- Former DHS and DoD official on reporting, reviews and fines
(Reuters) - The Department of Homeland Security (DHS) last month issued a second pipeline security directive that, in the wake of May's hack of the Colonial Pipeline, beefs up cybersecurity for some of the 2.6 million miles of oil and gas pipelines that crisscross the United States.
The move was followed last week by a U.S. Senate Commerce Committee hearing on how to fix the vulnerabilities of pipelines to ransomware attacks.
John Dermody, a counsel at O'Melveny & Myers in Washington D.C. and a former legal advisor for DHS, spoke with Reuters about what the new regulatory landscape could look like.
The interview has been edited for length and clarity.
REUTERS: What cybersecurity requirements have changed with DHS's two recent directives?
DERMODY: The directives represent a shift from industry-led best practices, characterized by the voluntary guidelines the U.S. Transportation Security Administration (TSA) issued in 2018, to a more direct regulatory approach.
REUTERS: What remains voluntary, and what is now obligatory?
DERMODY: The major distinction between the voluntary guidelines and some of the things you're seeing with the first May directive, which is the one we were allowed to see, is very specific reporting requirements.
The requirement to have to report to DHS within 12 hours of an incident: that's new. The requirement to designate a singular point of contact that the government can work with to respond to a particular incident: that's new.
There are two different kinds of requests that are articulated in the second directive: to have a plan and to conduct a service security architecture design review. Both of those probably stem from some of the best practices that would have existed in industry.
REUTERS: The second security directive targets owners and operators of "critical" pipelines that transport hazardous liquids and natural gas. Who falls into those categories?
DERMODY: The directive is not being publicly released and the distribution is not being publicly identified. Those companies that are subject to directives will know it because TSA will reach out to them directly.
But DHS is charged by statute to identify the top 100 most critical pipeline operators.
I would think there would be significant overlap between those two lists.
REUTERS: How much teeth do these two directives have?
DERMODY: In both directives, authorities have not identified the specific compliance mechanisms.
It's a bit of speculation, but TSA does have significant civil authority to fine companies and to take other administrative actions. For example, it can implement a civil fine of $10,000 per incident of violation of a particular directive. That gives you a lot of flexibility. Is each day of noncompliance a separate violation?
In addition, they can seek significant civil relief, potentially up to $400,000 in terms of a civil fine.
The question is: How productive is it going to be to immediately jump out of the gate with fining companies for noncompliance when you are very much adopting a novel regulatory approach?