Following significant collaboration with industry, the Transportation Security Administration (TSA) has issued a revised guidance, effective July 27, 2022, which updates one of the previous guidance issued following a May 2021 cyberattack on one of the nation’s largest interstate oil pipelines. . Similar to previous guidance, this latest version, Pipeline Safety Directive-2021-02C, incorporates several key changes that provide more flexibility to operators of critical pipelines and LNG infrastructure that are subject to the guidance. This includes employing a performance-based rather than prescriptive safety results model, which is more aligned with federal pipeline safety regulations and allows operators to develop plans tailored to their pipeline systems. The updated directive, along with part of the previous directive 2021-02B, is due to expire within one year, July 27, 2023, during which time the TSA intends to continue rulemaking. formal.
The TSA remains concerned that the risks to critical pipeline systems and LNG facilities continue to be elevated. As such, the TSA requires in its most recent directive that the following additional protocols be developed and incorporated into response plans:
- Cybersecurity Implementation Plan. This plan must be submitted to the TSA for approval within 90 days of the effective date of the guidance (i.e. by October 25, 2022). The plan must provide specific measures and a proposed timetable for the implementation of network segmentation policies and controls, access control measures, access rights management policies and controls; policies that limit the availability and use of shared accounts, ongoing monitoring and detection procedures; and policies to reduce the risk of exploitation of unpatched systems.
- Cyber Security Incident Response Plan.
- Cyber Security Assessment Program (including annual submission of cybersecurity effectiveness and vulnerability assessment plans).
In particular, until a cybersecurity implementation plan is approved by the TSA, owners/operators of critical pipelines and LNG facilities are required to continue to implement the Pipeline Security Directive- 2021-02B of July 2021, attached to the new security directive Pipeline-2021-02C, as well as any action plan or alternative measure approved by the TSA. In part, these new requirements reflect feedback from the pipeline and LNG industry on previous guidance, particularly with respect to providing greater flexibility for safety practices involving operational technology systems ( OT) as opposed to the previous focus on information technology (IT) systems. In addition, Safety Directive Pipeline-2021-01B update (which on May 29, 2022 superseded Safety Directive Pipeline-2021-01A May 2021) revised reporting requirements to impose the declaration within 24 hours (instead of 12 hours) .
The TSA’s requirements for owners and operators of critical pipelines and LNG facilities, however, remain stringent. In a press release on the latest directive, TSA Administrator David Pekoske said, “We recognize that every business is different, and we’ve developed an approach that recognizes that fact, backed by monitoring and ongoing auditing to assess achievement of necessary cybersecurity outcomes. “It remains to be seen whether the performance-based approach actually provides sufficient flexibility for owners and operators of critical pipelines and LNGs, and a number of prescriptive requirements remain in the updated guidance.
Although the latest revision is encouraging and the wording of the guidance indicates more flexible requirements for industry, owners and operators of critical LNG pipelines and facilities should seek expert advice when developing, implementing and evaluating their incident response plans to ensure they stay on track with the ever-changing standards.