First-ever Mandatory Cybersecurity Directive for Oil and Gas Pipelines Announces Tighter Regulations Coming | Baker


New cybersecurity requirements for oil and gas pipelines signal significant changes in the regulatory landscape for middleman companies. A new safety directive from the Transportation Security Administration (TSA), effective May 28, 2021, requires immediate action and ongoing compliance protocols for certain energy companies. The Safety Directive also raises many new questions for businesses to consider in their response efforts and highlights the potential for increased regulation in the future. In particular, media reports indicate that the Security Directive is a precursor to additional regulations that will include financial penalties for companies that fail to address cybersecurity vulnerabilities.

The security directive is part of an increasingly urgent government effort to strengthen cybersecurity for critical industries in light of the recent Colonial Pipeline shutdown and other security incidents. On June 2, 2021, the White House issued a memorandum to business executives and business leaders declaring that ransomware in particular is a “top priority” for the Biden administration. He states that “Business leaders should immediately convene their senior management teams to discuss the threat of ransomware and review the company’s security posture and business continuity plans to ensure [they] have the ability to quickly continue or restore operations. In addition to the best practices listed in the June 2 memo, the Safety Directive sets out specific steps that intermediate oil and gas companies will need to follow.

The Security Directive is a derogation from the voluntary measures that the Cybersecurity and Infrastructure Security Agency (CISA) and TSA had developed since the creation of the Pipeline Cybersecurity Initiative in 2018. As of now, the Security Directive requires that ” “[o]Owners and operators of a hazardous natural and liquid gas pipeline or liquefied natural gas facility notified by TSA that their pipeline system or facility is critical “must report cybersecurity incidents to the CISA, designate a cybersecurity coordinator who is available to TSA and CISA at all times, and perform internal security assessments with the aim of reporting results by June 28, 2021. It is important to note that , although the safety directive only applies to the ‘100 most critical pipeline operators’ and expires on May 28, 2022, media are reporting citing officials’ statements that additional regulations are forthcoming and that these regulations will include financial penalties for non-compliance. Therefore, companies other than those directly affected by the Safety Directive may consider taking action to anticipate similar requirements and should consider whether they need additional safety protocols to facilitate business relationships with regulated companies.

The Security Directive requires regulated companies to report a potentially wide range of cybersecurity incidents to the CISA. It lists five categories of reportable events: (1) unauthorized access to information systems or operational technology,[1] including non-malicious policy violations such as employee use of shared credentials; (2) the discovery of malware on a computer system or operating technology; (3) activity causing a denial of service to any information technology or operating system; (4) a physical attack on the network infrastructure; and (5) “[a]any other cybersecurity incident that results in an operational disruption of the owner / operator’s information or operational technology systems or other aspects of the owner / operator’s systems or pipeline facilities, or that could otherwise cause an operational disruption that adversely affects the safe and efficient transport of liquids and gases, including, but not limited to,[,] affects a large number of customers, critical infrastructure or basic government functions, or affects national security, economic security or public health and safety.

Organizations should report these incidents promptly – within 12 hours of the incident being identified – followed by further reporting if the required information is not available at the time of the initial report. Reports must be complete; in addition to basic facts, the company should provide an assessment of the “impact or potential impact” of the incident on the systems and operations of the company, as well as “any planned or envisaged responses “. The Safety Directive also includes a general requirement that companies provide “[a]any other relevant information.

In addition to incident reports, companies should also perform vulnerability assessments to assess their current cybersecurity practices against the TSA’s 2018 Pipeline Security Guidelines (as updated in April 2021). The Safety Directive requires every company to submit a report identifying deficiencies, along with corrective actions and a timeline, by June 28, 2021.

The Safety Directive specifies that it must be disseminated to the top management of the companies concerned. It also requires each company to appoint and maintain a security clearance-eligible cybersecurity coordinator who will serve as the company’s primary contact with CISA and TSA regarding cybersecurity, coordinate relevant internal practices and procedures, work with law enforcement and emergency response agencies, and will remain available to CISA and TSA “24 hours a day, seven days a week.” Each company should also maintain at least one back-up cybersecurity coordinator.

Energy regulators, including Federal Energy Regulatory Commission Chairman Richard Glick, recently called for mandatory cybersecurity standards for pipelines. Although they did not reveal details, officials in the Biden administration have issued statements to the press saying new regulations are on the way in the near term, including provisions on financial sanctions. Congress is also considering several pieces of legislation that would make significant changes to the current energy cybersecurity landscape, including measures to coordinate the regulation of pipeline safety between the various agencies that currently exercise authority over various aspects of pipeline operations.


[1] As defined in the Security Directive, an “information technology system” means “any service, equipment or interconnected system or subsystem of equipment used in the acquisition, storage, analysis, automatic evaluation, handling, management, movement, control, display. , switching, exchanging, transmitting or receiving data or information, the operation and maintenance of which are the responsibility of the owner / operator. An “operational technology system” is “a general term that encompasses several types of control systems, including industrial control systems, supervisory control and data acquisition systems, distributed control systems and other control system configurations, such as programmable logic controllers, fire control systems, and physical access control systems, often found in industry and critical infrastructure. Such systems consist of combinations of programmable electrical, mechanical, hydraulic, pneumatic devices or systems that interact with the physical environment or manage devices that interact with the physical environment.

About Keith Tatum

Check Also

BHE GT&S Awards $115,000 in Grants to North Central West Virginia Charities at 25th Annual Golf Invitational | Harrison News

Country the United States of AmericaUS Virgin IslandsU.S. Minor Outlying IslandsCanadaMexico, United Mexican StatesBahamas, Commonwealth …

Leave a Reply

Your email address will not be published.