The Transportation Security Administration on July 21 revised Security Directive Pipeline-2021-02: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing. The initial version of the Security Directive was issued May 28, 2021, in the wake of the May 2021 ransomware attack on Colonial Pipeline, which resulted in gasoline shortages across the eastern seaboard.
That version – which imposed obligations to report incidents to the government within 12 hours, to designate a cybersecurity coordinator to be available 24/7 to respond to government inquiries and to report to the government on the status of their cybersecurity readiness – was criticized by industry as too rigid and ignorant of the unique cybersecurity needs of pipeline operators.
With its July 21 revision, the TSA seems to acknowledge these criticisms by adopting a more flexible and less prescriptive approach.
These changes, which we discuss below, will be welcomed by industry, but it is not clear whether this more flexible approach by TSA reflects a trend in the government’s approach to cybersecurity regulations or is an outlier. This article highlights some of the recent cyber regulatory efforts by federal agencies, discusses the components of the revised TSA Security Directive and offers a perspective on whether the coming cyber regulations will adopt the TSA approach or something more draconian.
The Coming Wave of Cyber Regulations
The revised TSA Security Directive is just one of a number of recent or upcoming cybersecurity regulations being pursued by the federal government. And although there are likely internal efforts by the federal government to coordinate these initiatives, different agencies are pursuing different regulations on different timelines with different types of obligations:
- On March 9, the Securities and Exchange Commission proposed a new rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies. Controversially, the proposal would require the reporting of potentially sensitive information related to a cybersecurity incident within four business days of a business determining the incident was material. A material incident would include events that a reasonable shareholder would consider important to an investment decision, such as the compromise of the confidentiality, integrity or availability of data or a network; an unauthorized incident that causes degradation, interruption or loss of control of operational technology systems; or a ransomware event.
- As of May 1, the Computer-Security Incident Notification Requirements Rule issued by the Office of the Comptroller of the Currency requires banks and bank service providers to notify their primary regulator within 36 hours of a computer security incident that causes actual harm to the confidentiality, integrity or availability of an information system or the information that such system processes, stores or transmits. A reportable incident would include large-scale distributed denial of service attacks, a ransomware attack that encrypts a core banking system or backup data, or a system failure that results in activation of a business continuity and disaster recovery plan.
- On July 21, the National Credit Union Administration Board approved a proposed rule that would require federally insured credit unions to notify the National Credit Union Administration within 72 hours of a cyber incident that actually or imminently jeopardizes the confidentiality, integrity or availability of information or an information system and that results in the unauthorized access to sensitive data or the disruption of vital member services or business operations. The comment period closes Sept. 25.
- On July 28, the Cybersecurity and Infrastructure Security Agency submitted a draft request for information related to its cyber incident reporting rulemaking to the Office of Management and Budget for interagency review before it is publicly issued. The RFI is a first step in CISA’s implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require companies in sectors identified by CISA to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours. The act requires CISA to issue regulations by March 2024 clarifying the scope of the law and implementing the cyber incident reporting obligations.
- Maintaining the focus on critical infrastructure, senior White House cyber officials have said that the Environmental Protection Agency will soon issue regulations establishing cybersecurity requirements for state regulators to evaluate during sanitary surveys of water utilities. The effort is controversial, and water sector officials have expressed concern that the regulations will not account for the different cyber needs of various water utilities and that state inspectors lack the cybersecurity expertise to meaningfully assess compliance. And there are lingering questions as to whether the EPA has sufficient authority to issue these cyber regulations or would need additional legislation from Congress.
TSA’s Security Directive Adopts a More Flexible Approach
Pipeline-2021-02C (SD02C) applies to all owners and operators of hazardous liquids and natural gas pipelines or liquefied natural gas facilities that have been notified by TSA that their pipeline system or facility is considered by TSA to be “critical.”
SD02C makes critical changes to the initial Security Directive, including several that provide more flexibility to pipeline owners and operators, such as a transition to a more performance-based security outcome model. The revisions allow pipeline owners and operators to use new technologies to ensure cybersecurity advances and not be forced to take a one-size-fits-all approach. The new SD02C transition requires pipeline owners and operators to establish and implement a Cybersecurity Implementation Plan, develop and maintain an Incident Response Plan and establish a Cybersecurity Assessment Program.
- Establish and Implement a TSA Approved Cybersecurity Implementation Plan
Under SD02C, pipeline owners and operators must develop a Cybersecurity Implementation Plan that identifies their critical cyber systems and implements network segmentation policies. These policies divide a network into smaller zones that limit a cyber attacker’s ability to move through the network and access the entire system. The Plan also must have safeguards within the system that provide for multifactor authentication, procedures to manage access rights and protections to limit the use of shared accounts that are critical for operations.
Within the Plan, owners and operators also have to show how they are going to continuously monitor their system to prevent, detect and respond to cybersecurity threats and reduce the risk of exploitation of vulnerable systems through the application of security patches and updates.
By Oct. 24, owners and operators must submit their Cybersecurity Implementation Plan to TSA. Owners and operators must implement and maintain all the measures listed in the Plan after it is approved by TSA.
- Develop and Maintain a Cybersecurity Incident Response Plan
The hours after a cyber intrusion are vital. Under SD02C, owners and operators must develop and maintain a cyber Incident Response Plan that includes mechanisms for: (1) prompt containment of the infected server or device; (2) segregating the network from the infected network or devices; (3) securing backup systems; (4) isolating information technology and operational technology systems; and (5) annually testing the effectiveness of the cybersecurity incident response plan.
Owners and operators must also identify who at the company is responsible for implementing the measures within the incident response plan.
- Develop a Cybersecurity Assessment Program
Not only does SD02C require pipeline owners and operators to develop Cybersecurity Implementation and Incident Response Plans, but it also requires them to create a Cybersecurity Assessment Program. This Program must proactively assess critical cyber systems to determine the effectiveness of the cybersecurity measures and the effectiveness of the Cybersecurity Implementation Plan. TSA requires that a plan describing the Cybersecurity Assessment Program, including a schedule for specific action pursuant to that plan, be documented annually.
Additionally, no later than 60 days after TSA’s approval of a company’s Cybersecurity Implementation Plan, pipeline owners and operators must submit the annual plan for their Cybersecurity Assessment Program. This plan must be updated annually and submitted no later than one year from the date of the previous plan.
These new security directives pose a complicated and detailed set of questions that pipeline owners and operators must address within a short period of time. With an Oct. 24 deadline for submitting an implementation plan, cybersecurity planning and preparedness must be at the top of the list of concerns for pipeline owners and operators.
What Does This Mean for Regulations on the Horizon?
It is clear that cybersecurity has become a priority for the federal government. But as various agencies rush to issue guidance and regulations, there is legitimate concern that these regulations are not being pursued in a unified manner. Further, while the government has cyber expertise in many key areas and agencies, it is generally acknowledged that the overall cyber literacy of the federal government needs to improve. And while government agencies have recognized the importance of harmonizing their efforts, companies should continue to expect varying approaches by different agencies.
More fundamentally, the government appears to have shifted away from an approach of collaborative best practices to one that embraces affirmative regulatory obligations. Whether as a result of existing agency efforts or the result of legislation, it is unlikely that industry will be able to push back this coming regulatory wave. Instead, companies would be wise to engage and shape the regulations and to take steps now to prepare to meet the inevitable new requirements.
Sid Mody is a partner at O’Melveny in Dallas who focuses his practice on cryptocurrency, cyber intrusions, ransomware and computer fraud. He recently joined O’Melveny from the National Security, Cybercrime and Money Laundering Division of the U.S. Attorney’s Office for the Northern District of Texas, where he served as the office’s lead cyber hacking and intellectual property attorney, the digital currency crimes coordinator and the sole national security cyber specialist.
John Dermody, who was a deputy legal advisor at the National Security Council, is counsel at O’Melveny in Washington, D.C. He advises clients on data security, privacy, cybersecurity and national security issues, including economic sanctions and national security reviews of investments and technology transactions conducted by the Departments of Justice, Homeland Security, Defense, the Treasury, State and Commerce.