Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week have the privilege to sit down with Sonya Proctor. Sonya is the Assistant Administrator at TSA, or the Transportation Security Administration, for surface operations. Basically everything TSA does but aviation security. So responsible for mass transit, freight rail, highways, and what we'll discuss most today, pipelines.
Sonya, thank you for joining us today. It's a real privilege to have you. You've spent 25 years prior to your TSA role in senior positions in law enforcement, including here in our city of Washington, D.C. MPD. So thank you for joining us today.
Thanks so much for having me, Frank. This is a great opportunity. Well, we're privileged
to have you. And I thought we could maybe start with, I think until, what was it, 2021 when Colonial Pipeline hit, I don't think most Americans were aware that TSA played a significant role in cybersecurity. And I'd be curious if you can maybe just paint a picture and then we'll go deep into Colonial pipeline. But first, TSA's role. Sure. And I think you're right. Most Americans think of TSA as the people
at the checkpoint in the airport. And if they thought anything about TSA outside of the airport, they might have thought about mass transit. But by the way, you were
also head of security at Amtrak, right? Correct? Yeah. That they might also. Yes. So
when I was the chief of police at Amtrak, they. They did associate passenger rail, mass transit. If TSA has any role outside of the airport, it would probably be there. They do not typically think of TSA as having a role for pipeline security. And actually, TSA's role in pipeline security goes back to the beginning of TSA. And if you recall, when TSA stood up, it really took from the Department of Transportation the security aspect of oversight of the transportation modes. So FAA, that
security focus, transferred to TSA, FRA, FTA, all of those pieces. But they don't think about pipelines. Exactly. PHMSA has primarily the safety focus for pipelines, and TSA has the security focus for pipelines. So back when TSA stood up, there was some direction from Congress about looking at the top, what they called the top 100 pipelines and conducting some assessments on them. And so that was one of the first things that
TSA did in the. In the pipeline arena. We conducted some assessments on roughly the top 100 pipelines at the time. There's been a lot of change in ownerships and mergers and acquisitions kind of changed that ranking. But to kind of take TSA's role back to the beginning, that's around 2003. Wow. And after that, TSA maintained a relationship with the pipeline community and started offering what we call. We now call structured oversight,
which was then called voluntary programs. And these programs included corporate security reviews, and they grew into critical facility security reviews, which are the reviews in the field of field assets. So our relationship with pipeline goes back 20 years. Awesome. Yeah. And to the
very standup of TSA. Absolutely. So I'd be curious. I mean, I think it's fair to say that Colonial Pipeline was a watershed event, and it brought to the average citizen in our great country awareness around some of these issues. Can you sort of go back if you can roll back the tape a little bit, as George Michael used to say in D.C. and take a look at where we were at that time and how you thought it played out. So Colonial happened in May of 2021.
But prior to that, we had already started our focus on cybersecurity. In 2019, we started our, what we call PSAT teams, Pipeline Security Assessment teams. Not to be confused
with the PSATs as. Correct. So we had 20 members that were broken up into
our PSAT teams. And when we made a decision to establish these teams so that we could focus our efforts on pipeline, both physical and cyber, this was before any of the hyper focus that came along with the major ransomware attack. And these individuals, we set up a great training regimen for them. We work with Idaho National Labs to help them get a good security focus in cyber. We had them work with
some of our Pipeline partners to help them gain more experience in physical security. So these teams were already in place, and we had actually started doing what we then called architectural design reviews. We did our first one, actually. I think it was around 2018. Wow. Okay. So that actually was the start of the PSAT teams there. And by having those teams in place, by the time we had this major cyber attack, ransomware attack, on what I refer to as a major pipeline company, our PSAT teams,
thankfully, were in place. Jumped in. Yeah. And they were able to help us make sure that we were getting information out to other pipeline companies. That was one of the most important things for us to do to make sure that we were sharing the information that we obtained and that we learned from the company as they were working through this attack. I was fortunate to have a relationship with the company and to be able to communicate with them and to be able to get Information from
them that we were then able to share with other companies. And I think that's
so essential. I mean, anyone in the law enforcement business knows trust is the coin of the realm. Everything hinges upon that. And if you don't have. If you're exchanging business cards when the bomb goes off or something bad happens, that's a pretty bad situation to be in. Right. You're lost. Yeah, you're. You're already lost before you start. Yes. And. And I do think that that is important. And. And I like the
concept around physical and cyber. I have a very difficult time discerning what is physical inside because they're converging so rapidly so quickly. And I think that that is an important element to look at it in its totality. And it sounds like that was part of the mindset and the ethos of some of your efforts. Is that fair?
