Less than a month after the high-profile ransomware attack on Colonial Pipeline, the Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has released its first set of mandatory cybersecurity requirements for pipelines and liquefied natural gas (LNG) facilities.
The TSA, which assumed primary responsibility for the security of pipelines and other oil and gas distribution infrastructure when it was established in 2001, had previously published only voluntary pipeline security guidelines (the Guidelines). Following the Colonial Pipeline attack, which we discussed in a previous blog post, the TSA faced both criticism of its voluntary approach to pipeline cybersecurity and calls for mandatory rules similar to those already in place for the electric grid.
The TSA's Security Directive Pipeline-2021-01 (Security Directive), which took effect on May 28, 2021, requires owners and operators of hazardous liquid and natural gas pipelines and LNG facilities that TSA has designated as "critical"1 to:
- Within 30 calendar days, conduct a detailed gap assessment of their cybersecurity programs against the TSA Guidelines. Owners and operators need to move quickly, because the Security Directive requires them to analyze a substantial body of cybersecurity guidance and produce a remediation plan in a very short period of time;
- Report cybersecurity and physical security incidents affecting their information technology (IT) or operational technology (OT) systems to the DHS Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identification. Reportable incidents include:
  - Unauthorized access;
  - Discovery of malware;
  - Denial of service (DoS) attacks;
  - Physical attacks on network infrastructure; and
  - Any other cybersecurity incident that results in operational disruption to systems or facilities, "or that could cause operational disruptions that adversely affect the safe and efficient transportation of liquids and gases, including, among others, impacts on a large number of customers, critical infrastructure or disruption of government functions, or that affect national security, economic security or public safety and health"; and
- Designate a Cybersecurity Coordinator, consisting of a primary coordinator and at least one alternate, and provide their names, titles, telephone numbers and e-mail addresses to TSA within seven days of the effective date of the Security Directive, of the start of new operations, or of any change to this information.
  - The Cybersecurity Coordinator is responsible for coordinating the owner/operator's cybersecurity practices and procedures, serves as the primary point of contact for TSA and CISA on cybersecurity and information-sharing matters, and works with law enforcement agencies. The Cybersecurity Coordinator must be available to TSA and CISA 24 hours a day, seven days a week, and must be a U.S. citizen eligible to obtain a security clearance.
Under the Security Directive, TSA has notified the infrastructure owners and operators it considers "critical" that they must comply with the directive. Owners and operators who have received this notification must acknowledge receipt to TSA "immediately".
Cybersecurity Assessments: A Tall Order on a Short Timeline
The TSA published the current version of its Guidelines in 2018 and updated them in April 2021, shortly before the Colonial Pipeline attack. The new Security Directive makes parts of these Guidelines mandatory for owners/operators of critical pipelines and LNG facilities, who are now required to:
- Review Section 7 of the Guidelines and determine whether their cybersecurity practices align with it. Although only five pages long, Section 7 incorporates numerous other guidelines and frameworks by reference, so evaluating a cybersecurity program against it is a substantial undertaking;
- Identify any gaps between their current practices and the Guidelines; and
- Identify measures to remediate those gaps and a timeline for implementing them.
Section 7, entitled "Cyber Asset Security Measures", advises owners/operators to:
- Evaluate and classify pipeline cyber assets by criticality;
- Evaluate and implement various "baseline" and "enhanced" cybersecurity measures for pipeline cyber assets according to their criticality; the listed measures are organized by the "functions" identified in the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover; and
- Refer to numerous sets of cybersecurity guidance published by industry and government, including the American Chemistry Council's "Guidance for Addressing Cybersecurity in the Chemical Industry," American Petroleum Institute Standard 1164, "Pipeline SCADA Security", the NIST Cybersecurity Framework and the "Guidance for Implementing the U.S. Energy Sector Cybersecurity Framework," among others.
Incident Reporting: "Information Sharing" versus "Breach Notification"
The Security Directive requires critical owners/operators of pipelines and LNG facilities to report a cybersecurity incident to TSA and CISA "as soon as possible, but no later than 12 hours after a cybersecurity incident is identified". The owner/operator must make the report through the CISA reporting system and include the following information:
- The name and contact information of the person making the report, and a statement that the report is being made to satisfy the reporting requirements of Security Directive Pipeline-2021-01;
- The affected pipelines or other facilities;
- Identification of the threat or indicators of compromise, such as attacker IP addresses, domain names, malware and compromised accounts;
- The impact of the incident on IT or OT systems and operations, including "an assessment of actual, imminent or potential service disruptions, operational delays and/or data theft that have occurred or are likely to occur"; and
- Response activities planned or under consideration.
The Security Directive's 12-hour reporting deadline echoes the incident reporting provisions of the recent Executive Order on Improving the Nation's Cybersecurity. The Executive Order, which DWT discussed in a previous post, directs the government to require certain government contractors to report security incidents within three days and to share incident and threat data with CISA and the FBI.
The 12-hour notification window is very tight, especially when compared with state data breach notification deadlines, which range from 10 to 45 days (where a deadline is specified at all), or the 60-day breach notification period under the Health Insurance Portability and Accountability Act (HIPAA). The Security Directive's very short deadline makes sense when it is understood primarily as an information-sharing provision rather than as a data breach notification requirement.
In general terms, information-sharing requirements, such as those in the Security Directive and the recent Executive Order, are focused on incident detection, containment and response. These requirements aim to get threat and incident information to the government (and, in turn, to potential victims) quickly and to coordinate a public-private response. In contrast, data breach notification is essentially remedial: the notification is intended to inform regulators and the people affected by a breach so that steps can be taken to prevent further harm, such as identity theft.
A victim entity usually makes a breach notification only after it has had some opportunity to contain, investigate, assess and remediate the incident. Improving the exchange of cyber incident and threat data between public and private entities is a core part of CISA's mission, so it is logical that requirements to report incidents to CISA follow an information-sharing paradigm rather than a data breach notification one.
A DHS press release announcing the Security Directive stated that "TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity ...", indicating that additional rules may be developed. Several media outlets have reported that the Biden Administration is preparing a second, more detailed security directive to be issued within a matter of weeks.2 DWT will continue to monitor developments in this space.
Amid a changing regulatory landscape, DWT is uniquely positioned to advise oil and natural gas companies facing both ongoing cybersecurity risks and evolving obligations. Our team has experience in information security, critical infrastructure and the energy regulatory space. We are ready to help oil and natural gas companies assess the risks to their IT and OT systems and prepare their cybersecurity programs for the new TSA Security Directive and future requirements.
1 As set out in the Security Directive, Section 1557(b) of the Implementing Recommendations of the 9/11 Commission Act (codified at 6 U.S.C. § 1207) requires TSA to review the pipeline security plans and facilities of the 100 most critical pipeline operators. TSA notes in the directive that it generally bases its criticality determination "on factors such as the volume of product transported and service to other critical sectors."
2 Rebecca Smith, The Wall Street Journal, "After Colonial Pipeline Hack, U.S. to Require Operators to Report Cyberattacks", https://www.wsj.com/articles/tsa-to-require-pipeline-operators-to-notify-it-of-cyberattacks-11621960244?mod=djemCybersecruityPro&tpl=cy; Ellen Nakashima and Lori Aratani, The Washington Post, "DHS to Issue First Cybersecurity Regulations for Pipelines After Colonial Hack," https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-cybersecurity.