DHS Pipes Up Again: Issues Second Directive On Pipeline Security

Vinson & Elkins LLP

Vinson & Elkins LLP

On July 20, 2021, the Department of Homeland Security’s Transportation Security Administration (“TSA”) announced the issuance of a second Security Directive regarding further enhancements to pipeline cybersecurity (the “July Directive”). The July Directive applies to owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas and requires such pipeline systems to implement additional protections against cyber intrusions.

The May Directive

We previously discussed the TSA’s announcement of Security Directive Pipeline-2021-01 on May 27, 2021 (the “May Directive”). Issued against the backdrop of the Colonial Pipeline cybersecurity incident, the May Directive requires select critical pipeline owners and operators to (1) designate a Cybersecurity Coordinator who must be available to TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) 24-hours a day, seven days a week, (2) review current practices to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA within 30 days, and (3) report cybersecurity incidents to CISA no more than 12 hours after an incident is identified.

The July Directive

The July Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems. Additionally, covered pipeline owners and operators must develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review. Because the July Directive requires the covered pipeline owners and operators to implement specific cybersecurity practices, this directive is designated as “security sensitive,” and a DHS spokesperson has reported that its distribution will be limited to those with a need to know.


Although news outlets have reported that TSA officials plan to assess fines of up to $7,000 per day on operators and owners that fail to adhere to TSA’s new requirements, neither the May Directive nor the July Directive detail any penalties for noncompliance. Nonetheless, operators and owners should be prepared for TSA to use any of its powers to penalize noncompliance, including potential denial or revocation of necessary permits.

What This Means For You

This second directive, issued just two months after the first, signals the government’s heightened focus on cybersecurity protections for critical infrastructure systems. Regulators of pipeline systems, such as the Federal Energy Regulatory Commission, have recently issued statements calling for the examination of mandatory pipeline cybersecurity standards. This multi-agency effort to enhance cybersecurity measures of pipeline systems is a strong indication that operators and owners should continue assessing current practices and begin developing, and implementing, comprehensive cybersecurity programs.

*Bree Sinclair is a law clerk in our Houston office.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Vinson & Elkins LLP | Attorney Advertising

Written by:

Vinson & Elkins LLP

Vinson & Elkins LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide