Government Imposes Mandatory Cybersecurity Requirements on Pipeline Operators in Response to Ransomware Attack

In the wake of the Colonial Pipeline ransomware incident, which led to customer panic and fuel shortages across the East Coast, the US Transportation Security Administration (“TSA”) issued a directive imposing several new cybersecurity requirements for critical liquid and natural gas pipeline owners and operators. While the directive applies only to specific pipeline owners and operators, it demonstrates a government policy shift from encouraging best practices to imposing mandatory cybersecurity requirements on critical infrastructure.

US Department of Homeland Security (“DHS”) officials have indicated that the TSA directive is a “significant shift” in the government’s approach and that they will pursue similar mandatory cybersecurity requirements for other critical infrastructure sectors. Consequently, companies operating in any critical infrastructure sector should review the requirements in the directive and evaluate whether they could meet similar requirements.

Directive Requirements

The TSA directive requires owners or operators of specified hazardous liquid and natural gas pipelines or liquefied natural gas facilities to:

1. Report cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (“CISA”).
2. Designate a Cybersecurity Coordinator to be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise. The Cybersecurity Coordinator must be a US citizen who is eligible for a security clearance and is to serve as the primary contact for cyber-related intelligence information sharing with TSA and CISA.
3. Assess their current activities against TSA’s recommendations for pipeline cybersecurity and report the results of their assessment to TSA and CISA.

The directive requires owners and operators to report cybersecurity incidents involving Information Technology or Operational Technology systems to TSA or CISA within 12 hours of identifying the incident. Cybersecurity incidents, for purposes of the directive, include unauthorized access to systems by former employees, employees accessing systems for which they are not authorized, and the unauthorized sharing of passwords among employees. The 12-hour reporting requirement is shorter than those typically imposed by data breach laws and may pose practical challenges to owners and operators that are in the early stages of investigating a suspected incident.

Information provided to TSA or CISA pursuant to the directive will be considered sensitive security information pursuant to 49 C.F.R. § 1520 and thus protected from public disclosure requests made pursuant to the Freedom of Information Act. Companies have frequently cited concerns regarding the confidentiality of information shared with the government as an impediment to cybersecurity information sharing.

Bigger Picture

The directive reflects the Biden Administration’s goal of taking more aggressive steps to improve cybersecurity. As we previously addressed, Executive Order 14028, Improving the Nation’s Cybersecurity, directed a number of actions that will heighten cybersecurity requirements for federal agencies and companies doing business with the government. This directive demonstrates a willingness to extend these efforts to critical infrastructure, and senior government cybersecurity officials have indicated that the “next phase” of their effort will focus on other critical infrastructure sectors.

Companies operating in critical infrastructure sectors should evaluate their current practices against existing voluntary cybersecurity best practices to identify gaps and shortcomings. In addition to being a good practice, such an assessment will be useful to understand the efforts that may be needed to comply with future government cybersecurity regulations. Whether through existing authorities or through new legislation, the government appears committed to taking additional steps to address cybersecurity vulnerabilities to critical infrastructure.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Tod Cohen, an O’Melveny partner licensed to practice law in the District of Columbia, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Greta Lichtenbaum, an O’Melveny partner licensed to practice law in the District of Columbia, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, and John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.