial lessons we learned, and what does it mean for some of our
84
00:09:23,316 –> 00:09:29,276
Frank Cilluffo: activities? Kind of TSA’s activities going forward in terms of working with, what is it?
85
00:09:29,348 –> 00:09:38,614
Frank Cilluffo: Approximately 3,000 pipeline companies in the U.S. approximately 3,000. And currently, based on that ransomware
86
00:09:38,662 –> 00:09:48,598
Sonya Proctor: attack, TSA issued security directives. The administrator used his authority, his unique authority, to
87
00:09:48,654 –> 00:09:58,530
Sonya Proctor: issue security directives, which are regulatory documents to address this imminent threat
88
00:09:58,830 –> 00:10:07,804
Sonya Proctor: to pipelines. That group that is covered by the security directives is a much smaller
89
00:10:07,852 –> 00:10:14,780
Sonya Proctor: group. We use the number roughly around 100. Okay. And those companies are the ones
90
00:10:14,860 –> 00:10:22,812
Sonya Proctor: who have the most impact on national security, our national economy, and in our way
91
00:10:22,836 –> 00:10:29,548
Sonya Proctor: of life. So, you know, we look at those in a slightly different way. They
92
00:10:29,604 –> 00:10:35,552
Sonya Proctor: are regulated in a way that the remainder are not. Now, it doesn’t mean that
93
00:10:35,576 –> 00:10:45,260
Sonya Proctor: we don’t take the same approach with the other 2,900, because we issue something
94
00:10:45,880 –> 00:10:51,616
Sonya Proctor: similar to those security directives, except they don’t have the regulatory impact and they don’t
95
00:10:51,648 –> 00:10:57,952
Sonya Proctor: have. The resources necessarily in the same way. Correct, Correct. They don’t always have the
96
00:10:57,976 –> 00:11:04,282
Sonya Proctor: resources, but we give them the same guidance. And instead of it being called a
97
00:11:04,306 –> 00:11:11,658
Sonya Proctor: security directive, we call it a security circular. Okay, so it’s not regulatory, it’s not
98
00:11:11,714 –> 00:11:16,890
Sonya Proctor: enforceable. But we want to make sure that we are sharing with them what we
99
00:11:16,930 –> 00:11:24,330
Sonya Proctor: have learned about how they can better protect themselves against the major cyber threats. Which
100
00:11:24,370 –> 00:11:31,832
Frank Cilluffo: is essential because local. I mean, as we know in the counterterrorism business, all crime
101
00:11:31,896 –> 00:11:35,960
Frank Cilluffo: is local, all threats are local. And at the end of the day, you need
102
00:11:36,000 –> 00:11:41,000
Frank Cilluffo: to make sure that the women and men on the very front lines are aware.
103
00:11:41,080 –> 00:11:47,208
Frank Cilluffo: I’d be curious. Are you concerned in a post Chevron environment that the ruling could
104
00:11:47,264 –> 00:11:52,856
Frank Cilluffo: be sort of questioned or held up, or do you feel like you built the
105
00:11:53,008 –> 00:12:01,688
Frank Cilluffo: partnerships with some of the pipeline companies that maybe it withstands? We have incredible partnerships
106
00:12:01,864 –> 00:12:07,032
Sonya Proctor: and you do. I’ve heard this from the pipeline companies and associations. I’ve recently testified
107
00:12:07,096 –> 00:12:14,180
Frank Cilluffo: with one, I think. And we have worked hard to earn that trust. So despite
108
00:12:15,120 –> 00:12:24,724
Sonya Proctor: any decisions, any court decisions, these operators understand the threat. We have provided classified briefings
109
00:12:24,872 –> 00:12:32,924
Sonya Proctor: to more operators than ever in the history of TSA. We have had classified briefings
110
00:12:33,052 –> 00:12:38,316
Sonya Proctor: with certainly there at TSA, at the Office of the Director of National Intelligence. We’ve
111
00:12:38,348 –> 00:12:44,236
Sonya Proctor: had briefings at FBI. So it was important for us to make sure that they
