"TSA Revises and Reissues Cybersecurity Requirements for Pipeline Owners and Operators"
The Transportation Security Administration (TSA) has revised and reissued its Security Directive on oil and natural gas pipeline cybersecurity. This revised directive will continue the effort to strengthen the cybersecurity of the nation's critical pipelines. The reissued security directive for critical pipeline companies was developed with extensive input from industry stakeholders and federal partners, including the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), and follows the directive announced in July 2021. The directive extends cybersecurity requirements for an additional year and emphasizes performance-based measures instead of prescriptive-based measures to achieve critical cybersecurity outcomes. The reissued security directive takes a novel, performance-based approach to security, allowing the industry to leverage new technologies and adapt to changing environments. The security directive requires TSA-specified pipeline and liquefied natural gas facility owners and operators to take action to prevent disruption and degradation of their infrastructure and achieve highlighted security outcomes. These outcomes include creating access control measures to secure and prevent unauthorized access to critical cyber systems, building continuous monitoring and detection procedures to detect cybersecurity threats, and more. Pipeline owners and operators are required to establish a Cybersecurity Assessment Program to test and regularly audit the effectiveness of cybersecurity measures and identify vulnerabilities within devices, networks, and systems. This article continues to discuss the revision and reissuance of TSA's Security Directive on oil and natural gas pipeline cybersecurity.