DHS Pipes Up Again: Issues Second Directive on Pipeline Security

The May Directive

We previously discussed the TSA’s announcement of Security Directive Pipeline-2021-01 on May 27, 2021 (the “May Directive”). Issued against the backdrop of the Colonial Pipeline cybersecurity incident, the May Directive requires select critical pipeline owners and operators to (1) designate a Cybersecurity Coordinator who must be available to TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) 24-hours a day, seven days a week, (2) review current practices to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA within 30 days, and (3) report cybersecurity incidents to CISA no more than 12 hours after an incident is identified.

The July Directive

The July Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems. Additionally, covered pipeline owners and operators must develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review. Because the July Directive requires the covered pipeline owners and operators to implement specific cybersecurity practices, this directive is designated as “security sensitive,” and a DHS spokesperson has reported that its distribution will be limited to those with a need to know.

Enforcement

Although news outlets have reported that TSA officials plan to assess fines of up to $7,000 per day on operators and owners that fail to adhere to TSA’s new requirements, neither the May Directive nor the July Directive detail any penalties for noncompliance. Nonetheless, operators and owners should be prepared for TSA to use any of its powers to penalize noncompliance, including potential denial or revocation of necessary permits.

What This Means For You

This second directive, issued just two months after the first, signals the government’s heightened focus on cybersecurity protections for critical infrastructure systems. Regulators of pipeline systems, such as the Federal Energy Regulatory Commission, have recently issued statements calling for the examination of mandatory pipeline cybersecurity standards. This multi-agency effort to enhance cybersecurity measures of pipeline systems is a strong indication that operators and owners should continue assessing current practices and begin developing, and implementing, comprehensive cybersecurity programs.

V&E provides curated teams of transactional, regulatory, and litigation attorneys, who use their decades of experience to assist clients in identifying, managing, and mitigating regulatory and business risks, from early planning, assessment and training to managing incident response.

*Bree Sinclair is a law clerk in our Houston office.