The U.S. Department of Homeland Security’s Transportation Security Administration (“TSA”) issued a Security directive, “Improving Pipers Cybersecurity” on May 28, establishing new cybersecurity requirements for operators of liquid and natural gas pipelines and LNG facilities designated as critical infrastructure.
The Directive can be seen as part of a larger federal effort to increase the country’s cybersecurity stance following the Colonial Pipeline ransomware attack in early May and the SolarWinds incident last year. The Cyber Security and Infrastructure Agency (“CISA”), a unit of the Department of Homeland Security, has already commissioned a cloud service governance framework and a standard incident response gamebook for federal agencies according to the recent executive of the Biden administration. Order on cybersecurity. Unlike the executive order, which provided for government agencies and their suppliers, this Directive focuses on the activity of private sector entities.
The Directive has three main requirements:
- Pipe facilities and other covered entities must designate a cybersecurity coordinator with TSA by June 4, 2021, who must be available as the primary contact for communications with TSA and CISA, the twenty-first -four hours a day and seven days a week, in relation to cybersecurity and security. related information. Coordinators are also responsible for working with law enforcement and emergency response agencies and organizing internal facility cybersecurity practices.
- Pipeline facilities are required to provide a detailed report to CISA, within 12 hours, of any cybersecurity incidents affecting any information technology system (which, as defined, generally covers any platform that process the data maintained to cover the systems used to control the pipeline or other infrastructure). The Directive defines cybersecurity incidents broadly to include: (i) any unauthorized access to systems; (ii) the existence of malware on the systems; (iii) activity resulting in a denial of service; and (iv) a physical attack on the network infrastructure. The definition also has a catch-all category that includes any incident that disrupts or may disrupt the safe and efficient transfer of liquids and gases. Any report to CISA must include, among other things, a description of the incident, its impact on the facility’s systems, and the facility’s intended response.
- Pipe installations must assess whether their current practices are in line with the TSA Pipe Safety Guidelines (which were introduced in 2018 but were previously voluntary) and identify remedial measures to address the shortcomings. in compliance.
The Directive, which uses the exit authority granted under the Aviation and Transport Security Act, is likely to be part of a broader shift towards requirements for greater information and coordination and communication between government. and the private sector. Changing voluntary orientation to the standards required for cybersecurity is likely to be more frequent.