* Meg Heyse is a 2021 summer associate at Troutman Pepper. She is not admitted to practice law.
In April 2021, the Department of Energy (DOE) launched a 100-day initiative to strengthen cybersecurity protections in the energy sector. Just one month later, the Transportation Security Administration (TSA), an agency under the purview of the Department of Homeland Security (DHS), issued Security Directive Pipeline 2021-1 (Security Directive or Directive) to implement — for the first time — mandatory requirements for certain pipeline operators with respect to cybersecurity. The Security Directive became effective the day it was issued, May 28, 2021. Although the Security Directive was issued in final form, TSA is accepting public comments on the Directive and has indicated that it may amend the Directive based on those comments.
The Security Directive mandates that owners and operators of “critical” hazardous liquid and natural gas pipeline infrastructure comply with certain portions of the DOE’s April 2021 initiative. As defined by the Directive, “critical” pipeline facilities are those that have been previously identified by the TSA as critical pursuant to the Implementing Recommendations of the 9/11 Commission Act of 2007 and as outlined in TSA’s pipeline security guidelines. For these owners and operators, the Directive has three broad mandates.
Cybersecurity Incident Reporting
First, it requires that owners and operators report cybersecurity incidents to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). Under this requirement, owners and operators must report “cybersecurity incidents” (as defined in the Directive) to CISA as soon as practicable, but no later than 12 hours after identifying such an incident. If owners and operators cannot compile all of the required information within 12 hours, they should “submit an initial report within the specified timeframe and supplement as additional information becomes available.” Reportable cybersecurity incidents include:
- Unauthorized access of an Information Technology (IT) or Operational Technology (OT) system;
- Discovery of malicious software on an IT or OT system;
- Activity resulting in a denial of service to any IT or OT system;
- A physical attack against the owner or operator’s network infrastructure; and
- Any other incident that results in operational disruption to the IT or OT systems or other aspects of the pipeline, or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases.
Designation of Cybersecurity Coordinator
Second, the Security Directive requires owners and operators to designate a Cybersecurity Coordinator, who must be available to TSA and CISA 24 hours a day, seven days a week to “coordinate cybersecurity practices and address any incidents that arise.” Within this role, the coordinator will be responsible for internally organizing cybersecurity practices, communicating with TSA and CISA, and working with appropriate law enforcement and emergency response agencies.
Vulnerability Assessment Due by June 27, 2021
Finally, the Security Directive requires owners and operators to conduct a “vulnerability assessment” within 30 days of the Directive. This process requires operators to compare their current practices with TSA’s pipeline security guidelines for pipeline cybersecurity to assess risks, identify any gaps, and develop remediation measures, as well as a timeline for implementing those remediation measures. Operators are required to report findings from this assessment to TSA and CISA.
To the extent an owner or operator of “critical” pipeline facilities cannot meet one of the obligations set forth in the Directive, TSA requires notification via email and suggests the submission of proposed alternatives to compliance for approval.
Additional requirements may be underway. The DHS press release announcing the Directive indicated that “TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity.” Given recent high-profile ransomware attacks, the Biden administration, Congress, and/or other federal agencies are likely considering implementing regulatory requirements to increase mandatory cybersecurity protections, including requirements that would extend to pipeline owners and operators beyond those already designated as “critical” infrastructure by TSA. In light of the anticipated increased regulatory requirements in this area, industry, including those operators not subject to the Security Directive, should continue to implement TSA’s pipeline security guidelines and cybersecurity industry standards. While the Security Directive expires on May 28, 2022, the Directive may be renewed, and it and/or other requirements may be codified into formal regulations before then.