TSA's Pipeline of Cybersecurity Requirements

The Transportation Security Administration (TSA) on July 20, 2021, reversed two decades of pipeline cybersecurity policies.¹ Having previously advocated for voluntary pipeline cybersecurity standards, the TSA quickly issued mandatory cybersecurity rules on owners and operators of pipelines (hereinafter, pipeline companies) in response to the Colonial Pipeline ransomware attack.²

The latest TSA security directive (Second Directive) was deemed sensitive and was shielded from public disclosure. What is publicly known about the Second Directive is that it requires pipeline companies to immediately implement mitigation measures to protect against cyberattacks, to develop a cybersecurity contingency and recovery plan, and to conduct a cybersecurity architecture design review. These new mandatory cybersecurity rules are backed up with fines, which could be as high as $11,904 per day, per violation.³

These new mandatory rules appear to be burdensome and may not be readily attainable.⁴ Nevertheless, more cybersecurity rules and regulations are likely to follow. Pipeline companies should immediately assess their cybersecurity policies and procedures. Revising such policies and procedures to be consistent with the electric grid's North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards is a good first step to prepare for anticipated forthcoming regulations.⁵

Pipeline Security Background

Cyberattacks against pipeline companies are not new. Along with its announcement of mandatory cybersecurity requirements, the U.S. Department of Homeland Security (DHS) strangely announced a nearly decade old spear-phishing and cyber intrusion campaign against oil and natural gas (ONG) pipeline companies that occurred from December 2011 to 2013.⁶ Although the 2015 and 2016 cyberattacks against Ukraine's electric grid did not target pipeline operations, these cyberattacks demonstrated the threat actors' ability to access operational technologies (OT) through information technology (IT) systems, a critical concern for pipeline companies. Similarly, in 2017, the Triton malware reportedly targeted industrial control systems (ICS) of oil and gas companies.⁷ In 2018, cyberattacks against four of the nation's largest natural gas pipeline companies shutdown their customer communication systems.⁸ In 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) announced that ransomware attacks were impacting pipeline operations.⁹

Despite these attacks, TSA remained steadfast in its support of voluntary pipeline cybersecurity standards. At a 2019 joint congressional hearing on "Securing U.S. Surface Transportation From Cyber Attacks," the TSA confirmed its preference for a voluntary approach because it offered greater flexibility to protect against an evolving threat environment.¹⁰ It is unclear, however, whether the voluntary approach was the result of thorough analysis or simply due to a lack of resources in pipeline cybersecurity. Immediately following the 2011-2013 cyber intrusion campaign, the TSA's Pipeline Security Branch, which is responsible for both physical and cyber security of pipelines, was reduced to one full-time staff member in 2014.¹¹ In 2019, the Pipeline Security Branch consisted of five staff members with zero cybersecurity expertise.¹² These deficiencies, in part, formed the basis of calls to transfer pipeline security to the U.S. Department of Energy.¹³

Under the voluntary approach, TSA issued Pipeline Security Guidelines "to provide explicit agency recommendations for pipeline industry security practices,"¹⁴ which were revised in March 2018.¹⁵ The guidelines recommended that pipeline companies conduct a criticality assessment for all facilities. If a facility was deemed critical, enhanced security measures were recommended; otherwise, baseline security measures should be employed. Further, the guidelines recommended that companies use a risk-based approach to develop a corporate security program, which would include cyber/Supervisory Control and Data Acquisition (SCADA) security measures.

In a December 2018 publication, the U.S. Government Accounting Office (GAO) criticized the TSA's Pipeline Security Guidelines and made 10 significant recommendations.¹⁶ One such recommendation requested clear guidance for identifying "critical facilities" since "at least 34 of the nation's top 100 critical pipeline systems" had identified zero critical facilities. Although the TSA initially estimated completion of this recommendation by May 31, 2019,¹⁷ the agency provided guidance on identifying "critical facilities" approximately 2 1/2 years later (April 2021).¹⁸

Colonial Pipeline and TSA's Security Directives

On May 7, 2021, Colonial Pipeline learned that it was a victim of a ransomware attack.¹⁹ The company immediately halted operations through the pipeline to contain the attack and to ensure that the threat actors did not traverse to the OT network.²⁰ Although the company resumed operations on May 12, gasoline price increases and fuel shortages were reported throughout the East Coast.²¹