It was, and it's grown since then. We really do recognize the connection between physical and cyber. Physical attacks can have an impact on cyber and vice versa. So we recognize that, and we do address both. In industry, sometimes you've got people who focus primarily on physical, a CSO or a CISO. Exactly. And most of their cyber individuals have a high degree of training, lots of experience, so their focus is usually primarily on the cyber piece. But we keep our focus on both because we know that a
successful physical. Attack on a cyber infrastructure will have the same impact. Could have the same impact either way. You could be without this critical asset. And that's what we're concerned about, you. Know, going back to Colonial pipeline just quickly. I think it was
Winston Churchill who said, never let a good crisis go to waste. What were some of the initial lessons we learned, and what does it mean for some of our activities? Kind of TSA's activities going forward in terms of working with, what is it? Approximately 3,000 pipeline companies in the U.S. approximately 3,000. And currently, based on that ransomware
attack, TSA issued security directives. The administrator used his authority, his unique authority, to issue security directives, which are regulatory documents to address this imminent threat to pipelines. That group that is covered by the security directives is a much smaller group. We use the number roughly around 100. Okay. And those companies are the ones who have the most impact on national security, our national economy, and in our way
of life. So, you know, we look at those in a slightly different way. They are regulated in a way that the remainder are not. Now, it doesn't mean that we don't take the same approach with the other 2,900, because we issue something similar to those security directives, except they don't have the regulatory impact and they don't have. The resources necessarily in the same way. Correct, Correct. They don't always have the
resources, but we give them the same guidance. And instead of it being called a security directive, we call it a security circular. Okay, so it's not regulatory, it's not enforceable. But we want to make sure that we are sharing with them what we have learned about how they can better protect themselves against the major cyber threats. Which
is essential because local. I mean, as we know in the counterterrorism business, all crime is local, all threats are local. And at the end of the day, you need to make sure that the women and men on the very front lines are aware. I'd be curious. Are you concerned in a post Chevron environment that the ruling could be sort of questioned or held up, or do you feel like you built the partnerships with some of the pipeline companies that maybe it withstands? We have incredible partnerships
and you do. I've heard this from the pipeline companies and associations. I've recently testified
with one, I think. And we have worked hard to earn that trust. So despite
any decisions, any court decisions, these operators understand the threat. We have provided classified briefings to more operators than ever in the history of TSA. We have had classified briefings with certainly there at TSA, at the Office of the Director of National Intelligence. We've had briefings at FBI. So it was important for us to make sure that they understood the threat. Absolutely. And we knew that once they understood the threat, they'd take
action, that this would be something that they would follow through on. We are in this together, and I meet regularly with the pipeline industry and we have very open, transparent discussions. And I like to think that's part of how we have earned our trust in this community. The threat is unlike any cyber threat that we have faced in recent times. Last week, the Department of Homeland Security published its Homeland Threat Assessment. I made a note on that. I want to share this because
I think it's really important. It's the 2025 Homeland DHS Homeland Threat Assessment. It's online, so it is available publicly. And I really. And we'll make it available in our
show notes. Good. I really do recommend that people take a look at this. And
under Critical Infrastructure Security, there's a specific piece and I think this is so important for us and for critical infrastructure owners and operators. And it says disruptive and destructive cyber attacks targeting critical infrastructure. That's kind of the subtitle there. The People's Republic of China state-sponsored cyber actors have pre-positioned cyber exploitation and attack capabilities for disruptive or destructive cyber attacks against U.S. critical infrastructure in
the event of a major crisis or conflict. With the US which is very bold
and very strong and in a post Volt Typhoon environment should be that wake up call. Yes, absolutely. To have this in a document, having an intelligence agency to provide
this information, it is telling you how significant this is. But to speak of a nation state adversary having pre positioned capabilities is pretty significant. So if you've looked at any of the advisories about living off the land about Volt Typhoon, then you understand
what that means. Essentially that they're sleeping in the systems. And in April of this year, in one of the interviews that FBI Director Wray had at Vanderbilt University, he spoke about the Chinese Communist Party and said the immense size and expanding nature of the Chinese Communist Party's hacking program isn't just aimed at stealing America's intellectual property. It's using that mass, those numbers to give itself the ability to physically wreak havoc
on our critical infrastructure at a time of its choosing. Yeah, yeah. He spoke about pre positioning that we now know occurred in 2011 targeting 23 different pipeline companies. Wow.
