Cybersecurity threats to critical infrastructure systems are nothing new. But events over the last few years have been notable due to the seemingly increased frequency of successful attacks and the way those attacks have been vaulted into the national public discourse. In particular, the media attention devoted to these attacks has been unprecedented and is raising the specter of public health and safety risks caused by shadowy cyberthreats.
Recent events in the oil and natural gas industry are telling. In May 2021, a major fuel pipeline that delivered gasoline to much of the US East Coast was forced to shut down after experiencing a ransomware attack. Shortly after the attack was announced, the national average price for a gallon of regular gasoline experienced a noticeable uptick, particularly in the areas served by the pipeline. This event unfurled into a public crisis, triggering panic buying at the pump and driving state and federal regulators into action.
The US Department of Homeland Security’s Transportation Security Administration (TSA)—the federal agency tasked with ensuring security for surface transportation modes, including pipelines—quickly announced mandatory cybersecurity regulations for owners and operators of critical pipeline systems that transport hazardous liquids and natural gas (owner/operators). The regulations—known as Security Directives—require owner/operators to implement a number of urgently needed protections against cyberintrusions. The first Security Directive, Security Directive Pipeline-2021-01 (SD1), was issued on May 28 and required owner/operators to take a number of immediate actions.
However, it was the second Security Directive, Security Directive Pipeline-2021-02 (SD2), issued on July 19, that posed greater challenges for the pipeline industry. SD2 directed owner/operators to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems. Following is a discussion of the key challenges with SD2.
In a letter sent to TSA Administrator David P. Pekoske over the summer, various industry trade associations voiced concerns over these types of implementation challenges and the process in which SD2 was developed. Subsequently, on October 28, a group of US senators called on the Office of Inspector General (OIG) of the Department of Homeland Security to review the process by which the TSA promulgated the rules. Specifically, the senators requested that the OIG examine the basis for the requirements, the stakeholder consultation process, and the reason drafts of the directives were withheld from Congress during their development. Although the industry has encountered implementation challenges, many industry participants are working collaboratively with the TSA to explore potential solutions through, for example, requests for clarification, compliance deadline extensions, and proposals for implementing alternative measures that achieve the same security objectives as the SD2 requirements. These cooperative efforts have addressed some of the timing and scope pressures discussed above.
Mandatory regulations often bring with them the risk of fines, liability, and other sanctions. However, regulations also provide entities with opportunities to improve their overall cybersecurity posture. Pipeline owner/operators, like all companies, are constantly faced with making tradeoffs between making cybersecurity improvements on the one hand and keeping costs low and ensuring operational reliability on the other. Regulations provide the industry with a minimum standard that all entities are required unequivocally to meet. Companies that find they do not meet those minimum requirements now have little choice in the matter, which could eliminate internal funding or logistical roadblocks that once stifled much-needed improvements. Cybersecurity improvements driven by federal regulation should also make regulatory cost recovery more straightforward for those entities that are also regulated utilities.
Although critical pipeline facility owner/operators are continuing to implement the emergency Security Directives, more federal action is likely on the way. The emergency directives that are currently effective are time-limited, but we expect they will be further codified under nonemergency rulemaking procedures and continually refined to keep up with the pace of rapidly evolving cybersecurity threats. It is also possible that the TSA could leverage its emergency authority again based on potential new threat information.
In the meantime, the TSA is expanding its use of emergency authority to impose mandatory requirements on other surface transportation modes that fall within its purview. The TSA is responsible for security over four general modes of land-based transportation—mass transit, freight rail, highway motor carrier, and pipeline—and supports in maritime security efforts. On December 2, the TSA announced new security directives to strengthen cybersecurity in the rail industry. Those rules followed actions impacting the aviation industry, and more is likely on the horizon. In short, federal cybersecurity regulation affecting surface transportation modes is here to stay.
 49 U.S.C. § 114(l)(2)(A).