On May 27, 2021, the Transportation Security Administration (“TSA”) issued a cybersecurity directive to America’s 100 largest pipeline owners and operators. The directive imposes several new obligations on pipeline owners and operators. Industry experts believe that this is just another step in the Biden Administration’s efforts to shore up the Nation’s cybersecurity laws and regulations, and operators of critical infrastructure systems should continue to expect additional new rules and regulations in the near future.
The directive—entitled “Enhancing Pipeline Security”—places the following obligations on pipeline owners/operators:
- Within seven (7) days of the directive, the owner/operator must designate in writing to TSA a Cybersecurity Coordinator at the corporate level who is available to TSA and the Cybersecurity & Infrastructure Security Agency (“CISA”) on a 24/7 basis.
- Within twelve (12) hours of any identified cybersecurity incident, the owner/operator must report the incident to CISA. Cybersecurity incidents include unauthorized access of an information or technology system, discovery of malware, activity resulting in denial of service of any information or technology system, a physical attack on the owner’s/operator’s network infrastructure, and any other incident that disrupts the owner’s/operator’s information or technology systems. In reporting incidents to CISA, the owner/operator must include: (1) the name of the contact person, along with specifying that the report is being made to satisfy the obligations established under the directive; (2) the affected facility(ies); (3) a description of the threat, incident, or activity, including a description of who has been notified, and any information known about the incident; (4) a description of the potential impact of the incident; and (5) a description of planned responses.
- Within thirty (30) days of the directive, owners and operators must immediately perform a vulnerability assessment in compliance with TSA’s 2018 Pipeline Security Guidelines. This assessment must: (1) review whether current practices comply with the guidelines; (2) identify any gaps in the owner’s/operator’s practices; and (3) identify any remediation efforts to fill those gaps. This assessment must be submitted to TSA using TSA’s form.
In addition, owners and operators must provide confirmation of receipt of the directive to TSA at SurfOps-SD@tsa.dhs.gov, and immediately disseminate the directive to any individuals having cybersecurity responsibilities, including whoever is designated as the Cybersecurity Coordinator.
An official from the Department of Homeland Security indicated that the Department would be ramping up financial penalties for owners and operators who fail to update their cybersecurity practices and comply with the directive. Although the penalties do not appear in the directive, this official stated that they can cost up to $7,000 a day. The same official stated that the directive would be “followed by more” actions in the near future. The Washington Post has separately reported that DHS “will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked[.]”
This directive underscores the rapidly changing landscape for cybersecurity regulations and liability. In the past, guidelines for critical infrastructure owners and operators have largely been voluntary, with limited oversight and means of enforcing these guidelines. Federal regulators are now focused on promulgating mandatory regulations incorporating cybersecurity that will likely include potential civil and criminal penalties for noncompliance. Bottom line: Owners and operators of critical infrastructure should closely monitor the rapidly changing landscape for cybersecurity regulations, and continue to assess and enhance, as needed, their own practices to reflect changing expectations and requirements.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.