The Transportation Security Administration (TSA) announced on Wednesday an update to its cybersecurity requirements for oil and natural gas pipeline owners and operators.
The security directive for pipeline owners and operators — released following the disruptive cyberattack that hit Colonial Pipeline in 2021 — requires them to implement measures to improve their defenses against cyberattacks.
The TSA updated the requirements in July 2022 to offer more flexibility in achieving the outlined goals. Exactly one year later, the agency has released another updated version with additional requirements.
“Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans,” said TSA administrator David Pekoske.
Specifically, owners and operators are now required to annually submit an updated cybersecurity assessment plan to the TSA for review and approval.
They will also have to provide a schedule for assessing and auditing specific cybersecurity measures and submit an annual report with the results of the previous year’s assessment.
Organizations have been required to develop and maintain a cybersecurity incident response plan. They will now have to annually test at least two objectives of that incident response plan.
There are also some changes related to organizations that don’t have any critical cyber systems.
“Like the last version TSA’s update to its Security Directive for oil and natural gas pipeline cybersecurity focuses on performance-based, rather than prescriptive, measures. That, along with the fact that pipeline companies can incorporate these measures into their existing Cybersecurity Implementation Plans (CIP) to achieve the right outcomes while accommodating differences in systems and operations, shows strong progress in TSA’s support for the distinct needs of the sector and of individual companies,” said Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos.
“The update also gives owners and operators important flexibility to leverage various industry standards they already use—such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series. The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represent major improvements for all pipeline owners and operators.
“Given the increased audit language and reporting requirements in the updated regulation, we hope that TSA continues to align such requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities. We also hope that TSA continues to engage with private sector and industry experts as they update and revise the Security Directives moving forward,” Christopher added.