Governmental response swiftly followed with President Joe Biden issuing an Executive Order on Improving the Nation's Cybersecurity.²² As part of a growing trend with the current administration, government regulators across industries are issuing cybersecurity regulations and using their enforcement powers to compel companies to develop robust cybersecurity policies and procedures.²³

On May 28, 2021, the TSA issued a Security Directive for Enhancing Pipeline Cybersecurity (First Directive).²⁴ The First Directive placed three mandatory requirements on pipeline owners and operators:

1. report all cybersecurity incidents to CISA within 12 hours
2. designate a primary and alternative Cybersecurity Coordinator, at the corporate level, who is accessible 24/7 to TSA and CISA, and
3. conduct a cybersecurity vulnerability assessment and provide a report of this assessment to TSA and CISA within 30 days

Within 2 1/2 months of the Colonial Pipeline ransomware attack, TSA issued the Second Directive on July 20, 2021.²⁵ According to the DHS announcement, the Second Directive requires pipeline companies to do the following:

1. implement immediate mitigation measures to protect against cyberattacks
2. develop a cybersecurity contingency and recovery plan, and
3. conduct a cybersecurity architecture design review

What little is publicly known about the Second Directive indicates that it may be overly burdensome and not readily attainable.²⁶ According to Sen. Marsha Blackburn (R-Tenn.), pipeline companies have expressed "some concerns" with the Second Directive, and "companies might have to upgrade thousands of pieces of equipment that they can't even get due to supply chain shortages."²⁷ Nevertheless, failure to comply with these directives can result in fines, which could be as high as $11,904 per day, per violation.²⁸

Notably, these security directives skipped the rulemaking process, which would have permitted broader stakeholder input through notice and comment. TSA may issue a directive, if the agency determines that it "must be issued immediately in order to protect transportation security."²⁹ Upon taking nearly 2 1/2 years to provide guidance on identifying critical facilities and having a pipeline security staff of five members without any cybersecurity expertise as recently as 2019, the TSA may find it difficult to defend this immediacy determination to forgo notice-and-comment rulemaking should a company challenge the security directives under the Administrative Procedures Act (APA).

Pipeline Cybersecurity: What's Next

Regardless of whether the security directives can withstand an APA challenge, mandatory pipeline cybersecurity regulations appear to be forthcoming.³⁰ The Federal Energy Regulatory Commission has long required electric power systems to comply with mandatory NERC CIP cybersecurity regulations.³¹ Since electric grids require the security of both IT and OT systems, the NERC CIP cybersecurity standards provide an informative framework of what forthcoming pipeline cybersecurity regulations may entail.

Nevertheless, pipeline cybersecurity is uniquely challenging. Unlike many industries that use ICS, pipelines traverse long distances, which requires IT and OT systems to communicate across vast geographic space through the use of long-distance telecommunication infrastructure.³² Thus, in addition to IT and OT security, a robust pipeline cybersecurity program needs to assess cyber risks associated with, and develop cybersecurity policies concerning, the telecommunication infrastructure and the demilitarized zone (DMZ), which is the intermediary zone between IT and OT systems.

With cybersecurity regulations anticipated, pipeline companies may want to consider using attorneys with strong technical understanding to assist in revising cybersecurity policies and procedures, particularly to make those policies and procedures consistent with the NERC CIP cybersecurity standards across IT systems, OT systems, DMZs and any telecommunication infrastructure. Such policies and procedures may enhance safeguards to pipeline operations from pervasive cyberattacks, help identify vulnerabilities and prepare a pipeline company to meet its compliance obligations with regard to the forthcoming cybersecurity regulations.

Notes

¹ Congress, through the Aviation and Transportation Security Act (P.L. 107-71), designated pipeline security to the TSA on Nov. 19, 2001. The Implementing Recommendation of the 9/11 Commission Act of 207 (P.L. 110-53) directs TSA to promulgate pipeline security regulations.

² "DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators," U.S. Department of Homeland Security, July 20, 2021.

³ "China hacking threat prompts rare U.S. pipeline warning," E&E News, Energy Wire, July 21, 2021.

⁴ "Sen. Blackburn Says Pipe Operators Concerned About Cyber Rules," Bloomberg Law, July 27, 2021.