112
00:12:44,308 –> 00:12:50,060
Sonya Proctor: understood the threat. Absolutely. And we knew that once they understood the threat, they’d take
113
00:12:50,100 –> 00:12:56,010
Sonya Proctor: action, that this would be something that they would follow through on. We are in
114
00:12:56,050 –> 00:13:04,842
Sonya Proctor: this together, and I meet regularly with the pipeline industry and we have very open,
115
00:13:05,026 –> 00:13:12,282
Sonya Proctor: transparent discussions. And I like to think that’s part of how we have earned our
116
00:13:12,306 –> 00:13:22,244
Sonya Proctor: trust in this community. The threat is unlike any cyber threat that
117
00:13:22,252 –> 00:13:30,740
Sonya Proctor: we have faced in recent times. Last week, the Department of Homeland Security published its
118
00:13:30,780 –> 00:13:38,052
Sonya Proctor: Homeland Threat Assessment. I made a note on that. I want to share this because
119
00:13:38,076 –> 00:13:47,090
Sonya Proctor: I think it’s really important. It’s the 2025 Homeland DHS Homeland Threat Assessment. It’s online,
120
00:13:47,210 –> 00:13:50,242
Sonya Proctor: so it is available publicly. And I really. And we’ll make it available in our
121
00:13:50,266 –> 00:13:55,010
Frank Cilluffo: show notes. Good. I really do recommend that people take a look at this. And
122
00:13:55,050 –> 00:14:03,090
Sonya Proctor: under Critical Infrastructure Security, there’s a specific piece and I think this is so important
123
00:14:03,210 –> 00:14:12,144
Sonya Proctor: for us and for critical infrastructure owners and operators. And it says disruptive and destructive
124
00:14:12,282 –> 00:14:18,740
Sonya Proctor: cyber attacks targeting critical infrastructure. That’s kind of the subtitle there the People’s Republic of
125
00:14:18,780 –> 00:14:28,100
Sonya Proctor: China state sponsored cyber actors have pre positioned cyber exploitation and attack
126
00:14:28,220 –> 00:14:38,142
Sonya Proctor: capabilities for disruptive or destructive cyber attacks against U.S. critical infrastructure in
127
00:14:38,166 –> 00:14:44,430
Sonya Proctor: the event of a major crisis or conflict. With the US which is very bold
128
00:14:44,510 –> 00:14:51,310
Frank Cilluffo: and very strong and in a post Volt Typhoon environment should be that wake up
129
00:14:51,350 –> 00:15:00,974
Frank Cilluffo: call. Yes, absolutely. To have this in a document, having an intelligence agency to provide
130
00:15:01,062 –> 00:15:09,032
Sonya Proctor: this information, it is telling you how significant this is. But to speak of a
131
00:15:09,056 –> 00:15:18,472
Sonya Proctor: nation state adversary having pre positioned capabilities is pretty significant. So if you’ve looked at
132
00:15:18,496 –> 00:15:24,696
Sonya Proctor: any of the advisories about living off the land about Volt Typhoon, then you understand
133
00:15:24,848 –> 00:15:32,798
Sonya Proctor: what that means. Essentially that they’re sleeping in the systems. And in April of this
134
00:15:32,854 –> 00:15:40,958
Sonya Proctor: year, in one of the interviews that FBI Director Wray had at Vanderbilt University, he
135
00:15:41,014 –> 00:15:47,742
Sonya Proctor: spoke about the Chinese Communist Party and said the immense size and expanding nature of
136
00:15:47,766 –> 00:15:56,836
Sonya Proctor: the Chinese Communist Party’s hacking program isn’t just aimed at stealing America’s intellectual property.
137
00:15:57,028 –> 00:16:03,620
Sonya Proctor: It’s using that mass, those numbers to give itself the ability to physically wreak havoc
138
00:16:03,780 –> 00:16:11,076
Sonya Proctor: on our critical infrastructure at a time of its choosing. Yeah, yeah. He spoke about
139
00:16:11,148 –> 00:16:20,420
Sonya Proctor: pre positioning that we now know occurred in 2011 targeting 23 different pipeline companies. Wow.
