Regulatory interest in securing the nation’s energy infrastructure continued in 2023. On July 26, 2023, the Transportation Security Administration (TSA) announced significant updates to its security directive aimed at enhancing and testing cybersecurity for certain pipelines and liquified natural gas (LNG) facilities. This move underscored the TSA’s continued focus on fortifying the nation’s critical infrastructure against cyber threats.
TSA’s new security directive, SD Pipeline-2021-02D, is titled “Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing.” Developed with industry stakeholders, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation, the revised directive seeks to not only bolster, but also test, the cybersecurity preparedness and resilience of critical infrastructure. In support for the revised directive, TSA Administrator David Pekoske emphasized the importance of testing cybersecurity readiness:
“TSA is committed to keeping the nation’s transportation systems secure in this challenging cyber threat environment. This revised security directive sustains the strong cybersecurity measures already in place for the oil and natural gas pipeline industry.
“Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans. We will continue to work with our partners in the transportation sector to increase cybersecurity resilience throughout the transportation system and acknowledge the significant work over the past year to protect critical infrastructure.”
The security directive currently applies to “Owners/Operators of TSA-designated hazardous liquid and natural gas pipelines or [LNG] facilities” who were “previously notified” by TSA that their pipeline system or facility is “critical.” The revised directive affirms that “[a]ll currently identified critical Owner/Operators have a TSA-approved Cybersecurity Implementation Plan in place.” However, the TSA can seek to designate new owners/operators as “critical” with resulting compliance requirements.
Key provisions of the current security directive include:
- Annual Submission and Review of Cybersecurity Assessment Plan. Owners and operators of critical infrastructure designated by TSA must (1) annually submit to TSA an updated cybersecurity assessment plan (CAP) for review and approval; and (2) annually report on CAP results from the prior year. TSA mandates a comprehensive assessment of 100% of security measures every three years to ensure compliance.
- Emphasis on oversight and cooperation. The directive balances oversight from the TSA with cooperation from owners and operators: “[T]he TSA Administrator is authorized to ‘enforce security-related regulations and requirements’; ‘inspect, maintain, and test security facilities, equipment, and systems’; and ‘oversee the implementation, and ensure the adequacy of security measures at … transportation facilities.’ Given this authority, TSA may require Owner/Operators to provide specific documentation and access to TSA as necessary to establish compliance.”
- Testing Cybersecurity Incident Response Plans. The directive builds on the TSA’s prior mandate regarding cybersecurity incident response plans (CIRP), now requiring the testing of at least two objectives annually. Objectives include prompt containment, segregation, security and integrity of backed-up data, and established capability and governance for isolating certain systems. Individuals identified in the CIRP must participate in required annual exercises.
Much of the TSA’s previously established requirements remain unchanged, including the obligations to report significant incidents to CISA, identify a cybersecurity point of contact and conduct a cybersecurity vulnerability assessment.
Looking ahead, the TSA’s updated security directive demonstrates continued regulatory oversight of the energy sector with specific interest in cybersecurity. Energy lawyers will play a crucial role in helping their clients ensure compliance with the TSA’s directive, communicate with TSA in the face of cyber threats and foster collaboration as TSA likely issues new directives in the future.