In the wake of the May 2021 ransomware attack on a major US oil pipeline, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has released a security directive1 (the “TSA Directive”) to better “identify, protect against, and respond to threats to critical companies in the pipeline sector.” The TSA Directive was released on May 27, 2021, and effective the next day.
The TSA Directive is addressed only to “owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility” that are notified by TSA that their pipeline system or facility is “critical.” A critical pipeline or facility owner/operator is required by the TSA Directive to take several actions:
- Immediately acknowledge receipt of the TSA Directive.
- By June 4, 2021, designate a primary and at least one alternate cybersecurity coordinator “at the corporate level.” The cybersecurity coordinator must be a US citizen who is eligible for a security clearance and serve as the primary contact of cyber-related intelligence information and other activities and communications with TSA and DHS’ Cybersecurity and Infrastructure Security Agency (CISA). The cybersecurity coordinator will be required to be available to TSA and CISA “24 hours a day, seven days a week,” to coordinate cyber and related security practices and procedures internally and to work with law enforcement and emergency response agencies. The names of the appointed coordinator and the alternate and their titles, phone numbers and email addresses must be submitted in writing to TSA.
- Within 12 hours of identification of any cybersecurity incident (ranging from attempted intrusion to the discovery of malicious software) or physical attack on a pipeline’s network infrastructure, report particulars of the incident and the company’s response to CISA through its online reporting system or by phone.
- Within 30 days, conduct a vulnerability assessment using the TSA’s 2018 Pipeline Security Guidelines2 as the reference standard and submit a report on that assessment to TSA and CISA.
While TSA may consider and accept an alternative compliance proposal from a critical pipeline owner or operator and will accept comments concerning the TSA Directive, TSA has indicated that the May 28, 2021, effective date will not be extended. The TSA Directive remains in effect until May 28, 2022, unless sooner revoked or amended.
Critical pipelines are likely to face questions and challenges in responding to the TSA Directive. The scope of reportable incidents may raise challenges for companies, for example, as they work to report information to the government both promptly and accurately. Incidents that result in operational disruption that affects a large number of customers are squarely in scope, but the TSA Directive also appears to impose its strict reporting requirements even on minor incidents or possible incidents that remain under investigation. Likewise, a company may find it challenging to identify a single individual to serve as the cybersecurity coordinator, particularly if the identified functions are currently held by multiple individuals within the organization. A critical pipeline also may have no means of determining which of its personnel is or is not eligible for a US government security clearance, and the TSA Directive does not provide pipelines with a mechanism to determine whether a possible laundry list of personnel might be clearance-eligible.
The Natural Gas Act and the 1995 amended and readopted version of the Interstate Commerce Act, which provides for the regulation of petroleum and some chemical pipelines, do not set forth any cybersecurity or similar operational-practice security requirements and do not authorize the industry’s primary regulator, the Federal Energy Regulatory Commission (FERC) to adopt any. By contrast, in the electric power sector, FERC has adopted extensive and granular cybersecurity, operational security and reliability requirements following 2005 amendments to the Federal Power Act. In the pipeline sector, apart from the TSA’s voluntary 2018 Pipeline Security Guidelines, no particular binding standards have been created, and there are no particular rules of practice and procedure applicable to violations. Neither TSA nor CISA functions primarily as an energy regulator, and the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has no specified role under the TSA Directive. The TSA Directive means that the operational practices of a particular pipeline might be subject to regulation simultaneously by FERC, one or more state utility commissions, TSA, CISA and PHMSA. It remains to be seen whether TSA and CISA adopt tailored regulations and whether TSA uses the TSA Directive’s one-year-effective period to refine the state of play. Likewise, time will tell whether the TSA Directive’s approach—and particularly its mandatory incident reporting on short deadlines, required collaboration with federal agencies and shift to mandatory cybersecurity regimes—will be adopted by federal agencies with responsibility for other areas of the energy sector or the economy more broadly.
1 See, Security Directive Pipeline 2021-01, Transportation Security Administration, Effective May 28, 2021; https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators
2 See, https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf