In an early sign of the ripple effect President Biden’s recent executive order will have on the nation’s energy industry, the Department of Homeland Security’s (DHS’s) Transportation Security Administration (TSA) announced on May 27, 2021, a security directive that will enable DHS to better “identify, protect against, and respond to threats to critical companies in the pipeline sector.”
The directive requires critical pipelines to report confirmed and potential cybersecurity incidents to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). It also requires them to designate a cybersecurity coordinator, who must be available 24/7. And most importantly, the directive imposes a 30-day deadline by which critical pipelines must review their current practices, identify any gaps and remediation measures to address them, and report the results to TSA and CISA.
The directive comes on the heels of the May 10 ransomware attack on Colonial Pipeline, which reportedly carries 45 percent of the East Coast’s fuel supplies, and President Biden’s May 12 Executive Order on Improving the Nation’s Cybersecurity. The directive highlights CISA’s central role as the “national cyber defense center.” (Colonial Pipeline did not initially report the ransomware attack to CISA; only after the FBI began its investigation was CISA notified.)
Critical pipelines will be hard at work to assess and augment their cyber safeguards within the security directive’s 30-day deadline. And they may need to do so without further guidance from TSA, which is considering, but has not yet imposed, mandatory cybersecurity measures on the pipeline industry. As for what those measures will be, look for TSA to draw on frameworks set out by the president’s executive order, the National Institute of Standards and Technology (NIST), and the Pipeline and Hazardous Materials Safety Administration. And expect the government’s compliance review to be rigorous.
Barclay Damon’s attorneys team across offices and practices to provide their clients with customized, targeted solutions. If you have any questions about the DHS’s security directive or how best to comply, please contact Nick DiCesare or Kevin Szczepanski, co-team leaders of the Cybersecurity Team, at ndicesare@barclaydamon.com and kszczepanski@barclaydamon.com, respectively; Richard Capozza, leader of the Energy and Electric Power Teams and co-leader of the Oil & Gas, Renewable Energy, and Linear Infrastructure Teams, at rcapozza@barclaydamon.com; or Yvonne Hennessey, co-team leader of the Oil & Gas, Linear Infrastructure, and Energy Markets Teams, at yhennessey@barclaydamon.com.