Feds Order Pipeline Owners And Operators To Make Cybersecurity A Priority

By Terri Jo Neff

The owners and operators of the several critical pipelines which crisscross Arizona have been directed by the Department of Homeland Security’s Transportation Security Administration (TSA) to make cybersecurity a priority, the second such mandate this year.
A Security Directive issued in late July requires owners and operators of TSA-designated critical pipelines which transport hazardous liquids such as gasoline, diesel, and jet fuels, as well as natural gas (also known as methane) to implement a number of “urgently needed” protections against cyber intrusions.
The mandate also applies to dedicated high vapor pressure (HVP) pipelines used for the transport of liquefied petroleum gases (LPGs) such as propane, normal butane, and isobutane.

According to the Arizona Corporation Commission, Arizona is served by several interstate pipeline transmission systems including Cross Country Energy Corp’s Transwestern Pipeline, Dominion Energy’s Southern Trails Pipeline, Energy Transfer Partners’ Transwestern Pipeline, Kinder Morgan’s El Paso Natural Gas, Mohave Pipeline, Questar’s Southern Trails Pipeline, Southwest Gas, and TransCanada’s North Baja Pipeline.

There are also several intrastate distribution and transmission pipelines, including Abbott Nutrition, Alliant Gas Arizona, Applied LNG Technologies, Arizona Public Service, Calpine Pipeline, Desert Gas Services, Duncan Rural Services, Gila River Power, Mineral Park Mine, Nucor Steel Kingman, Pimalco Aerospace Aluminum, Plains LPG Services, Swissport Fueling, UniSource Energy, and Zapco / Biogas Energy Tactics.

The recent Security Directive requires those operating critical pipelines to put into place mitigation measures to protect against ransomware cyberattacks and other threats to information technology and operational technology systems. They must also develop and implement a cybersecurity contingency and a recovery plan, and conduct a cybersecurity architecture design review.

“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” according to Alejandro Mayorkas, Secretary of Homeland Security. “Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

DHS and TSA issued an initial Security Directive in May following a ransomware attack on Colonial Pipeline, which moves gasoline, diesel, and jet fuel from Texas to the eastern United States. Colonial Pipeline paid a $4.4 million ransom to hackers who accessed the company’s billing software, triggering a pipeline shutdown until it was certain the cyberattack had not targeted the company’s operational software.

The May directive mandated the reporting of all confirmed and potential cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA). Each pipeline owner or operator was also required to immediately designate a Cybersecurity Coordinator who would be available 24/7 to federal officials.
There was also a requirement for an internal review of all current cybersecurity practices by the end of June, as well as a report to TSA and CISA of all gaps in remediation measures.

TSA’s heightened attention on pipeline cybersecurity issues follows the agency’s efforts over the last two decades to enhance the physical security preparedness of hazardous liquid and natural gas pipeline systems across the country.