The new Directive requires owners and operators of TSA-designated critical pipelines to:
- Implement specific mitigation measures and technical countermeasures to guard against ransomware attacks and similar cyberattacks;
- Develop and implement a cybersecurity recovery plan; and
- Review existing cybersecurity-architecture designs.
There are few details explaining how the TSA will enforce the Directive, because the agency has not published the confidential Directive for security reasons. Nonetheless, the TSA’s announcement reaffirms and bolsters its security directive issued in May (the May Directive). The May Directive requires owners and operators to notify the Cybersecurity and Infrastructure Security Administration (CISA) within 12 hours of discovering a possible cybersecurity breach, even when the owner or operator is merely investigating the possibility of a security breach. It also requires owners and operators to designate a primary and alternate Cybersecurity Coordinator to be available 24 hours a day, seven days a week, to liaise with the TSA and CISA regarding possible cybersecurity breaches. In the event companies are unable to comply with the TSA’s mandates, the May Directive instructs them to notify the TSA in writing, seek approval for alternative cybersecurity measures, and provide a rationale for those alternative measures. For a full list of requirements contained in the May Directive, please see Hogan Lovells’s June 4, 2021 client alert “DHS announces cybersecurity obligations for pipeline companies.”
TSA’s two Directives are aimed at proactively preventing cyberthreats similar to the recent and highly publicized Colonial Pipeline ransomware attack in May 2021. This new Directive indicates TSA’s commitment to enforcing mandatory pipeline cybersecurity protections and protocols, which, until the issuance of the May Directive, had largely been voluntary and collaborative for pipeline owners and operators.
Owners and operators of TSA-designated critical pipelines should continue to monitor developments associated with the new Directive and the May Directive. Depending on the scope of the new Directive, they should also consider whether to provide input to the TSA through the agency’s feedback system to improve or adjust the requirements imposed on owners and operators. Hogan Lovells’s cross-practice cybersecurity policy and compliance team is prepared to assist you in complying with all aspects of the new Directive and the May Directive as you navigate and implement the newest cybersecurity requirements issued by the TSA.
Authored by Andrew Lillie, Peter Marta, Jessica Black Livingston, and Cory Wroblewski.