DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators

The Department of Homeland Security’s Transportation Security Administration (TSA) announced a new Security Directive that will require critical pipeline owners and operators to:

  • Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA);
  • Designate a Cybersecurity Coordinator that must be available 24 hours a day, seven days a week; and
  • Review their current practices and identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

TSA is also considering follow-on mandatory cybersecurity measures for the pipeline industry.

Potential CFATS Appendix A Revisions

The Department of Homeland Security (DHS) released its unified agenda in Federal Register on March 31, 2021, stating that one of its rulemaking priorities was “improving Appendix A” to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations and addressing “concerns with release-flammable security issues.”

Industry stakeholders, including the International Liquid Terminals Association (ILTA), anticipate this rulemaking likely applies to the inclusion of gasoline, diesel, and other fuel mixes in Appendix A, which the Cybersecurity & Infrastructure Security Agency (CISA) has not enforced to date.

CFATS Information Collection Request

On March 23, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) published a 60-day notice in the Federal Register soliciting public comment on revisions to an Information Collection Request (ICR) relating to various efforts under the CFATS program – including tiering redeterminations, compliance assistance, and verifying Top-Screen information associated with the sale of a facility or the removal of a Chemical of Interest (COI).

In this Federal Register notice, CISA is requesting approval to continue the collection of information to support these efforts, as well as a clearer description of the scope of each instrument. CISA is not proposing changes to the scope of what information is collected. The ICR in question was approved for a three-year period in December 2018 and is set to expire in December 2021.

Online TWIC Renewals

The Transportation Security Administration (TSA) has sent proposed revisions to the Transportation Worker Identification Credential (TWIC) program to the Office of Management and Budget (OMB) for review and approval.

Among other revisions related to Merchant Mariners, TSA is implementing an online renewal capability for applicants who previously maintained an active TWIC. According to TSA, approximately 60% of active TWIC cardholders enroll for a new TWIC after the initial five-year expiration date. TSA believes online TWIC renewals will reduce cost and processing time by permitting eligible applicants to obtain a new TWIC without enrolling in-person at a TSA enrollment center. Accordingly, the renewal fee for TWIC will decrease with the implementation of online renewals.

TSA is accepting comments on the proposed revisions until March 26, 2021.

SolarWinds MSIB – Breach of Security Reporting Requirement

The US Coast Guard (USCG) published Marine Safety Information Bulletin (MSIB) 03-21 directing any owner or operator of a Maritime Transportation Security Act (MTSA)-regulated facility that relies on SolarWinds software for a system that serves or supports a critical security function to report a Breach of Security if:

  1. They have downloaded the trojanized SolarWinds Orion plug-in (see FBI Private Industry Notification 20201222-001); or
  2. They note any system with a critical security function displaying any signs of compromise, including those that may have not originated from the SolarWinds Orion compromise but utilize similar Tactics, Techniques, and Procedures (TTPs) (see Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-352A).

CISA recommends utilizing three open-source tools – including a CISA-developed tool, Sparrow – to help detect and remediate malicious activity connected to the SolarWinds incident. Sparrow was created to detect possible compromised accounts and applications in the Azure/Microsoft 365 environment. For guidance on the three open-source tools, see CISA AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.

Chemical Safety and Security Programs Overlap and Gap Assessment Report

The U.S. Government Accountability Office (GAO) has published a report titled, Chemical Security – Overlapping Programs Could Better Collaborate to Share Information and Identify Potential Security Gaps. In the report, the GAO reviewed overlap between chemical safety and security programs administered by the Department of Homeland Security (DHS), Environmental Protection Agency (EPA), Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), and the Department of Transportation (DOT). Specifically, the GAO focused on the: (1) Chemical Facility Anti-Terrorism Standards (CFATS); (2) Maritime Transportation Security Act (MTSA); (3) Transportation Security Administration (TSA) Rail Security Program; (4) TSA Pipeline Security Program; (5) ATF Explosive Materials Program; (6) EPA Water Infrastructure Act Program; (7) EPA Risk Management Program (RMP); (8) EPA Resource Conservation and Recovery Act (RCRA) Program; and (9) DOT Hazardous Materials Program.

Among other things, the GAO found that:

  • When compared with CFATS, all eight of the other programs reviewed contain requirements or guidance that generally align with at least half of the eighteen CFATS Risk-Based Performance Standards (RBPSs).
  • At least 550 of 3,300 (16%) CFATS-regulated facilities are also subject to other federal chemical safety or security programs.
  • More than 1,600 public water systems or wastewater treatment facilities are excluded from CFATS, leading to fragmentation. These facilities are subject to federal programs that generally do not align with CFATS and, according to DHS, are not required to implement security measures commensurate to their level of security risk. The GAO determined that DHS and the EPA have not collaborated to modernize policies and assess potential water security gaps.
  • Although directed by Executive Order to improve coordination and information sharing, the Chemical Facility Safety and Security Working Group (led by DHS, EPA, and the Department of Labor, along with representation from ATF and DOT) has not identified which facilities are subject to multiple programs and may be unnecessarily developing duplicative information for compliance.

The GAO made the following recommendations:

  • DHS should collaborate with partners and establish an ongoing process to identify the extent to which CFATS-regulated facilities are also covered by other programs that generally align with some of the CFATS RBPSs.
  • The EPA, ATF, and DOT should collaborate with partners and establish ongoing processes to identify the extent to which the facilities they regulate are also covered by the CFATS program.
  • DHS’s Cybersecurity and Infrastructure Security Agency (CISA) should update and disseminate CFATS program guidance to include a list of commonly accepted actions facilities may have taken and information they may have prepared pursuant to other federal chemical safety or security programs.
  • CISA and the EPA should collaborate to assess the extent to which potential security gaps exist at water and wastewater facilities and develop a legislative proposal to address these gaps.