On July 20, 2021, the Department of Homeland Security’s Transportation Security Administration (“TSA”) announced the issuance of a second Security Directive regarding further enhancements to pipeline cybersecurity (the “July Directive”). The July Directive applies to owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas and requires such pipeline systems to implement additional protections against cyber intrusions.
The May Directive
We previously discussed the TSA’s announcement of Security Directive Pipeline-2021-01 on May 27, 2021 (the “May Directive”). Issued against the backdrop of the Colonial Pipeline cybersecurity incident, the May Directive requires select critical pipeline owners and operators to (1) designate a Cybersecurity Coordinator who must be available to TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) 24-hours a day, seven days a week, (2) review current practices to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA within 30 days, and (3) report cybersecurity incidents to CISA no more than 12 hours after an incident is identified.
The July Directive
The July Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems. Additionally, covered pipeline owners and operators must develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review. Because the July Directive requires the covered pipeline owners and operators to implement specific cybersecurity practices, this directive is designated as “security sensitive,” and a DHS spokesperson has reported that its distribution will be limited to those with a need to know.
Enforcement
Although news outlets have reported that TSA officials plan to assess fines of up to $7,000 per day on operators and owners that fail to adhere to TSA’s new requirements, neither the May Directive nor the July Directive detail any penalties for noncompliance. Nonetheless, operators and owners should be prepared for TSA to use any of its powers to penalize noncompliance, including potential denial or revocation of necessary permits.
What This Means For You
This second directive, issued just two months after the first, signals the government’s heightened focus on cybersecurity protections for critical infrastructure systems. Regulators of pipeline systems, such as the Federal Energy Regulatory Commission, have recently issued statements calling for the examination of mandatory pipeline cybersecurity standards. This multi-agency effort to enhance cybersecurity measures of pipeline systems is a strong indication that operators and owners should continue assessing current practices and begin developing, and implementing, comprehensive cybersecurity programs.
*Bree Sinclair is a law clerk in our Houston office.
