[co-author: Bree Sinclair]
On May 27, 2021, against the backdrop of the Colonial Pipeline cybersecurity incident, the Department of Homeland Security’s Transportation Security Administration (“TSA”) announced Security Directive Pipeline-2021-01 regarding enhancements to pipeline cybersecurity (the “Directive”). The Directive applies to owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility that have been notified by TSA that their pipeline system or facility is critical. In general, criticality is determined based on factors such as the volume of product transported and service to other critical sectors.
The Colonial Pipeline Incident
On May 7, 2021, Colonial Pipeline Co. shut down its entire 5,500-mile system in response to a ransomware attack by the hacking group Darkside. Colonial Pipeline Co., whose pipeline extends from the Gulf Coast to New Jersey and carries an estimated 45% of the East Coast’s fuel supplies, later announced that it paid roughly 75 Bitcoin – or nearly $5 million – to recover its stolen data and end the six-day shutdown. This shutdown prompted several government participants, including the TSA, to take a closer look at cybersecurity requirements for critical infrastructure.
Three Central Requirements
At a high level, the Directive requires three central actions:
Appoint a Cybersecurity Coordinator
First, the Directive requires the TSA-specified owners or operators to designate a Cybersecurity Coordinator who must be available to TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) 24 hours a day, seven days a week to coordinate cybersecurity practices and address any incidents that arise. The Cybersecurity Coordinator must be a corporate-level individual who is responsible for coordinating cyber and related security practices and procedures internally and working with the appropriate law enforcement and emergency response agencies.
Perform a Cybersecurity Assessment
Second, the owners and operators must review their current activities against TSA’s recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA. This review must include a vulnerability assessment and comply with the procedural requirements set forth in the Directive.
Report Cybersecurity Incidents to CISA
Third, the Directive requires the owners or operators to report cybersecurity incidents to CISA. This reporting obligation applies to cybersecurity incidents that involve systems the owner or operator has responsibility to operate and maintain and that impact or affect an information or operational technology system. Such incidents also include a physical attack against the owner’s or operator’s network infrastructure. The owners or operators will have, at most, 12 hours after a cybersecurity incident is identified to report the required information to CISA.
Although news outlets have reported that TSA officials plan to assess fines of up to $7,000 per day on operators and owners that fail to adhere to these new requirements, the Directive and the underlying process memorandum do not detail any penalties for noncompliance. However, operators and owners should be prepared for TSA to use any of its powers to penalize noncompliance, including potential denial or revocation of necessary permits.
What This Means For You
Even pipeline operators and owners that do not fall within the direct scope of the Directive should view it as a strong indication of a trend toward increased cybersecurity compliance requirements. We recommend assessing your current cybersecurity practices against the requirements of the Directive and beginning or building out a comprehensive cybersecurity program. Some of the first steps could include performing a gap assessment based on the NIST Framework for Improving Critical Infrastructure Cybersecurity and allocating funds for this work.
*Bree Sinclair is a law clerk in our Houston office.