To be sure, though state and federal privacy and data protection laws generally may apply to pipeline companies depending on a variety of circumstances, mandatory cybersecurity obligations for pipeline operation, at present, do not exist. But the potential misuse of supervisory control and data acquisition (SCADA) and other pipeline-related information can lead to environmental consequences and can negatively affect human health and safety, creating potential liabilities for pipeline companies under state tort law. The modernization of pipeline SCADA systems, with increased connectivity and open architectures, and the “emergence of SCADA-specific malicious software,” make the threat of such misuse very real. Paul W. Parfomak, Cong. Research Serv., Keeping America’s Pipelines Safe and Secure: Key Issues for Congress (Jan. 9, 2013); see also Scott McPherson, “First True SCADA-Specific Malware Detected,” Computerworld, July 22, 2010. Byrne thus serves as a warning that plaintiffs may improperly attempt to borrow cybersecurity standards for pipeline operation from other laws, as well as from recommended guidance and other best practices for pipeline companies, to establish a reasonable standard of care against which pipeline administrators are held accountable. And to do so, they may attempt to draw from a variety of sources. Consider the following:
- On February 12, 2013, President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity,” Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013), which among other things required the National Institute of Standards and Technology (NIST) to develop the voluntary Framework for Improving Critical Infrastructure Cybersecurity. See NIST, Cybersecurity Framework, Version 1.0 (Feb. 12, 2014). In it, NIST recommends risk-based measures for improving the cybersecurity of critical infrastructure. The U.S. Department of Energy subsequently issued implementation guidance for energy sector owners and operators for incorporating the Cybersecurity Framework as part of their existing cybersecurity and risk management programs. See U.S. Dep’t of Energy, Energy Sector Cybersecurity Framework Implementation Guidance (Jan. 2015).
- The Transportation Security Administration’s Pipeline Security Guidelines provide cybersecurity recommendations for pipeline operators, including general security measures, information security coordination and responsibilities, system lifecycle considerations, and system restoration and recovery planning. See Transp. Sec. Admin., Pipeline Security Guidelines (Apr. 2011).
- The Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS) apply to high-risk chemical facilities and establish 18 risk-based performance standards by which a covered facility’s security posture will be examined, including cybersecurity. U.S. Dep’t of Homeland Sec., Risk-Based Performance Standards Guidance—Chemical Facility Anti-Terrorism Standards (May 2009). The department’s guidance identifies a number of cybersecurity measures for consideration, including the maintenance of effective security policies, plans, and procedures; access controls; awareness and training; cybersecurity controls, monitoring, response, and reporting; and post-incident disaster recovery and business continuity measures.
- The North American Electric Reliability Corporation (NERC) develops and enforces standards for increasing the reliability of the bulk power system. In 2009, NERC adopted cybersecurity standards—the Critical Infrastructure Protection (CIP) standards—intended to secure critical energy infrastructure from cybersecurity threats. While the CIP standards currently apply only to owners and operators of bulk electric system networks and facilities, NERC has published studies recognizing the country’s increased dependence on natural gas, and natural gas pipelines by implication, for electric power. See NERC, 2013 Special Reliability Assessment: Accommodating an Increased Dependence on Natural Gas for Electric Power, Phase II: A Vulnerability and Scenario Assessment for the North American Bulk Power System (May 2013).
In addition, state data protection laws are increasing in number and sophistication, and industry groups such as the American Petroleum Institute, the Interstate Natural Gas Association of America, and others have provided additional cybersecurity guidance and recommendations.
Byrne has nothing to do with pipeline security, SCADA systems, or best practices in the energy sector. But opportunistic plaintiffs may argue otherwise. Oil and gas practitioners would be wise to recommend to proactive pipeline clients that they consider using the aforementioned standards and guidance to inform their own practices. An audit of a pipeline operator’s existing cybersecurity measures, followed by the well-documented development of and compliance with an internal set of best practices, is a prudent undertaking.
Keywords: litigation, energy, cybersecurity, supervisory control and data acquisition, SCADA, pipeline companies
Jay Johnson is of counsel in Jones Day's cybersecurity, privacy, and data protection practice, in the firm's Dallas, Texas, office.