Wow. So I mean we recently had Dave Luber on who talked about living off the land at NSA and I think that the reality is if you can exploit, you can attack if the intent is there. And the fact that they publicly identified pipeline companies, that's a pretty significant statement. I didn't catch that part. So that's a pretty big deal. And it's a pretty big deal and it's not one that has
been ignored by our pipeline owners and operators. So assuming that the
need to build resilience into our pipelines is at the very top of the list because basically if you're owned, you've got to at least minimize the consequence and impact of a potential attack. Absolutely. And our goal as a sector risk management agency is
to create a resilient transportation critical infrastructure community that in light of these facts is positioned to continue critical support to national security, to the nation's economy and to our way of life. And say things do pop in Taiwan and
clearly we'll be looking for indicators in advance, would this be something you see working hand in glove with industry? Would you be in a combined SOC or would this be sort of pick up the phone, which is going at pre-cyber speed? How would you envision this playing out in the event something goes south? This would be one
of the most collaborative ever. Exactly. It would be intel agencies, it would be the FBI in addition to its intel, the investigative perspective, because they conduct the investigations for cyber security events. It would be CISA and the expertise that they bring to cybersecurity and infrastructure security in terms of threat hunting and being able to identify intrusions into systems. Certainly it would be with operators to make sure that they know what we
know. And that's important because. Absolutely. You need a rich picture. The Brits call their
intelligent. You need the rich picture to be able to make those decisions. And private sector is on the front lines here, and we want to make. Sure that they
have the information so that they can better protect themselves. And we believe that the guidance, the direction that's been included in the security directives is one of the best ways to potentially minimize the impact if there is a successful attack. We're not naive and we're talking about. Everything everywhere, all the time. They are committed, they are persistent, and they have capability. So is it possible that one of these companies will be
a successful target? That's always possible. It's inevitable. But that doesn't mean game over. But we believe that if they have applied the measures that we've identified in the security directives, that they will be less likely to be completely disabled as a result of an attack. And we believe that they will be in a position because of the preparation, the advanced preparation, to be resilient, that they will be able to resume a
necessary level of operation. Because remember, if they're under the security directives, they have a national security responsibility. Absolutely. Absolutely. That's not optional for them to be out of business.
You mentioned CISA. I would like to have a short discussion around how you collaborate with the, I mean this endearingly, the Alphabet Soup of Washington, D.C., whether it's FBI on the law enforcement side, the Cybersecurity Collaboration Center at Fort Meade, and NSA on some of the overseas. And clearly CISA within the Department of Homeland Security, which TSA is part of. And while we're at it, let's talk Caesar as well. Sort of.
