The Increasing Cyber Threat to OT Gas Pipelines
The U.S. relies on pipelines to deliver natural gas, oil, and other hazardous liquids that power vehicles, heat homes, and more. Today, the nation's pipelines are vulnerable to cyberattacks because they increasingly rely on computer systems. In May 2021, malicious cyber actors deployed ransomware against Colonial Pipeline's business systems, which led the company to shut down certain systems that monitor and control physical pipeline functions to protect them from attack.
On July 20, 2021, the Transportation Security Administration (TSA) issued a directive classified as "sensitive security information," to be shared only when necessary; it was eventually released in June 2022. Industry and cybersecurity experts criticized the July 20, 2021 directive for not considering IT structures typical of industrial control systems, so it was replaced with a third directive.
The third directive shows that governments continue to pay close attention to cybersecurity measures for critical infrastructure systems. Operators of pipelines that fall within the scope of the third directive need to assess their current cybersecurity practices continually. These practices should be compared to the third directive, and action plans should be developed in collaboration with subject matter experts.
Specifically, the requirements are intended to ensure that owners and operators of pipelines and LNG facilities covered by the TSA Directive take steps to prevent their systems from being compromised and disrupted in a security incident.
The new requirements include the following:
Cybersecurity Implementation Plan
The latest version of the TSA directive requires owners and operators of critical pipelines to submit their cybersecurity implementation plans to TSA for approval. Once the plan is approved, it must be implemented.
Cybersecurity Incident Response Plan
Continuous tracking and detection policies and processes are also required, including capabilities and processes to prevent, block, monitor, and respond to vulnerabilities in the CISA catalog of known vulnerabilities, and to respond appropriately to cybersecurity incidents.
Cybersecurity Assessment Program
To ensure effective implementation of the cybersecurity plan, the pipeline owner must develop a cybersecurity assessment program that includes an architectural design review at least every two years and other assessment capabilities such as penetration testing and adversary team testing. The cybersecurity assessment program must be submitted no later than 60 days after TSA approves the cybersecurity plan, and operators must update and resubmit the plan annually.
Cyberattacks, such as the May 2021 attack on Colonial Pipeline's IT networks, threaten pipeline security and force regulators and pipeline operators to act.