The Department of Homeland Security Requires Pipeline Operators to Set Cybersecurity Safeguards

Publish Date


Cyber Alert

  • Cybersecurity
  • Portfolio Company Risk Management

The U.S. Transportation Security Administration (TSA) of the Department of Homeland Security (DHS) have issued a directive to operators of fuel and gas pipelines that requires them to improve their cybersecurity defenses. The directive obligates private sector pipeline operators to implement protections against ransomware attacks and against other cyber threats to information technology and operational systems. The directive further requires pipeline operators to conduct a cybersecurity architecture design review, as well as develop contingency and recovery plans.

This directive supplements the previous TSA directive to the pipeline sector, issued in May of 2021. That directive required pipeline owners and operators to report cybersecurity incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), to designate an always-available cybersecurity coordinator, to review current practices, to review current risks, and to report remediation steps to the TSA and to CISA.

Both directives come on the heels of the recent spate of large-scale ransomware attacks (e.g., Colonial Pipeline), as well as CISAs recent disclosure that the energy sector has been specifically targeted by Chinese state-sponsored hackers over a two-year period, during which 23 natural gas operators were attacked and at least 13 systems were compromised.

ACA guidance

ACA recommends that private equity firms with energy companies in their portfolio proactively ensure those companies are following this government directive, and include this as part of their oversight.

The TSA directive reflects a change in approach to cybersecurity, taking it from a voluntary to a mandated effort. As quoted, the specifics of the directive are considered sensitive security information, and will be distributed by the government to those with a need to know.

In general, companies in the energy sector must implement cybersecurity safeguards as stipulated by the federal government, including actively assessing the status of their cybersecurity programming, defending against ransomware and other attacks, developing and refining contingency planning, establishing a cybersecurity coordinator, and reporting risks and remediations to the TSA and CISA. ACA Aponix will release updated guidance as more information becomes available.

How we help

ACA Aponix can help firms prepare with a thorough assessment of cybersecurity risk.

In addition, ACA Aponix offers the following solutions that can help your company protect itself in relation to ransomware and other cyber attacks, as well as address and implement protections mandated by the government.

Download our Aponix Protect cybersecurity solution brochure.

If you have any questions, please contact your ACA Aponix consultant or contact us here.