⁵ Although energy grids involve different infrastructure, the NERC CIP standards address cybersecurity of informational and operational technologies.

⁶ "Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013," DHS-CISA, Joint Cybersecurity Advisory, July 20, 2021.

⁷ "Attackers Deploy New ICS Attack Framework 'Triton' and Cause Operational Disruptions to Critical Infrastructure," FireEye, Dec. 14, 2017; "Triton industrial malware group still active, researchers warn," ComputerWeekly, April 11, 2019.

⁸ "Cyberattack Shows Vulnerability of Gas Pipeline Network," The New York Times, April 4, 2018.

⁹ Alert: Ransomware Impacting Pipeline Operations, DHS-CISA, Feb. 18, 2020.

¹⁰ Securing U.S. Surface Transportation From Cyber Attacks, Joint Hearing, Feb. 26, 2019, Serial No. 11602, at 23-24.

¹¹ Critical Infrastructure Protection: Actions Needed to Address Significant Weakness in TSA's Pipeline Security Program Management, U.S. Government Accountability Office, Report to Congressional Requesters, December 2018.

¹² Securing U.S. Surface Transportation From Cyber Attacks, Joint Hearing, Feb. 26, 2019, Serial No. 11602, at 32. Since the February 2019 hearing, TSA significantly increased its pipeline security staff. See Politico Pro's Morning Cybersecurity, "Russia is already thinking about the midterms, Biden says — TSA's pipeline security growing pains — Mandatory breach reporting rules get new fans at DOJ," July 28, 2021.

¹³ "Should TSA be regulating pipeline cybersecurity?" GCN, May 13, 2021; "Looming Cybersecurity Battle: Who Protects U.S. Pipelines? (Corrected)," Bloomberg Law, June 27, 2018.

¹⁴ TSA, Pipeline Security Guidelines, April 2011, at 1; TSA, Pipeline Security Guidelines, March 2018.

¹⁵ TSA, Pipeline Security Guidelines, April 2011, at 1; TSA, Pipeline Security Guidelines, March 2018.

¹⁶ Critical Infrastructure Protection: Actions Needed to Address Significant Weaknesses in TSA's Pipeline Security Program Management, U.S. Government Accountability Office, Report to Congressional Requesters, December 2018.

¹⁷ Id.

¹⁸ TSA, Pipeline Security Guidelines, March 2018 (with Change 1 (April 2021)).

¹⁹ Testimony of Joseph Blount, President and CEO of Colonial Pipeline, Hearing Before the U.S. Senate Committee on Homeland Security and Governmental Affairs, June 8, 2021.

²⁰ Id.

²¹ See, e.g., "Panic buying strikes Southeastern United States as shuttered pipeline resumes operations," The Washington Post, May 12, 2021.

²² Executive Order on Improving the Nation's Cybersecurity, White House, May 12, 2021.

²³ See "Managing Risk After SEC's Cyber Enforcement Action," Law360, June 28, 2021; "DOL Releases Cybersecurity Best Practices Guidance for Protecting Retirement Benefits," Holland & Knight Alert, June 30, 2021.

²⁴ Ratification of Security Directive Pipeline-2021-01, Federal Register, July 20, 2021.

²⁵ "DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators," DHS, July 20, 2021.

²⁶ "Sen. Blackburn Says Pipe Operators Concerned About Cyber Rules," Bloomberg Law, July 27, 2021.

²⁷ Id.

²⁸ "China hacking threat prompts rare U.S. pipeline warning," E&E News, Energy Wire, July 21, 2021.

²⁹ 49 U.S.C. § 114(l)(2)(A).

³⁰ For example, on July 28, 2021, the Biden Administration announced the Industrial Control System Cybersecurity Initiative, which already has an action plan for natural gas pipelines underway. See "Fact Sheet: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure," White House, July 28, 2021. In addition, Congress is considering a number of cybersecurity bills, including the Pipeline Security Act (H.R. 3243), which would codify TSA's and CISA's role in pipeline security as well as require TSA to implement a personnel strategy to properly staff the Pipeline Security Division.

³¹ NERC CIP Cybersecurity Standards.

³² State of Operational Technology Cybersecurity in the Oil and Natural Gas Industry, American Petroleum Institute, April 2014, at 33.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.