Correct. So can you help us paint that picture? Little bit. And where TSA fits into all of. That in terms of protecting critical infrastructure? It's one picture. It's a
window with lots of panes in it. We all work together. You can pull anyone from those agencies. We all know one another. Absolutely. We all communicate, and we all communicate with our industry partners. So all of us are in the same position in terms of understanding the nature of this threat. And it's unlike any threat we have
ever seen before. And that means that it is incumbent upon us as federal agencies to be coordinated, to be communicating with each other, to be sharing information, all in the interest of first, hopefully preventing an attack and secondly, if an attack does occur, to be able to help mitigate the impact of that attack. And when I think
of the Department of Homeland Security, you also have lessons that can be gleaned in responding to what we're seeing today, horrific hurricanes. And I think that is part of that. The DNA and the ethos that TSA can bring to this fight. Yes. Is that fair? Absolutely. And it can be a weather related event like the hurricanes that
our colleagues are struggling with in the south and southeast right now, the second hurricane in two weeks that has its own impact. On critical infrastructure, so massive regional and
nationally. So that is something that we monitor very carefully in every mode of transportation,
whether it's airports, airlines, pipelines, mass transit, freight, rail. All of them are impacted when we have a significant weather event. And not to be trite, but I've often said
that policy without resources is sometimes rhetoric. Do you have the resources you need to get the job done? Would you like to see those growing? Our resources will grow
along with the threat. I'm confident. They have to, right? They have to. As we stand now, we are resourced to conduct the work that we're doing with our pipeline partners. We have regular engagements with them because of the security directives. We also have a responsibility to conduct inspections to ensure that they are actually complying with the requirements in the security directives to ensure that they are developing the necessary plans that are
required by the security directives. They're required to have critical incident response plans. They're required to have what we call a cybersecurity assessment plan, which is actually their own assessment of their original plan. So it's a self assessment that they have to do. They're
going to know their systems better than anyone from the outside, but they. Have to
share that with us. Are there lessons that others could learn for other, whether it's
sector risk management agencies or other critical infrastructures, anything that from the security directives that you think can be applied to other sectors or is it unique to pipeline? I
don't think it's unique to pipelines. I think the biggest lesson that we've learned and that others can learn is communicate early and often. Transparency works because if you share the information and industry understands what the issue really is, they'll do it. They're patriotic. You're in it together. Yep. I have no question that we are in this together. This is one fight. Because this threat is unlike anything they've ever seen before and
they understand the impact. Yeah, yeah. And sort of stepping back into your old role
of now, D.C. is a major metropolitan city, obviously, but where do you see state, local, tribal, territorial. Where do you see law enforcement fitting into this equation? And for transparency and a bit of an infomercial, we do some work through the Secret Service and the National Cyber Forensics Institute, which is purely focused on SLTT. But I'd be curious, how do we get those women and men on the front line to be part of the solution or a bigger part of the solution set? I think they're
definitely a part of the solution set here. And one of the things, when we talk to industry, we talk about building those partnerships locally, the reality is if they have an event, particularly a physical event at their facility, the first people that are going to be there are going to be their local law enforcement. Always. Or a
paramedic or a firefighter. Yes. But they're going to be the locals. Prevent a responder. Yep. So that's a relationship that they need to have. That relationship needs to be
in place. I always call it the best cup of coffee you can have every month. If you're having a meeting with the chief or with your local commander, that's a relationship that's really critical. And when we talk about physical security, those are going to be the first ones there. So I think there is clearly a role, but there's a mutual responsibility there. And we encourage operators to get out. And if, if the local law enforcement hasn't reached out to you, don't be shy, go reach out
to them. Yeah, well said. And invite them in. Invite them in, let them tour your property, help them understand what's really critical on that property so that if they end up getting a call there at 3:00 in the morning, they know what they're looking at. Exactly. They know what they should be particularly interested in if they're responding there at 3 o'clock in the morning and you don't want to be the one who's standing on the other side of the yellow tape. Because
they don't know who you are. Absolutely. And I think that is one of the
big lessons we learned post-9/11 is I just feel like it hasn't fully translated in cyber in part because you've got responsibilities that are not always shared by the same individuals. In terms of. We talked about the separation between if you look, in a corporate setting, sometimes you'll have a chief security officer, chief information security officer, chief risk officer, and rarely do they all sort of come together. But I think going
