August 25, 2015 Articles

The Legal Cybersecurity Landscape for Pipeline Companies

The potential coalescence of legal standards and best practices into an applicable standard of care.

By Jay Johnson – August 25, 2015

A Connecticut court recently determined that the Health Insurance Portability and Accountability Act privacy rule, 42 U.S.C. § 1320d-6, and its implementing regulations “may be utilized to inform the standard of care applicable to . . . claims arising from allegations of negligence in the disclosure of patient’s medical records pursuant to a subpoena.” Byrne v. Avery Ctr. for Obstetrics & Gynecology, 2014 WL 5507439, at *8 (Conn. Nov. 11, 2014). In other words, the court determined that federal health care information privacy standards may be used to define the applicable standard of care against which the defendant company will be judged when defending a state law tort claim. Byrne is limited to tort claims based on health care information in Connecticut. Nonetheless, proactive energy pipeline compliance professionals should be mindful of what the decision more broadly may signal—namely, an attempted coalescence, by plaintiffs, of otherwise inapplicable or voluntary legal standards and best practices into an applicable standard of care against which a company’s cybersecurity practices may be judged.

To be sure, though state and federal privacy and data protection laws generally may apply to pipeline companies depending on a variety of circumstances, mandatory cybersecurity obligations for pipeline operation, at present, do not exist. But the potential misuse of supervisory control and data acquisition (SCADA) and other pipeline-related information can lead to environmental consequences and can negatively affect human health and safety, creating potential liabilities for pipeline companies under state tort law. The modernization of pipeline SCADA systems, with increased connectivity and open architectures, and the “emergence of SCADA-specific malicious software,” make the threat of such misuse very real. Paul W. Parfomak, Cong. Research Serv., Keeping America’s Pipelines Safe and Secure: Key Issues for Congress (Jan. 9, 2013); see also Scott McPherson, “First True SCADA-Specific Malware Detected,” Computerworld, July 22, 2010. Byrne thus serves as a warning that plaintiffs may improperly attempt to borrow cybersecurity standards for pipeline operation from other laws, as well as from recommended guidance and other best practices for pipeline companies, to establish a reasonable standard of care against which pipeline operators are held accountable. And to do so, they may attempt to draw from a variety of sources. Consider the following:

  • On February 12, 2013, President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity,” Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013), which among other things required the National Institute of Standards and Technology (NIST) to develop the voluntary Framework for Improving Critical Infrastructure Cybersecurity. See NIST, Cybersecurity Framework, Version 1.0 (Feb. 12, 2014). In it, NIST recommends risk-based measures for improving the cybersecurity of critical infrastructure. The U.S. Department of Energy subsequently issued implementation guidance for energy sector owners and operators for incorporating the Cybersecurity Framework as part of their existing cybersecurity and risk management programs. See U.S. Dep’t of Energy, Energy Sector Cybersecurity Framework Implementation Guidance (Jan. 2015).
  • The Transportation Security Administration’s Pipeline Security Guidelines provide cybersecurity recommendations for pipeline operators, including general security measures, information security coordination and responsibilities, system lifecycle considerations, and system restoration and recovery planning. See Transp. Sec. Admin., Pipeline Security Guidelines (Apr. 2011).
  • The Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS) apply to high-risk chemical facilities and establish 18 risk-based performance standards by which a covered facility’s security posture will be examined, including cybersecurity. U.S. Dep’t of Homeland Sec., Risk-Based Performance Standards Guidance—Chemical Facility Anti-Terrorism Standards (May 2009). The department’s guidance identifies a number of cybersecurity measures for consideration, including the maintenance of effective security policies, plans, and procedures; access controls; awareness and training; cybersecurity controls, monitoring, response, and reporting; and post-incident disaster recovery and business continuity measures.
  • The North American Electric Reliability Corporation (NERC) implements and enforces standards for increasing the reliability of the bulk power system. In 2009, NERC adopted cybersecurity standards—Critical Infrastructure Protection (CIP) standards—intended to secure critical energy infrastructure from cybersecurity threats. While the CIP standards currently apply only to operators of electric energy transmission networks and facilities, NERC has published studies recognizing the country’s increased dependence on natural gas, and natural gas pipelines by implication, for electric power. See NERC, 2013 Special Reliability Assessment: Accommodating an Increased Dependence on Natural Gas for Electric Power, Phase II: A Vulnerability and Scenario Assessment for the North American Bulk Power System (May 2013).

In addition, state data protection laws are increasing in number and sophistication, and industry groups such as the American Petroleum Institute, the Interstate Natural Gas Association of America, and others have provided additional cybersecurity guidance and recommendations.

Byrne has nothing to do with pipeline security, SCADA systems, or best practices in the energy sector. But opportunistic plaintiffs may argue otherwise. Oil and gas practitioners would be wise to recommend to proactive pipeline clients that they consider using the aforementioned standards and guidance to inform their own practices. An audit of a pipeline operator’s existing cybersecurity measures, followed by the well-documented development of and compliance with an internal set of best practices, is a prudent undertaking.

Keywords: litigation, energy, cybersecurity, supervisory control and data acquisition, SCADA, pipeline companies

Jay Johnson is of counsel in Jones Day's cybersecurity, privacy, and data protection practice, in the firm's Dallas, Texas, office.

Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).