TSA Requires Pipeline Operators to Meet Cybersecurity Requirements, Threatens Fines

The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued a Security Directive last week intended to protect and respond to cyber threats posed to pipeline companies. This latest action, which may be followed by additional mandatory measures, is designed to strengthen earlier informational notices and voluntary guidelines from the DHS Cybersecurity and Infrastructure Agency (CISA) by setting mandatory baseline cybersecurity requirements for the pipeline industry. Additionally, even though the Security Directive does not state so explicitly, government officials noted that violating the Security Directive’s requirements could be penalized with a fine.

The measures are part of a broader government effort to be more proactive in combatting cyber threats, including the Biden administration’s recently issued cybersecurity executive order, which creates a series of initiatives designed to help the U.S. government better respond to cybersecurity threats. They are also a direct response to the Colonial Pipeline ransomware attack in May 2021, which led Colonial Pipeline Company to shut down more than 5,000 miles of its pipeline that carries fuel to customers throughout the southern and eastern regions of the United States. Even though Colonial Pipeline Company was able to restore its operations a few days after it publicly disclosed the attack, the incident caused over 10,000 gas stations to run out of fuel and highlighted the unique vulnerability of critical infrastructure systems to relatively common cyber threats.

The Security Directive requires three key actions on the part of TSA-identified pipeline owners and operators:

• First, it requires owners and operators of pipelines to report cybersecurity incidents to the CISA “no later than 12 hours after a cybersecurity event is identified.” The standard for notification is broad and includes: unauthorized access to information or operational technology systems; discovery of malicious software on an information or operational technology system; activity that results in a denial of service to an information or operational technology system; and any other “cybersecurity incident that results in operational disruption” to informational or operational technology systems (or that has the “potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases”).
• Second, it requires owners and operators to designate within their organization a primary and alternate cybersecurity coordinator, who should be available to TSA and CISA 24 hours a day, seven days a week to help respond to security incidents and to manage cyber and security-related procedures at the organization.
• Third, it requires pipeline owners and operators to review their current security practices against Section 7 of TSA’s existing pipeline security guidelines in order to evaluate risks, highlight any gaps, and identify remediation activities the organization will take to resolve those issues (and to identify and provide to TSA and CISA an anticipated remediation schedule). Section 7 covers cyber asset classification and provides a table with baseline security measures pipeline operators should implement based on an asset’s criticality classification. Pipeline owners and operators must report the results of their assessment to TSA and CISA within 30 days of May 28, 2021, the effective date of the Security Directive.

In short, this new Security Directive is yet another signal that the U.S. government is seeking to take bold actions to defend against cyber threats, including by relying on existing legal authority to make voluntary guidance mandatory for critical sectors. On the heels of the recent executive order on cybersecurity, which applied to the U.S. government and federal government contractors, the new guidance also shows some of the ways that the U.S. government will seek to implement minimum cybersecurity requirements for private-sector entities. It remains unclear to what extent TSA will act to enforce these new requirements, but this Security Directive is a noteworthy step to address the cyber defenses of the pipeline sector and may be a sign of what is to come for other critical infrastructure sectors.