In February, the Pipeline and Hazardous Materials Safety Administration (PHMSA) and the Transportation Security Administration (TSA), which are agencies within the Department of Transportation (DOT), announced an updated pipeline security agreement.
The updated agreement is designed to increase ongoing safety and security efforts to protect our nation’s energy assets. This includes increased efforts to protect pipeline operations from the increased risk of cyber attacks.
When the updated agreement was announced in February, the coronavirus was a looming threat to our nation, but not the immediate threat that COVID-19 has become as a national emergency.
Because of the challenges presented by COVID-19 (maintaining pipeline safety in new or different control room environments, optimizing SCADA system performance, ensuring business continuity, and protecting the health of available personnel to support operations), the security challenge has evolved to ensure that pipeline operators can maintain a strong cyber defense when there is tremendous strain on resources.
The new agreement between PHMSA and TSA provides the framework for how these agencies plan to work together to ensure that operators can continue to maintain safe operations.
Main Purpose of the PHMSA and TSA Security Agreement
As identified by the DOT in their announcement, the main purpose of the updated security agreement is to define each agency’s “respective authorities and responsibilities regarding pipeline safety and security.”
The goal is to enhance cooperation and collaboration through information sharing, strong communication, and more efficient processes that will allow both agencies to better support companies and operators.
Specific to the pipeline industry, the DOT has requested that PHMSA and TSA “use an interagency protocol to enhance timely sharing of information that is intended to facilitate the agencies’ sharing of information with the federal pipeline stakeholder community.”
Both agencies have also been requested to expand efforts to “improve alignment of communication efforts between themselves and pipeline stakeholders.”
Why the Emphasis on Pipeline Cybersecurity?
An important point that relates to securing pipeline assets is that TSA is being asked to share information with PHMSA on “pipeline security incidents and threats to pipeline infrastructure.”
This is related to a December 2019 pipeline security incident, where a natural gas compression facility was targeted by a ransomware attack that shut down the pipeline for two days.
The Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security (DHS), made the public disclosure about the attack.
In response to the rising threat of cybersecurity threats, the DOT has asked TSA and PHMSA to pursue effective collaboration with CISA to protect critical pipeline infrastructure. This includes sharing information with CISA to coordinate cybersecurity efforts with other agencies.
Will There Be New Standards or Regulations?
The updated pipeline security agreement sets in motion the potential for new standards, regulations, or guidelines that could impact pipeline operators.
There is a framework for new standards included in the updated annex to the memorandum of understanding between the DHS and DOT concerning TSA and PHMSA security and safety efforts.
The call to action for both TSA and PHMSA includes the following:
- Review the adequacy of existing standards.
- Identify any gaps that should be addressed through rulemaking, guidelines, or directives.
- Identify best practices and consider opportunities to promote these practices.
- Explore opportunities to build on existing standards-setting activities or processes without creating regulatory burdens.
- PHMSA will coordinate with TSA to develop standards, regulations, guidelines, or directives that affect pipeline transportation security.
- TSA will coordinate with PHMSA to develop standards, regulations, guidelines, or directives that affect pipeline transportation safety.
This section of the memo includes a provision that “emergencies or other exigent circumstances” may preclude thorough coordination prior to dissemination of any measures. COVID-19 would seem to fall into this category, potentially delaying the process of initiating potential rulemaking concerning pipeline security and safety.
How Will PHMSA Communicate with Pipeline Stakeholders?
Specific to the role of PHMSA in the revised pipeline safety agreement, PHMSA has been asked to continue building on existing relationships with public and private stakeholders to “identify and respond to stakeholders needs and concerns.”
Because security and safety often overlap — hence the need for an updated agreement between PHMSA and TSA — there will be increased efforts to communicate publicly with pipeline stakeholders about issues that could affect operational integrity.
Also, before any requirements, standards, best practices, or guidelines are disseminated, both PHMSA and TSA will share information with each other to review how the rules affect their constituents.
Ultimately, the goal is to coordinate efforts to improve security and safety while minimizing duplicate efforts, disruptions to current operations, and costs imposed on stakeholders.
How Does This Affect Pipeline Operators Now?
Pipeline operators should continue to maintain communication with PHMSA about pipeline security concerns or threats. This is especially important during a period of heightened security risk and vulnerabilities indirectly caused by the COVID-19 national emergency.
Information shared with PHMSA will help the agency better coordinate security and safety efforts with TSA to protect pipeline assets.
Additionally, should your operation require additional staff support during COVID-19, we are providing staff augmentation services for SCADA teams and pipeline control rooms.
Contact us today to discuss how we can support your operation during this time. We are here to help.