The Department of Homeland Security’s Transportation Security Administration (“TSA”) has issued an amended directive on pipeline security, SD-Pipeline-2021-02D (the “Directive”). The Directive is based on and supersedes the previous directive, SD-Pipeline-2021-02C, and is the latest in a series of TSA directives issued in the wake of the Colonial Pipeline ransomware attack. As before, the Directive applies to TSA-designated hazardous liquid and natural gas pipelines or liquefied natural gas facilities.
The newly amended Directive took effect on July 27, 2023 and expires July 27, 2024. If the TSA identifies new in-scope owners and operators, the TSA will provide specific compliance deadlines for the requirements of the Directive.
Significant Changes
The Directive continues to require owners and operators of critical pipelines and liquefied natural gas facilities to implement cybersecurity measures—such as reporting incidents, designating a cybersecurity coordinator, and reviewing current practices—in an effort to improve resiliency. The newly amended Directive introduces four significant changes.
New Cybersecurity Assessment Plan
First, the Directive now requires a Cybersecurity Assessment Plan (“CAP”), as opposed to the “program” required by earlier iterations.1 Owners and operators must now test at least 30% of measures and capabilities implemented under a CAP, with 100% to be tested over any three-year period. In addition, owners and operators must create a “CAP Report” and provide it to the TSA for annual review. This CAP Report must include results of CAP assessments and disclose implemented methodology.
Alternative Measures Questioned
Second, the Directive removes the alternative measures safe harbor present in earlier directives.2 This earlier mechanism allowed owners and operators to implement cybersecurity measures different from those prescribed by the directive, subject to TSA approval.
The newly amended Directive states that alternative measures are “no longer relevant” given that all currently identified critical owners and operators have a TSA-approved Cybersecurity Implementation Plan in place. It is unclear whether owners and operators of pipelines that become subject to the Directive at some later point will have the opportunity to request compliance through alternative measures.
Notice of Status Changes
“Critical Cyber Systems” are defined as those systems that are essential for the safe and efficient operation of the pipeline and that, if compromised, could result in an operational disruption.
After a change in operations occurs, owners and operators must now reassess whether their systems qualify as “Critical Cyber Systems” and notify the TSA accordingly.3 Owners and operators have 60 days to notify the TSA of a change in status.
Required Testing
Finally, the Directive now requires that critical pipeline owners and operators test at least two of the objectives found within their Cybersecurity Incident Response Plan annually.4 Employees identified in the plan must be involved as “active participants in the exercises.”
What This Means for You
Many of the TSA’s changes make intuitive sense. Testing cybersecurity policies, for example, is essential and allows entities to evaluate the policies’ workability in real-world conditions.
The Directive reflects TSA’s ongoing efforts to enhance the cybersecurity of the nation’s oil and gas pipelines, which are often critical infrastructure systems. Pipeline operators within the scope of the Directive should compare their current practices to those required by the new Directive and reach out for assistance as necessary.
1 Security Directive (SD) Pipeline-2021-02D § II.G.
2 SD § III.A.
3 SD § II.A.3.
4 SD § III.F.1.