The U.S. Department of Homeland Security’s Transportation Security Administration (“TSA”) issued a Security Directive, “Enhancing Pipeline Cybersecurity,” on May 28, laying out new cybersecurity requirements for operators of liquids and natural gas pipelines and LNG facilities designated as critical infrastructure.
The Directive can be seen as part of a larger federal effort to augment the nation’s cybersecurity posture in the wake of the Colonial Pipeline ransomware attack earlier in May and the SolarWinds incident last year. The Cybersecurity and Infrastructure Security Agency (“CISA”), a unit of the Department of Homeland Security, has already been tasked with producing a cloud-service governance framework and a standard incident response playbook for federal agencies pursuant to the Biden administration’s recently issued Executive Order on cybersecurity. Unlike the Executive Order, which covered government agencies and their suppliers, this Directive focuses on the activity of private sector entities.
The Directive has three primary requirements:
- Pipeline facilities and other covered entities must designate a Cybersecurity Coordinator with TSA by June 4, 2021, who must be available as the primary contact for communications with the TSA and CISA, twenty-four hours a day and seven days a week, regarding cybersecurity and related information. Coordinators are also responsible for working with law enforcement and emergency response agencies and organizing facilities’ internal cybersecurity practices.
- Pipeline facilities are required to provide a detailed report to CISA, within 12 hours, of any cybersecurity incident affecting any Information Technology System (which, as defined, generally covers any platform that processes data maintained by pipeline facilities) and/or Operational Technology System (defined to cover the systems used to control the pipeline or other infrastructure). The Directive defines cybersecurity incidents broadly to include: (i) any unauthorized access to the Systems; (ii) the existence of malicious software on the Systems; (iii) activity resulting in a denial of service; and (iv) a physical attack against network infrastructure. The definition also has a catch-all category that includes any incident which disrupts, or has the potential to disrupt, the safe and efficient transfer of liquids and gases. Any report to CISA must include, among other things, a description of the incident, its impact on the facility’s systems, and the facility’s planned response.
- Pipeline facilities must assess whether their current practices align with the TSA’s Pipeline Security Guidelines (which were introduced in 2018 but were previously voluntary) and identify remediation measures for addressing gaps in compliance.
The Directive, which utilizes existing authority granted under the Aviation and Transportation Security Act, will likely be part of a broader shift toward requirements for greater reporting, coordination and communication between the government and the private sector. The change from voluntary guidance to required standards for cybersecurity is also likely to become more common.