In the weeks that followed a ransomware attack on a domestic pipeline company, the federal government’s efforts to shore up the cybersecurity posture of America’s critical infrastructure and supply chains, including the oil and gas industry, have garnered increased attention. Historically, the oil and gas sector has not been subject to mandatory cybersecurity regulations, but rather was encouraged to follow voluntary security guidelines that were initially published by the Transportation Security Administration (TSA) in 2011 and revised in 2018. Yet the sector’s geographic size, its number of operators and stakeholders, and its importance to the national economy make the oil and gas industry an attractive target for cyberattacks.
Each of these factors raises the question of whether voluntary cybersecurity measures are sufficient to protect this critical infrastructure component. Based on the TSA’s decision to publish the very first Pipeline Security Directive (“Directive”) three weeks after Colonial Pipeline was victimized by a ransomware attack, the answer to this rhetorical question appears to be an emphatic “No.”