TSA Security Directive Requires 30-Day Cybersecurity Assessments, Rapid Incident Notification for "Critical" Pipeline and LNG Facilities
Less than a month after the high-profile ransomware attack against Colonial Pipeline, the Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has issued its first-ever set of mandatory cybersecurity rules for pipelines and liquefied natural gas (LNG) facilities.
The TSA, which assumed primary responsibility for security of pipelines and other oil and gas distribution infrastructure when it was created in 2001, had previously issued only voluntary Pipeline Security Guidelines (the Guidelines). Following the Colonial Pipeline attack, which we discussed in a prior blog post, the TSA faced both criticism for its voluntary approach to pipeline cybersecurity and calls for mandatory rules similar to those in place for the electric power grid.
The TSA's Security Directive-Pipeline-2021-01 (the Security Directive), which went into effect on May 28, 2021, requires owners and operators of "critical"[1] hazardous liquid and natural gas pipelines and LNG facilities to:
- Within 30 calendar days, conduct a detailed gap assessment of their cybersecurity programs using the TSA's Guidelines. Owners and operators must move quickly, as the Security Directive requires them to analyze a substantial amount of cybersecurity guidance and create a remediation plan within a very short period;
- Report information and physical security incidents affecting their IT or operational technology (OT) systems to DHS's Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identification. Reportable incidents include:
  - Unauthorized access;
  - Discovery of malicious software;
  - Denial of service (DoS) attacks;
  - Physical attacks against network infrastructure; and
  - Any other cybersecurity incident that disrupts systems or facilities "or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases including, but not limited to impacts to a large number of customers, critical infrastructure or core government functions, or impacts national security, economic security or public health and safety"; and
- Designate a Cybersecurity Coordinator, including a primary coordinator and at least one alternate, and provide their names, titles, phone numbers, and email addresses to TSA within seven days of the Security Directive's effective date, commencement of new operations, or certain other changes.
  - The Cybersecurity Coordinator is responsible for coordinating the owner/operators' cybersecurity practices and procedures, serving as TSA and CISA's primary point of contact on cybersecurity-related issues and information sharing, and working with law enforcement agencies. The Cybersecurity Coordinator must be available to TSA and CISA 24 hours a day, seven days a week, and must be a U.S. citizen eligible to obtain a security clearance.
According to the Security Directive, owners and operators of infrastructure that TSA deems "critical" have been notified that they must comply with the directive. Owners and operators that have received such notification are required to confirm receipt with the TSA "immediately."
Cybersecurity Assessments: Big Lift, Short Deadline
The TSA issued the current version of its Guidelines in 2018 and updated them in April 2021, just prior to the Colonial Pipeline attack. The new Security Directive makes parts of those Guidelines mandatory for critical pipeline and LNG facility owners/operators by requiring those owners/operators to:
- Review Section 7 of the Guidelines and determine whether their practices to address cyber risks align with the Guidelines. While only five pages long, Section 7 incorporates by reference numerous other guidelines and frameworks—evaluating one's cybersecurity program against those is a substantial task;
- Identify any gaps between their current practices and the Guidelines; and
- Identify measures to remediate those gaps and a timeline for implementing such measures.
Section 7, titled "Pipeline Cyber Asset Security Measures," advises owners/operators to:
- Evaluate and classify pipeline assets by criticality;
- Evaluate and apply various "baseline" and "enhanced" cybersecurity measures to pipeline assets based on their criticality; the listed measures are organized according to the "functions" identified in the NIST Cybersecurity Framework—Identify, Protect, Detect, Respond, and Recover; and
- Consult numerous sets of industry and government-issued cybersecurity guidance, including the American Chemistry Council's "Guidance for Addressing Cyber Security in the Chemical Industry," the American Petroleum Institute's Standard 1164 titled "Pipeline SCADA Security," the NIST Cybersecurity Framework, and the U.S. Department of Energy's "Energy Sector Cybersecurity Framework Implementation Guidance," among others.
Incident Reporting: "Information Sharing" Over "Breach Notification"
The Security Directive requires critical pipeline and LNG facility owners/operators to report a cybersecurity incident to the TSA and CISA "as soon as practicable, but no later than 12 hours after a cybersecurity incident is identified." The owner/operator must make its report using CISA's reporting system and include the following information:
- The name and contact information of the individual making the report, and a statement that the report is being made to satisfy the reporting requirements of Security Directive-Pipeline-2021-01;
- The affected pipelines or other facilities;
- Identified threat intelligence or indicators of compromise, such as attacker IP addresses, domain names, malware, and compromised accounts;
- The incident's impact on IT or OT systems and operations, including "an assessment of actual, imminent or potential service operations, operational delays, and/or data theft that have or are likely to be incurred;" and
- Response activities that are planned or under consideration.
The Security Directive's 12-hour reporting deadline echoes the incident reporting provisions of the recent Executive Order on Improving the Nation's Cybersecurity. The Executive Order, which DWT has discussed in a prior post, directs the government to require certain government contractors to report security incidents within three days and to share incident and threat data with CISA and the FBI.
The 12-hour reporting deadline is very tight, especially when compared to state data breach notification deadlines, which range from 10 days to 45 days (when a deadline is specified at all), or the 60-day breach notification deadline under the Health Insurance Portability and Accountability Act (HIPAA). The Security Directive's very short deadline makes sense when understood primarily as an information-sharing provision, not as a data-breach notification requirement.
Generally speaking, information-sharing requirements, such as the ones in the Security Directive and the recent Executive Order, are focused on incident detection, containment, and response. Such requirements aim to get actionable threat and incident information to the government (and onward to potential victims) quickly and coordinate a public-private response. In contrast, data breach notification is primarily remedial: the notification is intended to inform regulators and affected individuals of a breach so that measures can be taken to prevent downstream harms, such as identity theft.
A victim entity typically makes a breach notification only after it has had some opportunity to contain, investigate, assess, and remediate the incident. Improving the sharing of cyber threat and incident data among public and private entities is a core part of CISA's mission, so it makes sense that requirements to report incidents to CISA follow an information-sharing, not a data-breach notification, paradigm.
Next Steps
A DHS press release announcing the Security Directive stated "TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity...," indicating that additional rules may be under development. Various news outlets have reported that the Biden Administration is developing a second, more detailed security directive to be released in a matter of weeks.[2] DWT will continue to monitor the developments in this space.
Amidst a shifting regulatory landscape, DWT is uniquely positioned to advise oil and natural gas companies facing both ongoing cybersecurity risks and evolving compliance obligations. Our team boasts expertise in information security, critical infrastructure, and the energy regulatory space. We stand ready to assist oil and natural gas companies in assessing the risks to their IT and OT systems and preparing their cybersecurity programs for the new TSA Security Directive and future requirements.
FOOTNOTES
[1] As stated in the Security Directive, section 1557(b) of the Implementing Recommendations of the 9/11 Commission Act of 2007 (codified at 6 U.S.C. § 1207) requires TSA to review the pipeline security plans and facilities of the 100 most critical operators. The TSA notes in the directive that it generally bases its determination of criticality "on factors such as the volume of product transported and service to other critical sectors."
[2] Rebecca Smith, The Wall Street Journal, "After Colonial Pipeline Hack, U.S. to Require Operators to Report Cyberattacks," https://www.wsj.com/articles/tsa-to-require-pipeline-operators-to-notify-it-of-cyberattacks-11621960244?mod=djemCybersecruityPro&tpl=cy; Ellen Nakashima and Lori Aratani, The Washington Post, "DHS to issue first cybersecurity regulations for pipelines after Colonial hack," https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/.