140
00:16:20,500 –> 00:16:26,518
Frank Cilluffo: Wow. So I mean we recently had Dave Luber on who talked about living off
141
00:16:26,574 –> 00:16:34,582
Frank Cilluffo: the land at NSA and I think that the reality is if you can exploit,
142
00:16:34,646 –> 00:16:41,702
Frank Cilluffo: you can attack if the intent is there. And the fact that they publicly identified
143
00:16:41,846 –> 00:16:48,854
Frank Cilluffo: pipeline companies, that’s a pretty significant statement. I didn’t catch that part. So that’s a
144
00:16:48,862 –> 00:16:53,578
Frank Cilluffo: pretty big deal. And it’s a pretty big deal and it’s not one that has
145
00:16:53,634 –> 00:17:02,150
Sonya Proctor: been ignored by our pipeline owners and operators. So assuming that the
146
00:17:03,250 –> 00:17:10,426
Frank Cilluffo: need to build resilience into our pipelines is at the very top of the list
147
00:17:10,498 –> 00:17:16,234
Frank Cilluffo: because basically if you’re owned, you’ve got to at least minimize the consequence and impact
148
00:17:16,322 –> 00:17:24,678
Frank Cilluffo: of a potential attack. Absolutely. And our goal as a sector risk management agency is
149
00:17:24,734 –> 00:17:33,974
Sonya Proctor: to create a resilient transportation critical infrastructure community that in light of these
150
00:17:34,062 –> 00:17:41,382
Sonya Proctor: facts is positioned to continue critical support to national security, to the nation’s economy and
151
00:17:41,406 –> 00:17:49,400
Sonya Proctor: to our way of life. And say things do pop in Taiwan and
152
00:17:50,900 –> 00:17:57,052
Frank Cilluffo: clearly we’ll be looking for indicators in advance, would this be something you see working
153
00:17:57,156 –> 00:18:02,188
Frank Cilluffo: hand in glove with industry? Would you be in a combined SOC or would this
154
00:18:02,244 –> 00:18:08,972
Frank Cilluffo: be sort of pick up the phone which is going at pre cyberspeed? How would
155
00:18:08,996 –> 00:18:13,742
Frank Cilluffo: you envision this playing out in the event something goes south? This would be one
156
00:18:13,766 –> 00:18:22,942
Sonya Proctor: of the most collaborative ever. Exactly. It would be intel agencies, it would be the
157
00:18:22,966 –> 00:18:31,438
Sonya Proctor: FBI in addition to its intel, the investigative perspective, because they conduct the investigations for
158
00:18:31,494 –> 00:18:39,694
Sonya Proctor: cyber security events. It would be CISA and the expertise that they bring to cybersecurity
159
00:18:39,742 –> 00:18:47,306
Sonya Proctor: and infrastructure security in terms of threat hunting and being able to identify intrusions into
160
00:18:47,378 –> 00:18:53,130
Sonya Proctor: systems. Certainly it would be with operators to make sure that they know what we
161
00:18:53,170 –> 00:18:59,834
Sonya Proctor: know. And that’s important because. Absolutely. You need a rich picture. The Brits call their
162
00:19:00,002 –> 00:19:04,058
Frank Cilluffo: intelligent. You need the rich picture to be able to make those decisions. And private
163
00:19:04,114 –> 00:19:08,122
Frank Cilluffo: sector is on the front lines here, and we want to make. Sure that they
164
00:19:08,146 –> 00:19:13,750
Sonya Proctor: have the information so that they can better protect themselves. And we believe that the
165
00:19:13,790 –> 00:19:20,374
Sonya Proctor: guidance, the direction that’s been included in the security directives is one of the best
166
00:19:20,462 –> 00:19:29,558
Sonya Proctor: ways to potentially minimize the impact if there is a successful attack. We’re not naive
167
00:19:29,734 –> 00:19:36,410
Sonya Proctor: and we’re talking about. Everything everywhere, all the time. They are committed, they are persistent,
168
00:19:36,910 –> 00:19:43,512
Sonya Proctor: and they have capability. So is it possible that one of these companies will be
169
00:19:43,536 –> 00:19:49,480
Sonya Proctor: a successful target? That’s always possible. It’s inevitable. But that doesn’t mean game over. But
170
00:19:49,520 –> 00:19:54,136
Sonya Proctor: we believe that if they have applied the measures that we’ve identified in the security
171
00:19:54,208 –> 00:20:01,304
Sonya Proctor: directives, that they will be less likely to be completely disabled as a result of
172
00:20:01,312 –> 00:20:06,688
Sonya Proctor: an attack. And we believe that they will be in a position because of the
173
00:20:06,744 –> 00:20:13,920
Sonya Proctor: preparation, the advanced preparation, to be resilient, that they will be able to resume a
174
00:20:13,960 –> 00:20:20,080
Sonya Proctor: necessary level of operation. Because remember, if they’re under the security directives, they have a
175
00:20:20,120 –> 00:20:26,700
Sonya Proctor: national security responsibility. Absolutely. Absolutely. That’s not optional for them to be out of business.
