In the immediate aftermath of the devastating ransomware attack on Colonial Pipeline, the U.S. Transportation Safety Administration (TSA) issued in May 2021 a hastily prepared security directive that required oil and gas pipeline companies to report every security incident to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 12 hours after they identify it. Companies that fail to meet this and other security requirements in the directive are reported to be subject to fines starting at $7,000 per day.
