The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies. The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth in its predecessor directives (SD 2021-02A and SD 2021-02B) issued by the TSA last year. The change in approach reflects the significant feedback TSA received from the pipeline industry that many of the previous requirements were unworkable for their particular cyber environments. SD02C takes more of a result-based approach that provides more flexibility to achieve the outcomes called for under the directive. TSA Administrator David Pekoske explained in a press release:
“This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements. We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.”
SD02C extends for another year the emergency cybersecurity requirements for critical pipeline companies put in place by TSA on May 26, 2021 in response to the ransomware attack that caused the Colonial Pipeline Company to halt its vast gasoline and jet fuel pipeline operations to contain the impact of the attack.
The revised security directive requires designated critical pipeline owners and operators to implement measures to achieve the following security outcomes:
- develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
- create access control measures to secure and prevent unauthorized access to critical cyber systems;
- implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
- reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
Each owner/operator must submit a Cybersecurity Implementation Plan that describes the specific cybersecurity measures employed and the schedule for achieving these outcomes to the TSA for approval no later than October 25, 2022. Once approved, this Plan will set the security measures and requirements against which TSA will inspect the owner/operator for compliance.
Pipeline owners/operators are also required to:
(1) develop and maintain a Cybersecurity Incident Response Plan to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity should their information or operational technology systems be affected by a cybersecurity incident (note that the attack on the Colonial Pipeline system targeted its billing functionality); and
(2) establish a Cybersecurity Assessment Program, and submit to the TSA an annual plan that describes how the owner/operator will proactively and regularly assess the effectiveness of its cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities.
Until the TSA approves the Cybersecurity Implementation Plan, each critical pipeline owner/operator must continue to implement specific measures from the previous Security Directive 2021-02B as modified by any TSA-approved alternative measure or action plan.
To the extent the TSA has already approved alternative measures or an action plan for a particular owner/operator, those will remain in force and effect until completed or rescinded by TSA. TSA stated that it recognizes that owners/operators may incorporate measures or a schedule for implementation into their proposed Cybersecurity Implementation Plan that are different from those in their previously issued action plans. TSA will work with owners/operators on appropriate modifications to any previously issued action plans as part of their process for approval of the submitted Plan.
While the TSA’s shift to a performance-based, security-outcome-driven approach in SD02C is a welcome change from the previous prescriptive requirements, which did not provide pipeline owners/operators with needed flexibility for their specific environments, the cybersecurity measures imposed under SD02C will still require significant planning, time, and resources for most owners/operators to fully implement. As we saw with the previous Security Directives, owners/operators must be prepared for TSA audits of compliance, and carefully document the steps taken to show compliance with SD02C.