Following the Colonial Pipeline Company Cyberattack: Two Months Later

The ransomware attack on the Colonial Pipeline system in early May 2021 received extensive media coverage. It caused a surge in panic buying of gasoline, leading to a gasoline shortage at stations up and down the East Coast of the United States. In the wake of the high-profile incident, there has been substantial public pressure on federal agencies and Congress to implement stronger cybersecurity controls.

In the immediate wake of the cyberattack, the Transportation Security Administration (“TSA”), an agency of the Department of Homeland Security, ramped up its oversight of pipeline cybersecurity by issuing two Security Directives seeking to enhance the cybersecurity of critical pipeline systems and facilities.

On May 26, 2021, the TSA issued Security Directive Pipeline-2021-01, effective May 28, directing owners and operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities designated as “critical” by TSA to take specified actions related to pipeline cybersecurity.  This Security Directive is considered the first step in establishing a more prescriptive regulatory scheme, and it combines the resources of TSA and the Cybersecurity and Infrastructure Security Agency (“CISA”).  The May 26 Security Directive requires owners and operators of facilities deemed to be critical to take the following actions: 

(1) Designate a corporate-level Cybersecurity Coordinator and alternative Cybersecurity Coordinator to be available 24 hours a day, 7 days a week;
(2) Report cybersecurity incidents to CISA within 12 hours;
(3) Perform a Vulnerability Assessment based on Section 7 of TSA’s 2021 Pipeline Security Guidelines; and
(4) Confirm receipt of the Security Directive and disseminate information and measures contained in the Security Directive to corporate senior management, security management representatives, and personnel with compliance responsibilities.

On July 20, 2021, in response to ongoing cybersecurity threats to the pipeline industry, the TSA announced the issuance of a second Security Directive. The July 20 Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review. CISA assisted TSA in the development of the second Security Directive and provided guidance on cybersecurity threats to the pipeline industry and technical countermeasures to prevent those threats.

Lawmakers and members of the public have questioned whether TSA is the appropriate agency to oversee pipeline cybersecurity going forward.  In the past two months, the U.S. House Committee on Energy and Commerce has voted to advance thirteen bills seeking to address cybersecurity, five of which pertain specifically to the energy industry. 