176
00:20:27,080 –> 00:20:34,642
Frank Cilluffo: You mentioned CISA. I would like to have a short discussion around how you collaborate
177
00:20:34,706 –> 00:20:41,330
Frank Cilluffo: with the, I mean, this endearingly, the Alphabet Soup of Washington, D.C. whether it’s FBI
178
00:20:41,410 –> 00:20:48,210
Frank Cilluffo: on the law enforcement side, the Cybersecurity Collaboration Center at Fort Meade, and NSA on
179
00:20:48,250 –> 00:20:55,634
Frank Cilluffo: some of the overseas. And clearly CISA within the Department of Homeland Security, which TSA
180
00:20:55,682 –> 00:21:00,430
Frank Cilluffo: is part of. And while we’re at it, let’s talk CESER as well. Sort of.
181
00:21:00,970 –> 00:21:06,574
Frank Cilluffo: Correct. So can you help us paint that picture? Little bit. And where TSA fits
182
00:21:06,622 –> 00:21:14,542
Frank Cilluffo: into all of. That in terms of protecting critical infrastructure? It’s one picture. It’s a
183
00:21:14,566 –> 00:21:21,214
Sonya Proctor: window with lots of panes in it. We all work together. You can pull anyone
184
00:21:21,262 –> 00:21:26,510
Sonya Proctor: from those agencies. We all know one another. Absolutely. We all communicate, and we all
185
00:21:26,550 –> 00:21:33,072
Sonya Proctor: communicate with our industry partners. So all of us are in the same position in
186
00:21:33,096 –> 00:21:38,352
Sonya Proctor: terms of understanding the nature of this threat. And it’s Unlike any threat we have
187
00:21:38,376 –> 00:21:44,560
Sonya Proctor: ever seen before. And that means that it is incumbent upon us as federal agencies
188
00:21:44,720 –> 00:21:50,992
Sonya Proctor: to be coordinated, to be communicating with each other, to be sharing information, all in
189
00:21:51,016 –> 00:21:58,264
Sonya Proctor: the interest of first, hopefully preventing an attack and secondly, if an attack does occur,
190
00:21:58,432 –> 00:22:03,976
Sonya Proctor: to be able to help mitigate the impact of that attack. And when I think
191
00:22:04,048 –> 00:22:11,368
Frank Cilluffo: of the Department of Homeland Security, you also have lessons that can be gleaned in
192
00:22:11,424 –> 00:22:17,320
Frank Cilluffo: responding to what we’re seeing today, horrific hurricanes. And I think that is part of
193
00:22:17,360 –> 00:22:23,672
Frank Cilluffo: that. The DNA and the ethos that TSA can bring to this fight. Yes. Is
194
00:22:23,696 –> 00:22:31,550
Frank Cilluffo: that fair? Absolutely. And it can be a weather related event like the hurricanes that
195
00:22:32,570 –> 00:22:39,506
Sonya Proctor: our colleagues are struggling with in the south and southeast right now, the second hurricane
196
00:22:39,538 –> 00:22:46,114
Sonya Proctor: in two weeks that has its own impact. On critical infrastructure, so massive regional and
197
00:22:46,282 –> 00:22:53,106
Frank Cilluffo: nationally. So that is something that we monitor very carefully in every mode of transportation,
198
00:22:53,218 –> 00:23:01,012
Sonya Proctor: whether it’s airports, airlines, pipelines, mass transit, freight, rail. All of them are impacted when
199
00:23:01,036 –> 00:23:08,020
Sonya Proctor: we have a significant weather event. And not to be trite, but I’ve often said
200
00:23:08,060 –> 00:23:15,172
Frank Cilluffo: that policy without resources is sometimes rhetoric. Do you have the resources you need to
201
00:23:15,196 –> 00:23:23,006
Frank Cilluffo: get the job done? Would you like to see those growing? Our resources will grow
202
00:23:23,158 –> 00:23:29,150
Sonya Proctor: along with the threat. I’m confident. They have to, right? They have to. As we
203
00:23:29,190 –> 00:23:38,350
Sonya Proctor: stand now, we are resourced to conduct the work that we’re doing with our pipeline
