A new update from the Transportation Security Administration bolsters the security of essential pipeline companies. The revised directive aims to foster preparedness and fortify industry defenses against cyberattacks.
It instructs TSA-specified pipeline stakeholders to annually submit an updated cybersecurity assessment plan (CAP) not only for review, but for approval as well. Owners and operators must submit a CAP schedule for assessing and auditing specific cybersecurity measures. The schedule must ensure that at least 30% of TSA-relevant policies, procedures, measures, and capabilities are evaluated each year so that all are evaluated every three years. An annual report containing the results of the previous year’s assessments is mandated as well.
In addition, the new directive instructs owners and operators to test at least two of their cybersecurity incident response plan (CIRP) objectives annually and identify the employees involved in such exercises. Further, more language has been added informing owners and operators of pipelines that the TSA may notify them to include additional critical cyber systems not identified in the company’s cybersecurity implementation plan.
Published Wednesday in consultation with CISA and the Department of Transportation, it is the third in a series of pipeline security directives since the TSA first began issuing them in July 2021. The first directive came after a May 2021 ransomware attack on the Colonial Pipeline, which provides about 45% of the fuel used on the east coast. Perpetrated by a Russian ransomware gang, it led to a six-day shutdown of the pipeline, gas shortages, and emergency declarations in 17 states. In response, the U.S. Senate passed a law requiring operators of critical infrastructure and federal civilian agencies to report cyber incidents to CISA. Federal agencies like the TSA took note, too, introducing new cybersecurity requirements.
In a press release announcing the update, TSA administrator David Pekoske said, “Earlier versions [of the directive] required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans. We will continue to work with our partners in the transportation sector to increase cybersecurity resilience throughout the transportation system and acknowledge the significant work over the past year to protect critical infrastructure.”
Many of the measures found in the July 2021 directive and renewed in July 2022 will remain in place. Those include disclosing cyber incidents to CISA, identifying a cybersecurity point of contact, and conducting cybersecurity vulnerability assessments.
