The Department of Homeland Security (DHS) recently announced a new Security Directive requiring companies in the pipeline sector “to better identify, protect against, and respond to” cyber threats. Among other things, the Security Directive requires pipeline operators to report cyberattacks against their pipelines to DHS. This new requirement replaces the voluntary reporting guidelines that had been in place since 2010.
The new Security Directive is a response to the May 2021 ransomware attack on Colonial Pipeline that shut down much of the oil and gas distribution to the East Coast of the United States for approximately six days. According to various media reports, Colonial Pipeline ultimately elected to pay a Russian ransomware gang that claimed responsibility for the attack over four million dollars to re-open the crippled pipeline.
Under the new Security Directive, which is implemented by the Transportation Security Administration (TSA), pipeline operators will be required to take the following steps:
- Report attempted and confirmed cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA);
- Designate a “Cybersecurity Coordinator” who must be available on a 24/7 basis in the event of a cyberattack; and
- Immediately review current cyber-hygiene practices and identify and report any gaps and related remediation measures to TSA and CISA within 30 days of the implementation of the Security Directive.
TSA is also currently considering additional “follow on” measures to further support the pipeline industry and to assist the industry in strengthening its cybersecurity posture.
The ransomware attack against Colonial Pipeline appears to have spurred the federal government to recognize and take steps to combat the significant cybersecurity threats facing critical infrastructure in the United States. DHS’s Security Directive is an effort to tighten the agency’s previously lax oversight of the nation’s pipeline system, which TSA has been responsible for overseeing since the terrorist attacks of September 11, 2001. In addition, the Federal Energy Regulatory Commission (FERC), which also oversees and regulates natural gas and gas pipelines, has publicly called for mandatory and uniform cybersecurity standards throughout the entire oil and gas industry.