Cyber Brief: After Colonial Pipeline, DHS: Less Advice, More Rules

Washington D.C., July 23, 2021 - Earlier this week, the Department of Homeland Security (DHS) announced the Transportation Security Administration (TSA) had released a second set of pipeline cybersecurity regulations, requiring “owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyberintrusions.” This directive, preceded by an emergency pipeline cybersecurity directive issued in May, follows the ransomware attack on Colonial Pipeline, which highlighted not only the nation’s vulnerabilities in critical networks, but also the lack of pipeline sector cybersecurity regulations. The documents below, which include DHS press releases from both July and May 2021, as well as the first Security Directive, suggest the federal government will no longer shy away from imposing cybersecurity standards on private entities in critical infrastructure sectors.

The July 20 announcement (Document 1) noted that, in the development of the second Security Directive, TSA had consulted with the Cybersecurity and Infrastructure Security Agency (CISA), another agency under the purview of DHS, in assessing cybersecurity threats to the pipeline sector, as well as determining appropriate technical measures to counter those threats. The latest regulations require “owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review” (Document 1). (Note: the directive referenced in Document 1 is not currently available for examination, but will be added to this collection when released).

Document 1 also notes that the latest Security Directive builds upon an earlier one released in May 2021. On May 28, 2021, a DHS press release entitled, “DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators” (Document 2) announced “a Security Directive that will enable the Department to better identify, protect against, and respond to threats to critical companies in the pipeline sector.” This initial emergency directive, “Security Directive Pipeline-2021-01” (Document 3), demanded three critical actions from “owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility notified by TSA that their pipeline system or facility is critical” (p.1).

Under Security Directive Pipeline-2021-01, specified owner/operators must report cybersecurity incidents to CISA “as soon as practicable, but no later than 12 hours after a cybersecurity incident is identified” (p. 3). Additionally, owner/operators must identify a Cybersecurity Coordinator, “who is required to be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise” (p. 1). The Cybersecurity Coordinator and an alternate Coordinator must be identified in writing to TSA within seven days of the effective date of the directive (p. 2).  Lastly, owner/operators are required to conduct a cybersecurity assessment, comparing their current practices “against TSA's recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA” (p. 1).

TSA issued Security Directive Pipeline-2021-01 as an emergency regulation under 49 U.S.C. 114(d), (f), (l) and (m) (Document 3, p.1), allowing TSA to issue such directives if the Administrator determines that transportation security is under immediate threat [49 U.S.C. 114(l)(2)(A)]. However, emergency directives must be ratified by the Transportation Security Oversight Board (TSOB) within 90 days of issuance. “Ratification of Security Directive” (Document 4) confirms TSOB ratified Security Directive Pipeline-2021-01 on July 3, 2021, allowing the regulation to remain in effect.

The new directives demonstrate the pivot in the federal government’s approach to pipeline cybersecurity since May’s Colonial Pipeline attack, from a “hands-off,” advisory role to a firmer regulatory stance.  Prior to May, TSA had only recommended certain pipeline security practices, such as those provided in “Pipeline Security Guidelines” (Document 5). The introduction to Document 5 emphasizes, “This document is guidance and does not impose requirements on any person or company. The term ‘should’ means that TSA recommends the actions described” (p. 1). Given the multi-sector impact of the Colonial Pipeline attack, it seems likely that the residual shockwaves will continue to be felt across critical sectors in the form of a heavier-handed approach to federal cybersecurity regulations.