forward, the essential nature of all of that is tantamount. It should be priority 1, 2, 3, I think, and I think TSA is well positioned to drive that, just given the mission set. And, you know, because TSA has so
many former law enforcement people there, we do encourage building those relationships, and we often help to broker those relationships. If they haven't gotten started, we can plant some seeds and water them and get those relationships started. It's absolutely critical when we talk about physical security. Most companies have a director of security. Typically that person is more physical security than cyber. Usually it's their CISO, that's their primary cybersecurity person. So
often it's the director of security that meets with local law enforcement. But I really believe that is one relationship that they absolutely want to make sure that they have and that they sustain. So since you sort of jumped into this a little bit,
what about operational technology? So when you look at some of the technology that's fielded in an OT environment is 30 years old, so, but essential from both the cyber and a physical perspective. And I think if you look at a lot of the OT community, it kind of grew up with a public safety mindset, which is really important, don't get me wrong, but not necessarily a security mindset. And I'd be curious what you're thinking there, because when I think pipelines, there's a big OT element in
this, is there not? There's a huge OT element, and that's the element that we
most want to protect. And if you go back to where we started with the major pipeline company who had the ransomware attack, that attack occurred on their IT side. It occurred on their business side, not on the operational industrial control systems or something. But they were not confident of the segmentation, and they did not want to risk allowing that ransomware attack to migrate into their OT, which resulted in their very. You
could have loss of life potential decisions right out of the gate. Right. So that
resulted in them making a decision to shut down and to confirm the segmentation. But that's one of the most important requirements in the Security Directive, is ensuring segmentation between IT and OT, between critical cyber systems. I'm glad you recognize the significance of that.
TSA can play a significant role in all of that. Sonya, before I ask my final question in terms of looking forward, how do you keep pace, obviously, with your partners inside the broader interagency, inside the Department of Homeland Security, in itself with CISA, but how do you keep pace? So we're not always just reacting to the crisis du jour, but we try to sort of get out in front of some of the issues that may not be here today, but we know they're coming tomorrow. That's
a really good question. Part of that happens in the intelligence world because they do tend to be forward leaning. It also helps to talk to the industry partners. What are they seeing, what are they thinking, what are they planning? Because they have capital budgets. Absolutely. So what are they planning for over the next 10 years? And I would make a case that for every IT spend
or infrastructure spend, there should be a security tax or dollars at least 10 cents on the dollar spent on securing it. But that's me. So. But that's a, that's
a good way of really getting a sense of where they're looking because they have a business and often they have an interest in ensuring that their capital dollars are well spent and that they're building on a larger program. So they've often done a lot of research about where they should be in the next 10 years. AI is going to change a lot of things for industry. It's going to change the way virtually everyone does business. But how's that really going to work? Exactly. What's
that going to mean in terms of the threats that we're seeing today? And I'm
reminded of Wayne Gretzky's quote, skate to where the puck's going to be. And the reality is the adversary has a vote. They're going to base their actions in part on our actions, always seeking a vulnerability. And I think TSA doesn't get a lot of credit for this, but after some of the aviation threats out of the UK, they were able to move pretty quickly. And that is a slow, difficult infrastructure because it affects so many people. I just hope that some of those lessons can be
pulled into the pipeline side as well. Because granted, we have to always use empirically based evidence to focus on what we see now. But that doesn't mean that's what we're going to see tomorrow. And, and that's hard. That's because it's disruptive. The cyber
threat is constantly evolving. The cyber threat we see today is not the cyber threat we saw three. Literally six months ago. Yeah, yeah. So. And we know that. And it's going to, it's not gonna be the same come January that it. Is Today,
Sonya, what questions didn't I ask that I should have asked? Gosh, Frank, I think
you were pretty good. Well, I wanna make sure that we capture for our show
notes any documents that you think our viewers and listeners should read. And most importantly, I wanna thank you for your service not only at TSA, but for your entire career to keep our country safe and better. So, Sonya, thank you for the time today and thank you for your many years of distinguished service in law enforcement and homeland security. So thank you. Well, thank you, Frank. Thanks for this opportunity to
allow me to share much about TSA that many people really don't realize because they think about TSA in airports. And so it's the other side which. Is essential, but
it is essential, and. It's the big part. But this is a really, really critical
part. And the opportunity to share this information today, it's really important. So thank you for the opportunity. Thank you, Sonya. Thank you for joining us for this episode of
CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.