June 1, 2021
On May 27, 2021, the Transportation Security Administration (TSA), a federal agency under the Department of Homeland Security (DHS), issued a Security Directive1 intended to enhance DHS’ ability to identify and respond to cybersecurity threats in the pipeline sector. The Security Directive expires in one year, but ratification by the Transportation Security Oversight Board would give it indefinite effect.
While Congress authorized TSA to regulate pipeline security in 2007, TSA had pursued a collaborative approach with industry through voluntary Pipeline Security Guidelines. In recent years, there have been multiple calls for TSA to move instead toward mandatory standards like the Critical Infrastructure Protection (CIP) rules that apply to the electric utility industry.
TSA’s Security Directive marks a significant change in its approach to pipeline security. Notably, the Directive does not rely on its 2007 pipeline security authority, which would have required notice-and-comment rulemaking. Instead, TSA utilized general transportation emergency security directive powers granted it when Congress first formed TSA in 2001. This authority does not require public input. TSA also announced that it is considering “follow-on mandatory measures” that would “further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.” It is not yet clear whether TSA will pursue a traditional rulemaking process when considering those additional measures or will instead issue another security directive.
Security Directive Requirements
The Security Directive was only sent to, and only applies to, owners and operators of pipeline facilities that TSA has deemed “critical.”2 The Security Directive directs these owners and operators to designate a primary, and at least one alternate, Cybersecurity Coordinator to act as TSA’s primary point of contact with the owner/operator by June 4, 2021.
The Security Directive requires those owner/operators to report “cybersecurity incidents” to the Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identification. Such incidents may include unauthorized access of information technology or operational technology systems, discovery of malware, physical attacks against network infrastructure, and any activity that has potential to cause operational disruption. The Security Directive’s definition of “cybersecurity incident” is even broader than CISA’s own definition. TSA has indicated to industry that it will revise this definition as it is implemented and potentially clarify its scope.
Finally, the Security Directive directs covered owners and operators to fill out a TSA provided “vulnerability assessment” form within 30 days. This form, based largely on Section 7 of TSA’s Pipeline Security Guidelines, requires owner/operators to review their current cybersecurity procedures, and identify any gaps and potential remediation measures. The form is in a “yes/no” format that requires the owner/operators to provide further details on any “no” responses. TSA has described the form as similar to its Corporate Security Review process, and at a much higher level than the Validated Architecture Design Review (VADR) process that TSA has been conducting with pipeline companies on a voluntary basis.
TSA’s Security Directive comes in the wake of a growing debate in Congress over who should be accountable for safeguarding pipeline security. Congress has already directed that TSA have regulatory oversight of pipeline security. Members of the House Energy and Commerce Committee have argued the Department of Energy is better suited to take on the responsibility, while members of the House Homeland Security Committee argue jurisdiction should remain with TSA, which it asserts has more familiarity with pipeline security.
TSA has long been criticized for being under-equipped to oversee even voluntary pipeline security standards. DHS plans to have CISA assist TSA’s small staff of trained inspectors with enforcement and hire new staff at both agencies.
In addition, Richard Glick, the Chairman of the Federal Energy Regulatory Commission (FERC), has argued for years that mandatory standards should be applied to the pipeline sector. Other FERC Commissioners have taken the same position at various times. FERC already oversees a comprehensive set of mandatory cybersecurity standards, i.e., the CIP standards, which apply to the electric utility industry. However, FERC does not have jurisdiction over pipeline safety or security.
Stakeholders have raised concerns with the new requirements, including for example:
Further clarification from TSA is needed to address these and other issues.
2 “Critical” facilities may be natural gas pipelines, as well as hazardous liquid pipelines and liquefied natural gas facilities. The Security Directive notes that TSA is required by law to “review pipeline security plans and inspect critical facilities of the 100 most critical pipeline operators” and that “[i]n general, criticality is determined based on factors such as the volume of product transported, service to other critical sectors, etc.” Security Directive at n. 1.