204
00:23:38,430 –> 00:23:45,902
Sonya Proctor: partners. We have regular engagements with them because of the security directives. We also have
205
00:23:45,926 –> 00:23:53,458
Sonya Proctor: a responsibility to conduct inspections to ensure that they are actually complying with the requirements
206
00:23:53,634 –> 00:24:01,202
Sonya Proctor: in the security directives to ensure that they are developing the necessary plans that are
207
00:24:01,226 –> 00:24:07,154
Sonya Proctor: required by the security directives. They’re required to have critical incident response plans. They’re required
208
00:24:07,202 –> 00:24:14,034
Sonya Proctor: to have what we call a cybersecurity assessment plan, which is actually their own assessment
209
00:24:14,082 –> 00:24:19,616
Sonya Proctor: of their original plan. So it’s a self assessment that they have to do. They’re
210
00:24:19,648 –> 00:24:23,504
Frank Cilluffo: going to know their systems better than anyone from the outside, but they. Have to
211
00:24:23,512 –> 00:24:30,080
Sonya Proctor: share that with us. Are there lessons that others could learn for other, whether it’s
212
00:24:30,160 –> 00:24:37,712
Frank Cilluffo: sector risk management agencies or other critical infrastructures, anything that from the security directives that
213
00:24:37,736 –> 00:24:43,242
Frank Cilluffo: you think can be applied to other sectors or is it unique to pipeline? I
214
00:24:43,266 –> 00:24:51,482
Sonya Proctor: don’t think it’s unique to pipelines. I think the biggest lesson that we’ve learned and
215
00:24:51,506 –> 00:25:01,498
Sonya Proctor: that others can learn is communicate early and often. Transparency works because if you share
216
00:25:01,554 –> 00:25:07,754
Sonya Proctor: the information and industry understands what the issue really is, they’ll do it. They’re patriotic.
217
00:25:07,802 –> 00:25:13,806
Sonya Proctor: You’re in it together. Yep. I have no question that we are in this together.
218
00:25:13,878 –> 00:25:21,422
Sonya Proctor: This is one fight. Because this threat is unlike anything they’ve ever seen before and
219
00:25:21,446 –> 00:25:29,870
Sonya Proctor: they understand the impact. Yeah, yeah. And sort of stepping back into your old role
220
00:25:29,990 –> 00:25:36,526
Frank Cilluffo: of Now, D.C. is a major metropolitan city, obviously, but where do you see state,
221
00:25:36,598 –> 00:25:42,710
Frank Cilluffo: local, tribal, territorial. Where do you see law enforcement fitting into this equation? And for
222
00:25:42,750 –> 00:25:47,318
Frank Cilluffo: transparency and a bit of an infomercial, we do some work through the Secret Service
223
00:25:47,374 –> 00:25:52,582
Frank Cilluffo: and the National Cyber Forensics Institute, which is purely focused on SLTT. But I’d be
224
00:25:52,606 –> 00:25:57,558
Frank Cilluffo: curious, how do we get those women and men on the front line to be
225
00:25:57,614 –> 00:26:01,974
Frank Cilluffo: part of this solutions or a bigger part of the solution set? I think they’re
226
00:26:02,022 –> 00:26:06,512
Sonya Proctor: definitely a part of the solution set here. And one of the things, when we
227
00:26:06,536 –> 00:26:13,760
Sonya Proctor: talk to industry, we talk about building those partnerships locally, the reality is if they
228
00:26:13,800 –> 00:26:19,232
Sonya Proctor: have an event, particularly a physical event at their facility, the first people that are
229
00:26:19,256 –> 00:26:22,752
Sonya Proctor: going to be there are going to be their local law enforcement. Always. Or a
230
00:26:22,776 –> 00:26:27,056
Frank Cilluffo: paramedic or a firefighter. Yes. But they’re going to be the locals. Prevent a responder.
