Following the May 2021 ransomware attack on a major U.S. oil pipeline, the Department of Homeland Security (DHS) has issued a safety directive1 (the “TSA Directive”) to “identify, protect against, and respond to threats to critical companies in the pipeline industry.” The TSA Directive was published on May 27, 2021 and went into effect the next day.
The TSA Directive is addressed only to “owners and operators of a hazardous natural gas and liquid pipeline or liquefied natural gas facility” that TSA has notified that their pipeline system or facility is “critical.” The TSA Directive requires a critical owner or operator of pipelines or facilities to take several actions:
- Immediately acknowledge receipt of the TSA Directive.
- Before June 4, 2021, designate a primary cybersecurity coordinator and at least one “corporate-level” alternate. The cybersecurity coordinator must be a U.S. citizen who can obtain a security clearance and must serve as the primary contact for cybersecurity-related intelligence information and for other activities and communications with TSA and the DHS Cybersecurity and Infrastructure Security Agency (CISA). The cybersecurity coordinator must be available to TSA and CISA “24 hours a day, seven days a week,” must coordinate cybersecurity and related practices and procedures internally, and must work with law enforcement and emergency response agencies. The names of the designated coordinator and alternate, along with their titles, telephone numbers and email addresses, must be submitted in writing to TSA.
- Within 12 hours of identifying any cybersecurity incident (ranging from attempted intrusion to malicious software discovery) or physical attack on a pipeline’s network infrastructure, report the details of the incident and the company’s response to CISA through its online or telephone information system.
- Within 30 days, conduct a vulnerability assessment using the 2018 TSA Pipeline Security Guidelines2 as a benchmark and submit a report on this assessment to TSA and CISA.
While TSA may consider and accept an alternative compliance proposal from a critical pipeline owner or operator and will accept comments on the TSA Directive, TSA has indicated that the effective date of May 28, 2021 will not be extended. The TSA Directive remains in effect until May 28, 2022, unless revoked or amended earlier.
Critical pipelines are likely to face issues and challenges in responding to the TSA Directive. The breadth of reportable incidents, for example, can pose challenges to companies as they work to inform the government quickly and accurately. Incidents that result in operational disruptions affecting a large number of customers are clearly within scope, but the TSA Directive also seems to impose its strict reporting requirements on minor incidents and on possible incidents that are still being investigated. Similarly, a company may find it challenging to identify a single person to serve as cybersecurity coordinator, especially if the identified functions are currently spread across several people in the organization. A critical pipeline may also have no means of determining which of its personnel is or is not eligible for a U.S. government security clearance, and the TSA Directive does not provide pipelines with a mechanism for determining whether a prospective candidate would be eligible for one.
The Natural Gas Act and the amended and re-enacted 1995 version of the Interstate Commerce Act, which provides for the regulation of oil and some chemical pipelines, do not establish any cybersecurity safety requirements or similar operating practices and do not authorize the industry's primary regulator, the Federal Energy Regulatory Commission (FERC), to adopt any. In contrast, in the electricity sector, FERC has adopted extensive and granular cybersecurity, operational safety and reliability requirements following the 2005 amendments to the Federal Power Act. In the pipeline sector, apart from the voluntary 2018 TSA Pipeline Security Guidelines, no particular binding rules have been created and there are no particular rules of practice and procedure applicable to violations. Neither TSA nor CISA functions primarily as an energy regulator, and the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has no function specified under the TSA Directive. The TSA Directive means that the operating practices of a particular pipeline may be subject to simultaneous regulation by FERC, one or more state utility commissions, TSA, CISA, and PHMSA. It remains to be seen whether TSA and CISA will adopt tailored regulations and whether TSA will use the one-year effective period of the TSA Directive to refine the state of play. Similarly, time will tell whether the approach of the TSA Directive, in particular mandatory incident reporting on short deadlines, collaboration with federal agencies, and the shift to mandatory cybersecurity regimes, will be adopted by federal agencies with responsibility for other areas of the energy sector or the economy more broadly.
1 See Safety Directive, Gas Pipeline 2021-01, Transportation Security Administration, effective May 28, 2021; https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators
2 See https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf