
Pipeline Operators Face Stricter Cybersecurity Requirements Post-Colonial Pipeline

In the wake of the Colonial Pipeline attack, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued a directive to impose mandatory cybersecurity requirements on pipeline owners and operators. TSA’s directive is a sea change in the regulation of cybersecurity for the pipeline industry, moving from a largely voluntary approach to one that imposes mandatory requirements and possibly to a transfer of responsibility from TSA, which is not well suited for this role, to a different agency of the federal government, most likely the Department of Energy.

Effective May 28, 2021, TSA now requires pipeline owners and operators to comply with three cybersecurity directives to reduce the risks of cyberattacks targeting the nation’s critical infrastructure. To address the directives discussed in detail below, companies should be moving quickly to: (1) create incident response policies before an attack occurs, (2) identify a cybersecurity response lead, and (3) begin assessing their cyber-hygiene to improve security. These three components are basic steps intended, in our view, to begin to scale up cybersecurity in a sector that has not been subject to requirements or, to a certain extent, comprehensive industry best practices.

The first directive requires pipeline owners and operators to report “cybersecurity incidents” within 12 hours of discovery to the Cybersecurity and Infrastructure Security Agency (CISA). This is an exceptionally demanding reporting requirement. For example, the Defense Department and many data breach laws impose a 72-hour reporting requirement. While certain cybersecurity incidents such as the ransomware attack on the Colonial Pipeline might be obvious enough to trigger effective knowledge of a “cybersecurity incident,” TSA’s new reporting requirement applies to a range of incidents. For example, TSA requires companies to report on, among other things, the following:
 
  • Discovery of malware;
  • Denial of service attacks;
  • Unauthorized access to system and network; and
  • Physical or virtual sabotage or disruption to infrastructure.

As with any incident response workflow, companies must have a well-exercised protocol to follow when determining whether a reportable incident has occurred and to begin responding appropriately. Companies should review their existing incident response plans and revise them to incorporate the need to decide early in their timeline whether the 12-hour reporting obligation applies, and develop clear decision points at which they would make reports as necessary.

Second, the directive orders pipeline owners and operators to designate a “Cybersecurity Coordinator” to provide 24/7 liaison duties between the company and the government when cybersecurity incidents occur. Similar to the new 12-hour reporting requirement, companies should not wait until after a cyberattack to identify someone to fill this role. Instead, the Cybersecurity Coordinator should be intimately familiar with any incident response plan, as hopefully practiced in table-top exercises, in order to effectively communicate the company’s issues and interests. In line with our recommendations for best practices, the “Cybersecurity Coordinator” should be part of an incident response team that includes internal response resources and external advisors such as outside counsel and forensic responders.

Lastly, the directive requires pipeline companies to undergo a vulnerability assessment based on the 2018 TSA Pipeline Security Guidelines. This requirement aims to “assess whether current practices and activities to address cyber risks to owner/operators Information and Operational Technology systems align with the guidelines; identify any gaps; and identify remediation measures that will be taken to fill those gaps and a timeline for implementing these remediation measures.” We expect that, in the aftermath of the Colonial Pipeline incident and the considerable renewed attention to cybersecurity in the pipeline sector, these vulnerability assessments will be scrutinized by regulators. We recommend these reports be reviewed by outside experts when possible.
 
Connect with Ice Miller for More Details

In the midst of cybersecurity attacks, companies should not have to scramble to determine how best to respond. By creating incident response plans and identifying cybersecurity response points of contact, companies can triage issues more effectively should they fall victim to a cyberattack. If you have questions concerning the directive or other federal government cybersecurity requirements, Ice Miller has extensive experience assisting companies to comply with cybersecurity requirements. Our team includes Guillermo Christensen, Office Managing Partner, Washington DC, and a former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State; and Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on federal cybersecurity compliance issues.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 