Department of Homeland Security Announces New Cybersecurity Requirements for Pipelines

Faegre Drinker Biddle & Reath LLP


The Department of Homeland Security (DHS) recently announced a new Security Directive requiring companies in the pipeline sector “to better identify, protect against, and respond to” cyber threats. Among other things, the Security Directive requires pipeline operators to report cyberattacks against their pipelines to DHS. This new requirement replaces the voluntary reporting guidelines that had been in place since 2010.

The new Security Directive is a response to the May 2021 ransomware attack on Colonial Pipeline that shut down much of the oil and gas distribution to the East Coast of the United States for approximately six days. According to various media reports, Colonial Pipeline ultimately elected to pay a Russian ransomware gang that claimed responsibility for the attack over four million dollars to re-open the crippled pipeline.

Under the new Security Directive, which is implemented by the Transportation Security Administration (TSA), pipeline operators will be required to take the following steps:

  1. Report attempted and confirmed cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA);
  2. Designate a “Cybersecurity Coordinator” who must be available on a 24/7 basis in the event of a cyberattack; and
  3. Immediately review current cyber-hygiene practices and identify and report any gaps and related remediation measures to TSA and CISA within 30 days of the implementation of the Security Directive.

TSA is also currently considering additional “follow on” measures to further support the pipeline industry and to assist the industry in strengthening its cybersecurity posture.

The ransomware attack against Colonial Pipeline appears to have spurred the federal government to recognize and take steps to combat the significant cybersecurity threats facing critical infrastructure in the United States. DHS’s Security Directive is an effort to tighten the agency’s previously lax oversight of the nation’s pipeline system, which TSA has been responsible for overseeing since the terrorist attacks of September 11, 2001. In addition, the Federal Energy Regulatory Commission (FERC), which also oversees and regulates natural gas and gas pipelines, has publicly called for mandatory and uniform cybersecurity standards throughout the entire oil and gas industry.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising

Written by:

Faegre Drinker Biddle & Reath LLP

Faegre Drinker Biddle & Reath LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.