New cybersecurity requirements for oil and gas pipelines signal important changes to the regulatory landscape for midstream companies. A new security directive from the Transportation Security Administration (TSA), effective May 28, 2021, mandates immediate action and ongoing compliance protocols for certain energy companies. The security directive also raises many new questions that companies will need to consider in their response efforts and highlights the potential for increased regulation going forward. In particular, media reports indicate that the security directive is a precursor to additional regulations that will include financial penalties for companies that fail to address cybersecurity vulnerabilities.
The security directive is part of an increasingly urgent government effort to strengthen cybersecurity for critical industries in light of the recent Colonial Pipeline shutdown and other security incidents. On June 2, 2021, the White House issued a memorandum to corporate executives and business leaders stating that ransomware in particular is a “top priority” of the Biden administration. It states that “business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure [they] have the ability to continue or quickly restore operations.” In addition to the best practices listed in the June 2 memo, the security directive provides specific steps that oil and gas midstream companies will need to address.
The security directive constitutes a departure from voluntary measures that the Cybersecurity and Infrastructure Security Agency (CISA) and TSA had developed since the inception of the Pipeline Cybersecurity Initiative in 2018. Starting immediately, the security directive requires that “[o]wners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility notified by TSA that their pipeline system or facility is critical” must report cybersecurity incidents to the CISA, designate a cybersecurity coordinator who is available to the TSA and CISA at all times, and conduct internal security assessments for the purpose of reporting the results no later than June 28, 2021. Importantly, although the security directive applies to only “the 100 most critical pipeline operators” and expires on May 28, 2022, media reports cite officials’ statements that additional regulations are forthcoming, and that those regulations will include financial penalties for noncompliance. As a result, companies beyond those directly impacted by the security directive may wish to consider taking steps to anticipate similar requirements, and should consider whether they need additional security protocols to facilitate doing business with regulated companies.
The security directive requires regulated companies to report a potentially vast range of cybersecurity incidents to the CISA. It lists five categories of reportable events: (1) unauthorized access to Information or Operational Technology systems, including non-malicious policy violations such as employees’ use of shared credentials; (2) discovery of malicious software on an Information or Operational Technology system; (3) activity resulting in a denial of service to any Information or Operational Technology system; (4) a physical attack against network infrastructure; and (5) “[a]ny other cybersecurity incident that results in operational disruption to the Owner/Operator’s Information or Operational Technology systems or other aspects of the Owner/Operator’s pipeline systems or facilities, or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases including, but not limited to[,] impacts to a large number of customers, critical infrastructure or core government functions, or impacts national security, economic security or public health and safety.”
Companies must report these incidents quickly – within 12 hours after identification of the incident – followed by supplementation if the required information is not available at the time of the initial report. Reports must be comprehensive; in addition to basic facts, the company must provide an assessment of the incident’s “impact or potential impact” on the company’s systems and operations, as well as “all responses that are planned or under consideration.” The security directive also includes a broad requirement that companies provide “[a]ny additional relevant information.”
In addition to incident reports, companies must also conduct vulnerability assessments that measure their current cybersecurity practices against the TSA’s 2018 Pipeline Security Guidelines (as updated in April 2021). The security directive requires that each company submit a report identifying gaps, along with remediation measures and a timeline, no later than June 28, 2021.
The security directive specifies that it is to be disseminated to senior management of affected companies. It also requires each company to name and maintain a cybersecurity coordinator with security clearance eligibility who will serve as the company’s primary contact with the CISA and TSA concerning cybersecurity, coordinate relevant internal practices and procedures, work with law enforcement and emergency response agencies, and remain available to the CISA and TSA “24 hours a day, seven days a week.” Each company must also maintain at least one alternate cybersecurity coordinator.
Energy regulators, including Federal Energy Regulatory Commission Chairman Richard Glick, have recently called for mandatory pipeline cybersecurity standards. Although they have not revealed specifics, Biden administration officials have made statements to the press saying that new regulations are on the way in the near term, including financial penalty provisions. Congress is also considering several pieces of legislation that would make significant changes to the current energy cybersecurity landscape, including measures to coordinate regulation of pipeline security among the several agencies that currently exercise authority over various aspects of pipeline operations.
As defined in the security directive, an “Information Technology System” means “any services, equipment, or interconnected systems or subsystems of equipment that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information that fall within the responsibility of the Owner/Operator to operate and maintain.” An “Operational Technology System” is “a general term that encompasses several types of control systems, including industrial control systems, supervisory control and data acquisition systems, distributed control systems, and other control system configurations, such as programmable logic controllers, fire control systems, and physical access control systems, often found in the industrial sector and critical infrastructure. Such systems consist of combinations of programmable electrical, mechanical, hydraulic, pneumatic devices or systems that interact with the physical environment or manage devices that interact with the physical environment.”