231
00:26:27,088 –> 00:26:31,632
Frank Cilluffo: Yep. So that’s a relationship that they need to have. That relationship needs to be
232
00:26:31,656 –> 00:26:34,960
Sonya Proctor: in place. I always call it the best cup of coffee you can have every
233
00:26:35,000 –> 00:26:42,528
Sonya Proctor: month. If you’re having a meeting with the chief or with your local commander, that’s
234
00:26:42,544 –> 00:26:48,544
Sonya Proctor: a relationship that’s really critical. And when we talk about physical security, those are going
235
00:26:48,552 –> 00:26:53,740
Sonya Proctor: to be the first ones there. So I think there is clearly a role, but
236
00:26:54,040 –> 00:27:01,412
Sonya Proctor: there’s a mutual responsibility there. And we encourage operators to get out. And if, if
237
00:27:01,436 –> 00:27:05,572
Sonya Proctor: the local law enforcement hasn’t reached out to you, don’t be shy, go reach out
238
00:27:05,596 –> 00:27:09,428
Sonya Proctor: to them. Yeah, well said. And invite them in. Invite them in, Let them tour
239
00:27:09,484 –> 00:27:15,188
Sonya Proctor: your property, help them understand what’s really critical on that property so that if they
240
00:27:15,244 –> 00:27:18,676
Sonya Proctor: end up getting a call there at 3:00 in the morning, they know what they’re
241
00:27:18,708 –> 00:27:23,732
Sonya Proctor: looking at. Exactly. They know what they know what they should be particularly interested in
242
00:27:23,836 –> 00:27:26,724
Sonya Proctor: if they’re responding there at 3 o’clock in the morning and you don’t want to
243
00:27:26,732 –> 00:27:30,632
Sonya Proctor: be the one who’s standing on the other side of the yellow tape. 10. Because
244
00:27:30,656 –> 00:27:34,712
Sonya Proctor: they don’t know who you are. Absolutely. And I think that is one of the
245
00:27:34,736 –> 00:27:41,240
Frank Cilluffo: big lessons we learned post 9/11 is I just feel like it hasn’t fully translated
246
00:27:41,320 –> 00:27:48,392
Frank Cilluffo: in cyber in part because you’ve got responsibilities that are not always shared by the
247
00:27:48,416 –> 00:27:53,352
Frank Cilluffo: same individuals. In terms of. We talked about the separation between if you look, in
248
00:27:53,376 –> 00:27:58,728
Frank Cilluffo: a corporate setting, sometimes you’ll have a chief security officer, chief information security officer, chief
249
00:27:58,784 –> 00:28:06,728
Frank Cilluffo: risk officer, and rarely do they all sort of come together. But I think going
250
00:28:06,864 –> 00:28:13,080
Frank Cilluffo: forward, the essential nature of, of, of all of that is, is tantamount. It’s, it’s
251
00:28:13,160 –> 00:28:19,224
Frank Cilluffo: should be priority 1, 2, 3, I think, and I think TSA is well positioned
252
00:28:19,352 –> 00:28:25,352
Frank Cilluffo: to drive that, just given the mission set. And, you know, because TSA has so
253
00:28:25,376 –> 00:28:32,404
Sonya Proctor: many former law enforcement people there, we do encourage building those relationships, and we often
254
00:28:32,492 –> 00:28:38,724
Sonya Proctor: help to broker those relationships. If they haven’t gotten started, we can plant some seeds
255
00:28:38,772 –> 00:28:45,524
Sonya Proctor: and water them and get those relationships started. It’s absolutely critical when we talk about
256
00:28:45,692 –> 00:28:53,604
Sonya Proctor: physical security. Most companies have a director of security. Typically that person is more physical
257
00:28:53,652 –> 00:29:02,816
Sonya Proctor: security than cyber. Usually it’s their CISO, that’s their, that’s their primary cybersecurity person. So
258
00:29:02,968 –> 00:29:09,088
Sonya Proctor: often it’s the director of security that meets with local law enforcement. But I really
259
00:29:09,144 –> 00:29:13,632
Sonya Proctor: believe that is one relationship that they absolutely want to make sure that they have
260
00:29:13,736 –> 00:29:18,512
Sonya Proctor: and that they sustain. So since you sort of jumped into this a little bit,
261
00:29:18,536 –> 00:29:24,596
Frank Cilluffo: what about operational technology? So when you look at some of the technology that’s fielded
262
00:29:24,628 –> 00:29:33,012
Frank Cilluffo: in an OT environment is 30 years old, so, but essential from both the cyber
263
00:29:33,076 –> 00:29:36,932
Frank Cilluffo: and a physical perspective. And I think if you look at a lot of the
264
00:29:36,956 –> 00:29:41,988
Frank Cilluffo: OT community, it kind of grew up with a public safety mindset, which is really
265
00:29:42,044 –> 00:29:46,852
Frank Cilluffo: important, don’t get me wrong, but not necessarily a security mindset. And I’d be curious
266
00:29:46,916 –> 00:29:51,558
Frank Cilluffo: what you’re thinking there, because when I think pipelines, there’s a big OT element in
267
00:29:51,604 –> 00:29:59,474
Frank Cilluffo: this, is there not? There’s a huge OT element, and that’s the element that we
268
00:29:59,562 –> 00:30:04,802
Sonya Proctor: most want to protect. And if you go back to where we started with the
269
00:30:04,826 –> 00:30:13,314
Sonya Proctor: major pipeline company who had the ransomware attack, that attack occurred on their IT side.
