Guidance 3.0: TSA Issues a Third Directive on Pipeline Security

On July 21, 2022, the TSA issued its Security Directive Pipeline-2021-02C (the “Third Directive”). The Third Directive applies to owners and operators of pipelines and liquified natural gas facilities that the TSA has identified as “critical” and that have been previously notified that they are covered by the scope of the Security Directive Pipeline-2021-02 series.

The second directive faced criticism from industry representatives and cybersecurity experts for failing to account for the IT structure specific to industrial control systems, such as pipelines, where systems include both Operational Technology and Information Technology. Other commentators have called for a different approach, suggesting that regulators focus on the enforcement of industry-created technical standards. TSA reportedly considered feedback from pipeline owners and operators, as well as other federal agencies, in drafting the Third Directive, and as a result, the Third Directive appears to take a more flexible approach than earlier iterations.

Earlier Guidance

The Third Directive comes on the heels of two other directives, which were issued in close succession.

The TSA’s May 27, 2021 directive was issued in the same month as the Colonial Pipeline incident and required owners and operators of critical pipelines to designate a Cybersecurity Coordinator who must be available to TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) 24-hours a day, seven days a week. Under the May 27, 2021 directive, operators are also required to review current practices to assess cyber risks and report the results to TSA and CISA and, significantly, to report cybersecurity incidents to CISA no more than 12 hours after an incident is identified.

On July 20, 2021, the TSA issued its second directive. The second directive was designated “sensitive security information” and shared only on a need-to-know basis before its eventual declassification and release to the public in June of 2022. The July 20, 2021 directive faced criticism from industry experts and cybersecurity experts for its failure to account for the IT structure typical of industrial control systems. It has now been replaced by the Third Directive.

New Requirements

Under the latest version of TSA’s guidance, owners and operators of critical pipelines are required to submit a cybersecurity implementation plan to the TSA for approval. Once the plan is approved, it must be implemented. Operators are also required to develop and maintain an up-to-date cybersecurity incident response plan and cybersecurity assessment program.

Cybersecurity Implementation Plan

Pipeline owners must submit a cybersecurity implementation plan to TSA for approval. Until the plan is approved, the pipeline owner is advised to continue to follow the guidance of earlier directives or previously approved alternative measures. The required cybersecurity implementation plan must include certain specified access control measures including:

• Network segmentation policies and controls designed to prevent disruption of the Operational Technology system if the Information Technology systems is compromised or vice versa,
• Schedules for secret authenticator resets,
• Multifactor authentication or compensating controls for industrial control workstations,
• Policies and procedures to manage access rights based on the principles of least privilege and separation of duties, and
• Standards that limit the use of shared accounts.

Continuous monitoring and detection policies and procedures are also required, including capabilities and procedures to:

• Prevent phishing email attacks;
• Prohibit communications with known or suspected malicious IP addresses;
• Block and prevent unauthorized code, including macro scripts, from executing;
• Monitor and/or block connections from known or suspected malicious command and control systems;
• Collect and maintain logs in order to analyze data for potential intrusions and anomalous behavior;
• Mitigation measures or manual controls to ensure industrial control systems can be isolated when a cybersecurity incident in the Information Technology system creates a risk to the safety and reliability of the Operational Technology system; and
• A patch management strategy that prioritizes CISA’s Known Exploited Vulnerabilities Catalog.

Cybersecurity Incident Response Plan

The Third Directive further requires pipeline owners and operators to develop and maintain a cybersecurity incident response plan, which must provide for:

• Containment of infected devices,
• Segregation of any infected networks,
• Preserving volatile memory of affected devices,
• Security and integrity of backed-up data,
• Established capability and governance for isolating the Information Technology and Operational Technology systems in the event of a cybersecurity incident,
• Annual exercises to test the effectiveness of procedures and implementing personnel, and
• Identification of personnel responsible for implementing specific measures in the incident response plan.

Cybersecurity Assessment Program

To ensure effective execution of the cybersecurity implementation plan, the pipeline owner must develop a so-called cybersecurity assessment program that includes an architectural design review at least once every two years and incorporates other assessment capabilities, such as penetration testing and the use of adversarial-style team testing.

The cybersecurity assessment program must be submitted no later than 60 days after TSA approval of the cybersecurity implementation plan, and operators must update and resubmit the plan annually.

More Regulation to Come

In addition to the TSA’s Third Directives, companies in critical infrastructure sectors should be aware of other cybersecurity regulations on the horizon. The following are expected to come into effect in the near term:

• CISA
  • In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was signed into law. CIRCIA directs CISA to complete mandatory rulemaking activities before reporting requirements take effect. Under CIRCIA, covered entities will be required to report cybersecurity incidents and ransomware payments to CISA within 72 and 24 hours, respectively. A future CISA rule is expected to detail which entities among identified critical infrastructure sectors will be subject to the rule.
• EPA
  • In late July 2022, the EPA was reportedly close to adding cybersecurity requirements to accompany its existing assessments of U.S. critical water facilities. As of this writing, it is unclear when the EPA guidance will be released.

What This Means For You

The Third Directive signals the government’s continued, heightened focus on the cybersecurity practices of critical infrastructure systems. Because the guidance is so new, and because information about compliance with the guidance is often classified, there is uncertainty surrounding the TSA’s enforcements of the Third Directive. Pipeline operators within the scope of the Third Directive should assess current cybersecurity practices on an ongoing basis. Those practices should be compared to those set out in the Third Directive, and an action plan should be developed in conjunction with subject matter experts.

V&E assists clients in identifying, managing, and mitigating cybersecurity risks, from early planning and assessment to managing incident response and resulting investigations and litigation.