The Department of Homeland Security (DHS) announced the issuance of the Transportation Security Administration's (TSA) second Security Directive (Directive) creating mandatory cybersecurity rules for owners and operators of TSA-designated "critical" pipelines and liquefied natural gas (LNG) facilities "to implement a number of urgently needed protections against cyber intrusions."
The Directive, officially titled "Security Directive Pipeline-2021-02: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing," was sent directly to designated owners and operators and is restricted from public disclosure. DHS's July 20, 2021, announcement of the Directive and a July 27 Government Accountability Office (GAO) report say that the Directive requires designated owners and operators to:
- (1) [I]mplement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology systems (OT);
- (2) [D]evelop and implement a cybersecurity contingency and response plan; and
- (3) [U]ndergo an annual cybersecurity architecture design review.
Although the details regarding potential penalties for noncompliance have not been made public, the TSA's most recent enforcement sanction guidance policy allows for fines up to $11,904 per violation of TSA's security regulations for surface transportation modes.
According to the July 2021 GAO report, the Directive "was developed in consultation with [the Cybersecurity & Infrastructure Security Agency (CISA), also part of DHS,] to include many of the cybersecurity mitigation measures noted in recent alerts." In the last year, CISA has issued multiple alerts on cybersecurity measures for critical infrastructure generally and OT specifically.[1]
The Directive was announced about two months after TSA's initial Security Directive for critical pipeline and LNG facilities, which DWT discussed in a prior blog post. Both directives come shortly after the high-profile May 2021 ransomware attack against Colonial Pipeline, which caused significant disruptions to fuel supplies on the East Coast. Following that attack, the TSA faced criticism for having taken a purely voluntary approach to pipeline cybersecurity since assuming oversight authority after 9/11.
The TSA's initial Security Directive was TSA's first-ever mandatory set of cybersecurity rules for pipelines or LNG facilities. But both directives apply only to owners and operators of pipelines and LNG facilities that TSA deems "critical," meaning that cybersecurity for many pipelines and LNG facilities is still addressed only through voluntary guidelines.
The GAO report notes that TSA intends to continue developing its voluntary Pipeline Security Guidelines, which the GAO has criticized as partially outdated or incomplete on several occasions.[2] TSA now reportedly intends to update those guidelines to address mitigations for current cybersecurity threats.
It remains to be seen whether TSA's two Security Directives will quiet demands for mandatory pipeline cybersecurity regulation. Following the Colonial Pipeline attack, Chairman Richard Glick and Commissioner Allison Clements of the Federal Energy Regulatory Commission (FERC) called for the development of mandatory cybersecurity regulations for pipelines, similar to those in place for the electrical grid.
Because the two security directives are not comprehensive regulatory schemes, demands for additional cybersecurity requirements—including those that apply across the pipeline industry—may continue. Moreover, some lawmakers have questioned whether authority to regulate pipeline cybersecurity rightly lies with the TSA.[3] In May 2021, the U.S. House of Representatives' Energy and Commerce Committee reintroduced the Pipeline and LNG Facility Cybersecurity Preparedness Act, which would require the Department of Energy to create a program for regulating pipeline and LNG facility cybersecurity. DWT will continue to monitor these developments.
1 See, e.g., "NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems," Alert (AA20-205A), July 23, 2020; "DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks," Alert (AA21-131A), May 11, 2021; "Rising Ransomware Threat to Operational Technology Assets," June 9, 2021.
2 The July 2021 GAO report is the third such report by the GAO in recent years on the TSA's oversight of pipeline cybersecurity. The GAO's previous reports were issued in December 2018 and May 2019. Those two reports set forth 15 recommendations to strengthen TSA's oversight of pipeline cybersecurity. According to the July 2021 report, TSA has so far addressed 12 of those.
3 Ellen Nakashima and Lori Aratani, The Washington Post, "DHS to issue first cybersecurity regulations for pipelines after Colonial hack."