DHS Announces New Cybersecurity Requirements for Pipeline Owners and Operators

On May 28, the Department of Homeland Security’s Transportation Security Administration (TSA) released a new Security Directive to establish protocols to identify, protect against, and respond better and more quickly to threats to critical companies in the pipeline sector.

The Security Directive applies to owners and operators of facilities or pipelines that handle any hazardous liquid, natural gas pipelines, or any liquefied natural gas facility notified by TSA that their pipeline system or facility is considered critical. In addition to new guidance on incident response and notification requirements, the Directive requires four very time-sensitive and vital actions.

Actions Required

Accordingly, critical pipeline and facility owners and operators must:

• Immediately provide written confirmation of receipt of the Security Directive to the TSA.
• Within seven days of May 28, designate a primary and at least one alternate cybersecurity coordinator. These individuals must be at the corporate level. They will be required to be available to TSA and CISA 24/7 to address cyber best practices and provide coordination in the event of any incident. The names of the appointed coordinators and their titles, phone numbers, and email addresses must be submitted in writing to the TSA. Each named coordinator must be a U.S. citizen who is eligible for a security clearance and shall coordinate cyber and related security practices and procedures within the organization and work with both law enforcement and emergency response agencies as needed.
• Within 30 days of May 28, conduct a gap assessment to assess current practices and immediately disseminate the information and measures in this Security Directive to corporate senior management, security management representatives, and any personnel responsible for implementing the provisions in this Security Directive and provide a prompt briefing regarding the Security Directive to all such individuals. Additionally, the owner/operator also should share this Security Directive with anyone subject to the provisions of this Security Directive, including federal, state, and local government personnel, tenants, and contractors.
• Address cybers risks for both information and operational technology systems and infrastructure. Any gaps identified shall have remediation measures enacted to address those gaps and a timeframe for implementing the measures shall be provided. Each affected organization shall deliver a copy of the resulting report to TSA and CISA.

If you have any questions about this Security Directive or would like a copy, please contact Jeffrey Wells, jwells@clarkhill.com, or Melissa Ventrone, mventrone@clarkhill.com.