The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has issued a new Security Directive, developed with input from industry, for pipeline owners and operators to implement cybersecurity measures.
The directive focuses on performance-based – rather than prescriptive – measures to bolster pipeline cybersecurity. Industry stakeholders and Federal partners provided input for the directive, including the Cybersecurity and Infrastructure Security Agency (CISA).
“TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry,” TSA Administrator David Pekoske said in a statement. “The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements.”
The directive builds upon the initial Security Directive that TSA issued in May 2021, following the Colonial Pipeline ransomware attack. The updated directive aims to provide more flexibility to owners and operators to meet security outcomes.
It requires all owners and operators to submit a Cybersecurity Implementation Plan for TSA approval that details the specific cybersecurity measures they are using. Additionally, pipeline owners and operators will need to develop and maintain a Cybersecurity Incident Response Plan, along with a Cybersecurity Assessment Program to proactively test the effectiveness of cyber measures.
“We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes,” Pekoske added. “We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”