TSA Updates Cybersecurity Requirements for "Critical" Pipelines and LNG Facilities

On July 26, 2023, the Transportation Security Administration (TSA) issued a revised Security Directive governing the cybersecurity practices of owners and operators of critical liquid and natural gas pipelines and liquified natural gas (LNG) facilities. The new Security Directive, Security Directive Pipeline 2021-02D, largely builds on its predecessor directive's flexible approach and adds more detailed requirements related to cybersecurity program testing, reporting, and documentation. The Security Directive became effective the day after it was issued.

Background

The TSA began issuing a series of Security Directives on cybersecurity for critical pipelines and LNG facilities in spring of 2021 following the high-profile cyberattack on Colonial Pipeline. The Security Directives apply to owners and operators of pipeline and LNG facilities deemed "critical" by TSA. The initial Security Directive, Security Directive-Pipeline-2021-01, which went into effect on May 28, 2021, was the TSA's first set of mandatory cybersecurity rules for critical pipelines and LNG facilities. Previously, the agency had issued only nonbinding guidance, including its 2018 Pipeline Security Guidelines. The TSA has since issued four additional Security Directives on pipeline and LNG facility cybersecurity and has provided notice to owners and operators it deems subject to these directives.

The TSA's Security Directives reflect the agency's evolving approach to cybersecurity regulation. Security Directive-Pipeline-2021-01 took a relatively rigid and prescriptive approach (DWT summarized Security Directive-Pipeline-2021-01 in a prior blog post). After issuing two additional directives,[1] the TSA issued Security Directive Pipeline-2021-02C, which went into effect on July 27, 2022 (outlined by DWT here). That Security Directive sought to address the shortcomings of the TSA's prior issuances by giving covered owners and operators greater flexibility in designing and customizing their cybersecurity programs. Specifically, Security Directive Pipeline 2021-02C shifted from mandating specific cybersecurity activities for owners and operators of critical pipelines and LNG facilities to defining required outcomes and allowing those owners and operators of critical pipelines and LNG facilities to implement tailored, facility-specific compliance measures.

Security Directive Pipeline 2021-02C represented a pivot from prescriptive guidelines to a performance-based regulatory model in response to industry feedback following issuance of Security Directive-Pipeline-2021-01 and mandated the creation and implementation of certain cybersecurity plans and programs. Security Directive Pipeline 2021-02C struck this balance by establishing required outcomes while allowing covered owners and operators to propose compliance measures tailored to meet the needs of their individual facilities. The requirements of Security Directive Pipeline 2021-02D introduce additional rigor but retain much of the flexibility introduced under Security Directive Pipeline 2021-02C, allowing critical facility owners and operators to build upon the compliance measures they have already implemented.

Overview of Security Directive Pipeline-2021-02D

Security Directive Pipeline 2021-02D arrives more than two years after the now-notorious Colonial Pipeline cyberattack but during a time of similarly heightened awareness of the growing threats to sensitive infrastructure, as highlighted by the recent cybersecurity incident impacting Suncor Energy in Canada, which impacted the oil and gas producer's supplier payments and retail operations. The new directive introduces a number of requirements and makes various changes to Security Directive Pipeline 2021-02C. Key changes include:

• A requirement for owners and operators who determine that they do not have "Critical Cyber Systems"—i.e., any Information or Operational Technology (IT/OT) system or data that if compromised or exploited could result in operational disruption—to notify the TSA of that determination within 60 days. Those owners and operators must reevaluate that determination if they change their method of operations and must notify TSA within 60 days if they determine that they have Critical Cyber Systems in light of the operational change.
• New required procedures for handling amendments to an owner or operator's TSA-approved "Cybersecurity Implementation Plan" ("CIP") based on revisions to the Security Directive—i.e., the specific description of the cybersecurity measures being adopted by each owner or operator;
• The ability for TSA to identify new Critical Cyber Systems not previously included in an owner or operator's TSA-approved CIP following consultation with that owner or operator;
• A requirement for annual testing of at least two objectives of the owner or operators "Cybersecurity Incident Response Plan"—i.e., the specific measures that owners and operators will take following a cybersecurity incident—and inclusion of employees responsible for implementing the specific measures in the plan in that testing. Previous Security Directives required annual testing but did not specify the number of objectives to be tested or the individuals to be involved.
• Use of the term "Cybersecurity Assessment Plan" instead of the term "Cybersecurity Assessment Program" established under Pipeline 2021-02C. A Cybersecurity Assessment Plan ("CAP") refers to an owner or operator's plan to proactively test and audit the effectiveness of any cybersecurity measures adopted by each owner or operator and identify and address vulnerabilities. According to the TSA, this new terminology reflects several new requirements, including that the required annual updates to an owner or operator's CAP must be reviewed and approved by TSA, that CAPs must include a schedule for auditing at least 30 percent of the owner or operator's CIP annually, and that an annual CAP Report—covering all assessments conducted in accordance with the CAP over the previous year—must be submitted to TSA for review.
• A mandate that all plans, assessments, tests, and evaluations used to comply with the Security Directive be explicitly incorporated by reference in the owner or operator's CIP.
• A new requirement that all required documentation be submitted in the manner prescribed by TSA.[2]

What's next for owners and operators of critical pipeline and LNG facilities?

TSA's revised Security Directive is effective as of July 27, 2023, and those owners and operators who were subject to the prior directives are also subject to this one. Compliance will require owners and operators to make further updates to their cybersecurity programs, but the new measures' focus on testing of and reporting on compliance with the requirements implemented under Security Directive Pipeline 2021-02C should make the necessary changes fairly modest. For its part, the TSA has indicated that it intends to continue the formal rulemaking process to codify key cybersecurity requirements for the pipeline and rail that it began last fall, with issuance of a notice of proposed rulemaking expected in September 2023.

DWT will continue to monitor these developments and stands ready to assist our clients in assessing the risks to their IT and OT systems and preparing their cybersecurity programs to meet evolving regulatory requirements and heightened levels of scrutiny.