The U.S. Department of Homeland Security (DHS) announced the issuance of a second security directive (Directive) that requires owners and operators of certain critical pipelines carrying hazardous liquids and natural gas to “implement a number of urgently needed protections against cyber intrusions.” The July 20, 2021 Directive, issued by DHS’s Transportation Security Administration (TSA), enhances the requirements announced in the TSA’s May 28, 2021 security directive in which the TSA first outlined mandatory cybersecurity measures that pipeline owners and operators must take in response to the ongoing cybersecurity threat to pipeline systems.
The new Directive requires owners and operators of TSA-designated critical pipelines to:
- Implement specific mitigation measures and technical countermeasures to guard against ransomware attacks and similar cyberattacks;
- Develop and implement a cybersecurity recovery plan; and
- Review existing cybersecurity-architecture designs.
There are few details explaining how the TSA will enforce the Directive, because the agency has not published the confidential Directive for security reasons. Nonetheless, the TSA’s announcement reaffirms and bolsters its security directive issued in May (the May Directive). The May Directive requires owners and operators to notify the Cybersecurity and Infrastructure Security Administration (CISA) within 12 hours of discovering a possible cybersecurity breach, even when the owner or operator is merely investigating the possibility of a security breach. It also requires owners and operators to designate a primary and alternate Cybersecurity Coordinator to be available 24 hours a day, seven days a week, to liaise with the TSA and CISA regarding possible cybersecurity breaches. In the event companies are unable to comply with the TSA’s mandates, the May Directive instructs them to notify the TSA in writing, seek approval for alternative cybersecurity measures, and provide a rationale for those alternative measures. For a full list of requirements contained in the May Directive, please see Hogan Lovells’s June 4, 2021 client alert “DHS announces cybersecurity obligations for pipeline companies.”
TSA’s two Directives are aimed at proactively preventing cyberthreats similar to the recent and highly publicized Colonial Pipeline ransomware attack in May 2021. This new Directive indicates TSA’s commitment to enforcing mandatory pipeline cybersecurity protections and protocols, which, until the issuance of the May Directive, had largely been voluntary and collaborative for pipeline owners and operators.
Owners and operators of TSA-designated critical pipelines should continue to monitor developments associated with the new Directive and the May Directive. And, depending on the scope of the new Directive, they also should consider whether to provide input to the TSA through the agency’s feedback system to improve or adjust the requirements imposed on owners and operators. Hogan Lovells’s cross-practice cybersecurity policy and compliance team is prepared to assist you in complying with all aspects of the new Directive and the May Directive as you navigate and implement the newest cybersecurity requirements issued by the TSA.