Emergency Cybersecurity Regulations in the Pipeline Industry: Unique Challenges and Opportunities Ahead

Cybersecurity threats to critical infrastructure systems are nothing new. But events over the last few years have been notable due to the seemingly increased frequency of successful attacks and the way those attacks have been vaulted into the national public discourse. In particular, the media attention devoted to these attacks has been unprecedented and is raising the specter of public health and safety risks caused by shadowy cyberthreats.

Recent events in the oil and natural gas industry are telling. In May 2021, a major fuel pipeline that delivered gasoline to much of the US East Coast was forced to shut down after experiencing a ransomware attack. Shortly after the attack was announced, the national average price for a gallon of regular gasoline experienced a noticeable uptick, particularly in the areas served by the pipeline. This event unfurled into a public crisis, triggering panic buying at the pump and driving state and federal regulators into action.

The US Department of Homeland Security’s Transportation Security Administration (TSA)—the federal agency tasked with ensuring security for surface transportation modes, including pipelines—quickly announced mandatory cybersecurity regulations for owners and operators of critical pipeline systems that transport hazardous liquids and natural gas (owner/operators). The regulations—known as Security Directives—require owner/operators to implement a number of urgently needed protections against cyberintrusions. The first Security Directive, Security Directive Pipeline-2021-01 (SD1), was issued on May 28 and required owner/operators to take a number of immediate actions.

However, it was the second Security Directive, Security Directive Pipeline-2021-02 (SD2), issued on July 19, that posed greater challenges for the pipeline industry. SD2 directed owner/operators to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems. Following is a discussion of the key challenges with SD2.

Key Implementation Challenges

• No Notice and Comment: TSA released SD2 pursuant to its statutory emergency authority, which allows the agency to issue regulations without the opportunity for notice and comment if needed “to protect transportation security.”[1] TSA, which has been scrutinized in the past over weaknesses in its voluntary pipeline security program, issued the Security Directives at a time of significant political pressure following the May 28 fuel pipeline ransomware incident. The rules went into effect without the same level of industry feedback and cooperation that is routine under administrative notice and comment procedures. That is an uncommon practice for federal regulators. In contrast, the electric industry’s mandatory cybersecurity requirements (the NERC CIP Reliability Standards) are primarily stakeholder-driven and developed according to specific procedural rules. The requirements must also go through potentially numerous rounds of public notice and comment before being adopted. Notably, though, the NERC CIP Reliability Standards were not developed and issued specifically in response to an emergent non-public threat, as with the Security Directives.
• Compliance Deadlines: SD2 requirements must be completed in sometimes tight timeframes that have challenged owner/operators in the pipeline industry. Many of the requirements are highly specific and could require owner/operators to make changes to longstanding operations. Some even require significant investments in personnel and technology to implement. Most importantly, the SD2 requirements have forced owner/operators to try and strike a tricky balance between quickly rolling out changes in the field without risking adverse safety and operational impacts to their systems.
• Scoping: The mandatory measures in SD2 require owner/operators to identify the IT and OT assets that are subject to the rules based on broad definitions of those types of systems. While undoubtedly intended to be flexible, the definitions have raised myriad scoping conundrums for industry participants who are unclear where their compliance obligations begin and end. Some entities have designed their systems with a high degree of interdependence between field assets and traditional enterprise systems, blurring the line between IT and OT. Others have systems that, if brought into scope, could expand the reach of TSA requirements endlessly to noncritical assets without providing a meaningful security benefit. In some cases, entities may have assets that support both gas and electric operations and that are already subject to a parallel regulatory regime under the NERC CIP Reliability Standards.
• Procurement: As noted above, some owner/operators will need to make capital improvements to their systems to meet compliance with SD2. This may prove to be particularly challenging in the current environment, when supply chains across industries are being strained to their limits. Moreover, several of the implementation deadlines will coincide with colder winter months, forcing owner/operators that are natural gas utilities to juggle equipment procurement and installation during their most critical operating season.

In a letter sent to TSA Administrator David P. Pekoske over the summer, various industry trade associations voiced concerns over these types of implementation challenges and the process in which SD2 was developed. Subsequently, on October 28, a group of US senators called on the Office of Inspector General (OIG) of the Department of Homeland Security to review the process by which the TSA promulgated the rules. Specifically, the senators requested that the OIG examine the basis for the requirements, the stakeholder consultation process, and the reason drafts of the directives were withheld from Congress during their development. Although the industry has encountered implementation challenges, many industry participants are working collaboratively with the TSA to explore potential solutions through, for example, requests for clarification, compliance deadline extensions, and proposals for implementing alternative measures that achieve the same security objectives as the SD2 requirements. These cooperative efforts have addressed some of the timing and scope pressures discussed above.

It’s Not All Bad, Right?

Mandatory regulations often bring with them the risk of fines, liability, and other sanctions. However, regulations also provide entities with opportunities to improve their overall cybersecurity posture. Pipeline owner/operators, like all companies, are constantly faced with making tradeoffs between making cybersecurity improvements on the one hand and keeping costs low and ensuring operational reliability on the other. Regulations provide the industry with a minimum standard that all entities are required unequivocally to meet. Companies that find they do not meet those minimum requirements now have little choice in the matter, which could eliminate internal funding or logistical roadblocks that once stifled much-needed improvements. Cybersecurity improvements driven by federal regulation should also make regulatory cost recovery more straightforward for those entities that are also regulated utilities.

Next Steps

Although critical pipeline facility owner/operators are continuing to implement the emergency Security Directives, more federal action is likely on the way. The emergency directives that are currently effective are time-limited, but we expect they will be further codified under nonemergency rulemaking procedures and continually refined to keep up with the pace of rapidly evolving cybersecurity threats. It is also possible that the TSA could leverage its emergency authority again based on potential new threat information.

In the meantime, the TSA is expanding its use of emergency authority to impose mandatory requirements on other surface transportation modes that fall within its purview. The TSA is responsible for security over four general modes of land-based transportation—mass transit, freight rail, highway motor carrier, and pipeline—and supports in maritime security efforts. On December 2, the TSA announced new security directives to strengthen cybersecurity in the rail industry. Those rules followed actions impacting the aviation industry, and more is likely on the horizon. In short, federal cybersecurity regulation affecting surface transportation modes is here to stay.

[1] 49 U.S.C. § 114(l)(2)(A).