In the weeks that followed a ransomware attack on a domestic pipeline company, the federal government’s efforts to shore up the cybersecurity posture of America’s critical infrastructure and supply chains, including the oil and gas industry, have garnered increased attention. Historically, the oil and gas sector has not been subject to mandatory cybersecurity regulations, but rather was encouraged to follow voluntary security guidelines that were initially published by the Transportation Security Administration (TSA) in 2011 and revised in 2018. Yet the sector’s geographic size, the number of operators/stakeholders within it, and its importance to the national economy make the oil and gas industry an attractive target for cyberattacks.

Each of these factors raises the question of whether voluntary cybersecurity measures are sufficient to protect this critical infrastructure component. Based on the TSA’s decision to publish the very first Pipeline Security Directive (“Directive”) three weeks after Colonial Pipeline was victimized by a ransomware attack, the answer to this rhetorical question appears to be an emphatic “No.”

The Directive debuts TSA’s first mandatory requirements for the pipeline sector

Physical security for oil and gas pipelines has been in the domain of the TSA since the agency’s inception in 2001. The safe transport of fuels and chemicals, arguably a task that is within TSA’s wheelhouse, was viewed through a prism of physical risk after 9/11. However, the prevalence of ransomware and the vulnerability of Operational Technologies to cyberattack have blurred the lines between safety and security. Compounding this problem, cybersecurity is not a core skill for the six TSA personnel who have primary responsibility for pipeline security.[1] As such, the TSA is not only understaffed in the cybersecurity department, but it has also relied on voluntary guidelines and lacks the enforcement tools available to other agencies[2] such as the Cybersecurity and Infrastructure Security Agency (CISA). Considering these limitations, the TSA deserves some praise for issuing the Directive fifteen business days after a service disruption, but the Directive’s requirements are far from revolutionary.

The Directive required owners and operators of hazardous liquid and natural gas pipelines to (1) designate in writing, and provide to TSA, the names of the primary and alternate Cybersecurity Coordinators; (2) report to CISA the occurrence of cybersecurity incidents involving systems the owner/operator is responsible for operating; and (3) perform a vulnerability assessment of the organization’s activities and practices to address risks to their networks, identifying gaps in those activities, remediation measures to fill those gaps, and a timeline for doing so. The Directive called for those three requirements to be completed by June 28, 2021. The information owners/operators provide to TSA under the Directive is Sensitive Security Information and thus will not be disclosed to the public.

Are there better equipped agencies who can handle cybersecurity for oil and gas?

The Directive follows on the heels of President Biden’s Executive Order No. 14028, issued on May 12, 2021 (EO 14028), to improve the nation’s cybersecurity. The Directive, EO 14028 and other recent federal policy initiatives signal a shift towards greater oversight and control for the cybersecurity of important industries. CISA, which is self-described as “the nation’s risk advisor,” is one of the agencies likely to be heavily involved with cybersecurity changes for critical infrastructure sectors, such as oil and gas pipelines.

The Federal Energy Regulatory Commission (FERC) has already developed mandatory cybersecurity standards for the electrical grid and has the experience to create similar standards for oil and gas. Additionally, the Department of Energy (DOE), which has experience with nuclear cybersecurity, could take the reins on oil and gas cybersecurity. Moreover, Secretary of Energy Granholm testified on June 15, 2021 before the Senate Energy and Natural Resources Committee that the DOE wanted to help electric utilities defend themselves from sophisticated cyber threats as part of DOE’s efforts to coordinate with the private sector and CISA.

Arguably, CISA is better suited to recognize cyberattacks, create guidelines, and manage responses to cyberattacks, and it is likely to increase its involvement with oil and gas cybersecurity. Case in point, EO 14028 mentions CISA thirty-four times, but is completely silent regarding any role or expectations for TSA.

What is on the road ahead for pipelines?

No matter which agency, including TSA, takes or retains the lead role on cybersecurity for the oil and gas sector, industry actors will have to deal with significantly more regulation than in the past. Regulations promulgated by that agency will most likely require rapid investigation and identification of cybersecurity incidents and require the disclosure of bona fide incidents to the cognizant agency. Regulations could also incorporate by reference third-party consensus standards and basic cyber-hygiene practices (e.g., multifactor authentication, risk-based identification, recurrent cybersecurity training for personnel, etc.) to reduce the effectiveness of phishing and spear phishing.

While new regulatory requirements may be costly to comply with initially, the reduced vulnerability to cyberattacks by malicious actors not only protects the nation’s critical infrastructure but also reduces the risk of pipeline owners/operators suffering large financial losses that cause operational disruptions or, in the worst case, force a pipeline to temporarily shut down.

[1] TSA Has Been Underfunded, Understaffed While Overseeing Pipeline Cybersecurity, Nat’l Public Radio, interview by Brian Naylor with Robert Knake, Senior Fellow with the Council on Foreign Relations, May 18, 2021.

[2] TSA Pipeline Oversight Faces Scrutiny After Colonial Hack, David Uberti, Wall Street Journal, May 13, 2021.