The Transportation Security Administration (TSA) has revised and reissued its Security Directive on cybersecurity for critical pipelines and liquified natural gas (LNG) facilities. The new Security Directive takes a more flexible approach and has fewer prescriptive requirements than TSA's prior directives. Among other things, the new Security Directive requires pipeline and LNG facility operators, designated as "critical" by TSA, to develop a Cybersecurity Implementation Plan which must be submitted to TSA for approval. The new Security Directive comes after more than a year of criticism of the TSA's initial efforts to impose mandatory cybersecurity requirements for critical pipeline and LNG facilities.
The ransomware attack against Colonial Pipeline in May of 2021 has proven to be a watershed moment in the way the federal government approaches cybersecurity for its critical pipeline infrastructure assets. In the months following the attack, the TSA issued a series of security directives intended to mitigate the mounting threats to critical infrastructure via mandatory implementation of certain critical cybersecurity measures. These directives were TSA's first-ever mandatory cybersecurity rules for pipelines and LNG facilities.
TSA's initial Security Directive went into effect on May 28, 2021. As outlined by DWT in a prior blog post, the initial Security Directive, titled Security Directive Pipeline-2021-01, required owners and operators of critical pipelines and LNG facilities to conduct a detailed gap assessment of their cybersecurity programs, identify a designated Cybersecurity Coordinator, and ensure their capability to report any information and physical security incidents affecting their IT or operational technology (OT) systems to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identification. Covered operators were given only 30 days to complete the required assessment, raising concerns that TSA was acting too hastily and without industry input in the aftermath of the Colonial Pipeline attack.
The second Security Directive, announced July 20, 2021, and discussed in greater detail in a previous DWT blog post, created additional mandatory cybersecurity rules for owners and operators of critical pipelines and LNG facilities, but was sent directly to designated owners and operators and restricted from public disclosure, thereby hindering valuable opportunities for cooperation within the industry and third-party oversight. In addition to raising concerns regarding the transparency of TSA's regulatory approach, the second Security Directive drew criticism for its overly prescriptive directives, lack of facility-specific flexibility, and aggressive implementation deadlines.
Now, over fourteen months after the Colonial Pipeline attack crippled fuel supplies in parts of the East Coast, TSA has announced the revision of its most recently issued Security Directive, this time with an eye toward "performance-based" measures intended to encourage collaboration, innovation, and customization on the part of the industry. By "performance-based," the TSA refers to an approach intended to allow operators to design tailored cybersecurity programs that are evaluated based on the real benefits to cybersecurity they produce—in contrast to an approach that simply prescribes the blanket adoption of enumerated controls.
TSA's directives thus far, including the new Security Directive, apply only to the 100 facilities that TSA deems most critical, meaning that cybersecurity for all other pipelines and LNG facilities is still addressed through voluntary guidelines. The TSA issued an Information Circular for operators not covered by the mandatory directives in February 2022, and published a set of security guidelines for all operators in 2018 (which were updated in 2021).
Security Directive Pipeline-2021-02C
The revised Security Directive, Security Directive Pipeline-2021-02C, reflects consideration of the pushback to previous iterations and became effective July 27, 2022. As was true for the previously issued Security Directives, Security Directive Pipeline-2021-02C applies only to those pipeline systems or facilities that have been identified by TSA as critical infrastructure. Although Security Directive Pipeline-2021-02C relaxes some of the overly rigid requirements and timelines established in earlier iterations, it continues to emphasize the need for companies to address potential threats to IT and OT system environments. Security Directive Pipeline-2021-02C also introduces several new requirements for TSA-specified owners and operators of critical pipelines and LNG facilities, including:
- Establishing and executing a TSA-approved Cybersecurity Implementation Plan that specifically describes the cybersecurity measures being adopted by each owner or operator;
- Developing a Cybersecurity Incident Response Plan that outlines the specific measures that owners and operators will take following a cybersecurity incident; and
- Creating an annual Cybersecurity Assessment Program to proactively test and audit the effectiveness of any cybersecurity measures adopted by each owner or operator and identify and address vulnerabilities.
TSA's pivot to a performance-based regulatory model grants owners and operators of critical pipelines and LNG facilities the ability to implement tailored compliance measures designed to achieve desired security outcomes, rather than trying to adhere to a "one-size-fits-all" compliance mandate. Increased transparency of TSA's requirements also enables greater industry collaboration and information sharing and allows for individual owners and operators to pilot and socialize innovative approaches to enhancing cybersecurity resiliency.
Despite the TSA's emphasis on increased flexibility for covered operators, the new Security Directive mandates that certain safeguards be incorporated into an organization's Cybersecurity Implementation Plan, including:
- Measures to segment OT and IT systems from each other, such that a compromise of IT systems may not result in the disruption of OT systems (and vice versa); segmentation of IT and OT systems has been a major point of emphasis following the Colonial Pipeline attack, as it has been reported that the company took down its OT systems to avoid infection spreading from its IT systems to its OT systems, such as those that directly manage pipeline operations;
- Access control measures, including implementation of the principles of least privilege (i.e., employees should have access only to systems and data they need to perform their job responsibilities) and separation of duties (i.e., no one employee should have sufficient privileges to perform critical operations entirely on their own);
- Multifactor authentication, or similar measures to supplement password authentication;
- Limits on account sharing;
- Continuous security monitoring and detection activities, including through tools such as email filtering and firewalls, and processes such as log review and analysis; and
- Security patch management processes and tools.
Cybersecurity Implementation Plans must be submitted for TSA approval within 90 days of the Security Directive Pipeline-2021-02C effective date, or by October 25, 2022, but there is no set timeline for TSA to review and approve submissions. Importantly, owners and operators must continue to comply with the second Security Directive's more prescriptive requirements until their Cybersecurity Implementation Plan is approved by TSA. Once the TSA approves an operator's Cybersecurity Implementation Plan, that operator has 60 days to submit its Cybersecurity Assessment Program plan to the TSA for review. The operator must then update its Cybersecurity Assessment Program annually.
TSA has also announced that it intends to open a formal rulemaking process to allow for public comments regarding its directives. DWT will continue to monitor these developments, and stands ready to assist our clients in assessing the risks to their IT and OT systems and preparing their cybersecurity programs to meet evolving regulatory requirements and heightened levels of scrutiny.
This article was originally featured as an privacy and security advisory on DWT.com on August 22, 2022. Our editors have chosen to feature this article here for its coinciding subject matter.