Department of Homeland Security’s Cybersecurity Requirements for Pipeline Owners and Operators - Are You Prepared to Respond?

August 2021

BY

Sean MurphyManaging Director, Crisis Management and Risk & Insurance

Karyl Van TasselSenior Managing Director, Legal Monitorships and Investigations

Michael BarbaManaging Director, National Security Compliance Practice Leader

On Friday, May 7, 2021, Colonial Pipeline fell victim to a cyberattack that resounded throughout the pipeline owners and operators industry, resulting in the Department of Homeland Security (DHS) issuing two directives in response to the threat. The Colonial Pipeline cyberattack forced the company to proactively close down operations and disable IT systems. The perpetrators targeted the business side of the pipeline rather than operational systems as the motive was monetary rather than meant to halt pipeline activities.[1] Colonial Pipeline leadership made the difficult decision to cease the operations systems as well as the internal IT systems for purposes of protecting this critical infrastructure from possible compromise.

The shutdown of operations resulted in gasoline shortages from Texas through the Southeast, up the Eastern seaboard and through New Jersey. This type of disturbance in the supply chain was considered a threat to our national security. 

Therefore, on May 27, 2021, DHS issued an initial cybersecurity requirement (“initial security directive” or “Security Directive”) for critical pipeline owners and operators: “The Security Directive [required] critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week.  It also require[d] critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.”[2]

On July 20, 2021, after further review of this Security Directive, DHS’ Transportation Security Administration (TSA) issued a second Security Directive that requires “…operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.”[3]

The TSA has stated: “[T]his Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”

The challenging aspects of the second Security Directive, which builds on the initial Security Directive, are (1) the level of detail of the requirements, and (2) the strict timeframes that are imposed on each of the approximately fifty provisions outlined within the requirements. The timeframes range from 30-120 days for completion of specific criteria.

Additionally, further challenges will now require pipeline owners and operators to focus not only on their internal information technology systems, but also to pay particular attention to their operational technology systems when putting together mitigation measures to protect this portion of U.S. critical infrastructure. Having two systems, internal and operational—or client-facing systems—mirrors the telecommunications industry where each service provider has requirements to protect their internal systems along with those that support the Domestic Communications Infrastructure, or “DCI”.

Mitigations measures that can be considered by pipeline owners and operators include the following:
  • Overall plans for continuous monitoring of internal and operational systems.
  • Dedicated resources to communicate with members of DHS.
  • Annual independent third-party audits of physical and logical security controls.
  • Consideration for independent third-party monitorships who have the resources and expertise in information system infrastructure, security resiliency and working relationships with U.S. governmental agencies.
Knowing and understanding the most current DHS expectations can go a long way in facilitating compliance with the TSA second Security Directive for pipeline owners and operators.

 

[1] https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
[2] https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators
[3] https://www.dhs.gov/news/2021/07/20/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators