The Transportation Security Administration (TSA) revised and reissued its Security Directive regarding oil and natural gas pipeline cybersecurity. This revised directive will continue the effort to build cybersecurity resiliency for critical pipelines.

Developed with extensive input from industry stakeholders and federal partners, including the Department’s Cybersecurity and Infrastructure Security Agency (CISA), the reissued security directive for critical pipeline companies follows the directive announced in July 2021.

The directive extends cybersecurity requirements for another year and focuses on performance-based — rather than prescriptive — measures to achieve critical cybersecurity outcomes. TSA also intends to begin the formal rulemaking process, which will provide the opportunity for the submission and consideration of public comments.

The reissued security directive takes an innovative, performance-based approach to enhancing security, allowing the industry to leverage new technologies and be more adaptive to a changing cybersecurity environment.

The security directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas facilities take action to prevent disruption and degradation to their infrastructure to achieve the following security outcomes:

  1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate if an Information Technology system has been compromised and vice versa;
  2. Create access control measures to secure and prevent unauthorized access to critical cyber systems;
  3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
  4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Pipeline owners and operators are required to:

  1. Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes outlined in the security directive.
  2. Develop and maintain a Cybersecurity Incident Response Plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident.
  3. Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.

These requirements are in addition to the previously established requirement to report significant cybersecurity incidents to CISA, establish a cybersecurity point of contact and conduct an annual cybersecurity vulnerability assessment.

To view TSA’s security directives and guidance documents, please visit the TSA Cybersecurity Toolkit.