270
00:30:13,402 –> 00:30:18,482
Sonya Proctor: It occurred on their business side, not on the operational industrial control systems or something.
271
00:30:18,506 –> 00:30:26,834
Sonya Proctor: But they were not confident of the segmentation, and they did not want to risk
272
00:30:27,002 –> 00:30:34,274
Sonya Proctor: allowing that ransomware attack to migrate into their OT, which resulted in their very. You
273
00:30:34,282 –> 00:30:38,050
Frank Cilluffo: could have loss of life potential decisions right out of the gate. Right. So that
274
00:30:38,090 –> 00:30:45,260
Sonya Proctor: resulted in them making a decision to shut down and to confirm the segmentation. But
275
00:30:45,300 –> 00:30:54,120
Sonya Proctor: that’s one of the most important requirements in the Security Directive, is ensuring segmentation between
276
00:30:54,820 –> 00:31:02,040
Sonya Proctor: IT and OT, between critical cyber systems. I’m glad you recognize the significance of that.
277
00:31:02,340 –> 00:31:10,108
Frank Cilluffo: TSA can play a significant role in all of that. Sonya, before I ask my
278
00:31:10,164 –> 00:31:18,800
Frank Cilluffo: final question in terms of looking forward, how do you keep pace, obviously, with your
279
00:31:18,840 –> 00:31:25,344
Frank Cilluffo: partners inside the broader interagency, inside the Department of Homeland Security, in itself with CISA,
280
00:31:25,392 –> 00:31:30,944
Frank Cilluffo: but how do you keep pace? So we’re not always just reacting to the crisis
281
00:31:30,992 –> 00:31:34,832
Frank Cilluffo: du jour, but we try to sort of get out in front of some of
282
00:31:34,856 –> 00:31:41,596
Frank Cilluffo: the issues that may not be here today, but we know they’re coming tomorrow. That’s
283
00:31:41,628 –> 00:31:50,156
Sonya Proctor: a really good question. Part of that happens in the intelligence world because they do
284
00:31:50,228 –> 00:31:59,852
Sonya Proctor: tend to be forward leaning. It also helps to
285
00:32:00,036 –> 00:32:04,252
Sonya Proctor: talk to the industry partners. What are they seeing, what are they thinking, what are
286
00:32:04,276 –> 00:32:09,380
Sonya Proctor: they planning? Because they have capital budgets. Absolutely. So what are they planning for over
287
00:32:09,420 –> 00:32:15,236
Sonya Proctor: the next 10 years? And I would make a case that for every IT spend
288
00:32:15,268 –> 00:32:21,236
Frank Cilluffo: or infrastructure spend, there should be a security tax or dollars at least 10 cents
289
00:32:21,268 –> 00:32:26,996
Frank Cilluffo: on the dollar spent on securing it. But that’s me. So. But that’s a, that’s
290
00:32:27,028 –> 00:32:32,484
Sonya Proctor: a good way of really getting a sense of where they’re looking because they have
291
00:32:32,492 –> 00:32:42,206
Sonya Proctor: a business and often they have an interest in ensuring that their capital
292
00:32:42,278 –> 00:32:48,606
Sonya Proctor: dollars are well spent and that they’re building on a larger program. So they’ve often
293
00:32:48,678 –> 00:32:53,678
Sonya Proctor: done a lot of research about where they should be in the next 10 years.
