Attacks on critical U.S. infrastructure have been on the rise. On April 13, 2022, the U.S. Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) jointly warned that certain advanced persistent threat (APT) actors have demonstrated the capability to gain full system access to multiple industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. The agencies urged energy companies to strengthen their cyber defenses.
In May 2021, Colonial Pipeline Co. experienced a cyberattack that shut down its entire operations for five days. The impact was felt immediately: disrupted domestic fuel supplies throughout the Northeastern United States and increased costs associated with moving millions of barrels of oil by truck, rail and vessel instead of pipeline. Alongside recent efforts by the Biden Administration and Congress to curb the growing impact of foreign adversaries on critical U.S. infrastructure, bolster supply chain resiliency and maintain stable oil and gas prices for everyday Americans, Congress has also moved to strengthen the U.S. federal response to cyber incidents.
Existing Cyber Incident Reporting Requirements for the Energy Sector
The current process for reporting cyber incidents in the oil and gas industry requires energy companies to report directly to the DOE, the Federal Energy Regulatory Commission (FERC), and state and local agencies. Separately, in May and July 2021, the Transportation Security Administration (TSA) issued new, mandatory cybersecurity directives for owners and operators of pipelines, which include a requirement to report all cybersecurity incidents to CISA within 12 hours. A full summary of these rules can be found in this Aug. 17, 2021, article from Holland & Knight attorneys.
CISA Rulemaking on New Cyber Incident Reporting Requirements
In March 2022, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act (Act) as part of the fiscal year (FY) 2022 omnibus appropriations bill. The Act requires owners and operators of critical infrastructure, including companies in the energy sector, to report covered cyber incidents to CISA within 72 hours of reasonably believing that an incident has occurred, and to report ransomware payments within 24 hours of making them. Of particular importance to the energy sector, the Act charges CISA with promulgating regulations that define which entities within the critical infrastructure sectors will be covered by the law and which substantial cyber incidents will trigger the reporting obligation. (See Holland & Knight's previous alert, "Cyber Incident Reporting Requirements for Critical Infrastructure Sectors Signed into Law," March 16, 2022.)
How Can You Ensure CISA's Final Rule Meets the Energy Sector's Cyber Needs?
The Act requires CISA to issue a notice of proposed rulemaking on these definitions within 24 months of the Act's enactment and to issue a final rule within 18 months of publishing the proposed rule. Although the proposed rule has not yet been submitted to the Office of Management and Budget for review, it is critical that the oil and gas industry begin preparing its feedback now. Key questions include: Which oil and gas operators should be subject to the rulemaking and its reporting requirements? What incidents will trigger the new mandatory reporting obligation? What data will companies be required to preserve following a cyber incident? How can the new rules be written so that they do not weaken the strengths of the existing incident reporting processes? How can redundancy and confusion among overlapping DOE, FERC, TSA and CISA reporting requirements be avoided? Should DOE retain its authority as the Sector Risk Management Agency for energy sector cybersecurity?