294
00:32:53,814 –> 00:33:00,058
Sonya Proctor: AI is going to change a lot of things for industry. It’s going to change
295
00:33:00,114 –> 00:33:07,066
Sonya Proctor: the way virtually everyone does business. But how’s that really going to work? Exactly. What’s
296
00:33:07,098 –> 00:33:13,914
Sonya Proctor: that going to mean in terms of the threats that we’re seeing today? And I’m
297
00:33:13,962 –> 00:33:20,762
Frank Cilluffo: reminded of Wayne Gretzky quote, skate to where the puck’s going to be. And the
298
00:33:20,786 –> 00:33:26,538
Frank Cilluffo: reality is the adversary has a vote. They’re going to base their actions in part
299
00:33:26,594 –> 00:33:33,312
Frank Cilluffo: on our actions, always seeking a vulnerability. And I think TSA doesn’t get a lot
300
00:33:33,336 –> 00:33:38,720
Frank Cilluffo: of credit for this, but after some of the aviation threats out of the UK,
301
00:33:38,840 –> 00:33:45,040
Frank Cilluffo: they were able to move pretty quickly. And that is a slow, difficult infrastructure because
302
00:33:45,080 –> 00:33:49,920
Frank Cilluffo: it affects so many people. I just hope that some of those lessons can be
303
00:33:49,960 –> 00:33:59,130
Frank Cilluffo: pulled into the pipeline side as well. Because granted, we have to always use empirically
304
00:33:59,210 –> 00:34:03,722
Frank Cilluffo: based evidence to focus on what we see now. But that doesn’t mean that’s what
305
00:34:03,746 –> 00:34:10,202
Frank Cilluffo: we’re going to see tomorrow. And, and that’s hard. That’s because it’s disruptive. The cyber
306
00:34:10,266 –> 00:34:15,498
Sonya Proctor: threat is constantly evolving. The cyber threat we see today is not the cyber threat
307
00:34:15,554 –> 00:34:20,474
Sonya Proctor: we saw three. Literally six months ago. Yeah, yeah. So. And we know that. And
308
00:34:20,482 –> 00:34:25,770
Sonya Proctor: it’s going to, it’s not gonna be the same come January that it is today.
309
00:34:26,790 –> 00:34:32,142
Frank Cilluffo: Sonya, what questions didn’t I ask that I should have asked? Gosh, Frank, I think
310
00:34:32,166 –> 00:34:37,518
Sonya Proctor: you were pretty good. Well, I wanna make sure that we capture for our show
311
00:34:37,574 –> 00:34:44,446
Frank Cilluffo: notes any documents that you think our viewers and listeners should read. And most importantly,
312
00:34:44,478 –> 00:34:49,262
Frank Cilluffo: I wanna thank you for your service not only at TSA, but for your entire
313
00:34:49,326 –> 00:34:55,079
Frank Cilluffo: career to, to keep our country safe and better. So, Sonya, thank you for the
314
00:34:55,119 –> 00:34:59,751
Frank Cilluffo: time today and thank you for your many years of distinguished service in law enforcement
315
00:34:59,815 –> 00:35:05,699
Frank Cilluffo: and homeland security. So thank you. Well, thank you, Frank. Thanks for this opportunity to
316
00:35:05,999 –> 00:35:12,359
Sonya Proctor: allow me to share much about TSA that many people really don’t realize because they
317
00:35:12,399 –> 00:35:16,519
Sonya Proctor: think about TSA in airports. And so it’s the other side which is essential, but
318
00:35:16,559 –> 00:35:21,223
Frank Cilluffo: it is essential, and it’s the big part. But this is a really, really critical
319
00:35:21,271 –> 00:35:26,644
Sonya Proctor: part. And the opportunity to share this information today, it’s really important. So thank you
320
00:35:26,652 –> 00:35:31,380
Sonya Proctor: for the opportunity. Thank you, Sonya. Thank you for joining us for this episode of
321
00:35:31,420 –> 00:35:36,612
Frank Cilluffo: Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help
322
00:35:36,636 –> 00:35:40,740
Frank Cilluffo: us reach more listeners. Drop us a line if you have any ideas in terms
323
00:35:40,780 –> 00:35:46,260
Frank Cilluffo: of topics, themes or individuals you’d like for us to host. Until next time, stay
324
00:35:46,300 –> 00:35:48,990
Frank Cilluffo: safe, stay informed, and stay curious.