Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Government

TSA Updates Pipeline Cybersecurity Requirements

The TSA has released updated cybersecurity requirements for pipeline owners and operators, instructing them to test assessment and incident response plans.

The Transportation Security Administration (TSA) announced on Wednesday an update to its cybersecurity requirements for oil and natural gas pipeline owners and operators.

The security directive for pipeline owners and operators — released following the disruptive cyberattack that hit Colonial Pipeline in 2021 — requires them to implement measures to improve their defenses against cyberattacks.  

The TSA updated the requirements in July 2022 to offer more flexibility in achieving the outlined goals. Exactly one year later, the agency has released another updated version with additional requirements.

“Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans,” said TSA administrator David Pekoske. 

Specifically, owners and operators are now required to annually submit an updated cybersecurity assessment plan to the TSA for review and approval. 

They will also have to provide a schedule for assessing and auditing specific cybersecurity measures and submit an annual report with the results of the previous year’s assessment. 

Organizations have been required to develop and maintain a cybersecurity incident response plan. They will now have to annually test at least two objectives of that incident response plan. 

There are also some changes related to organizations that don’t have any critical cyber systems. 

Advertisement. Scroll to continue reading.

“Like the last version TSA’s update to its Security Directive for oil and natural gas pipeline cybersecurity focuses on performance-based, rather than prescriptive, measures. That, along with the fact that pipeline companies can incorporate these measures into their existing Cybersecurity Implementation Plans (CIP) to achieve the right outcomes while accommodating differences in systems and operations, shows strong progress in TSA’s support for the distinct needs of the sector and of individual companies,” said Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos.

“The update also gives owners and operators important flexibility to leverage various industry standards they already use—such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series. The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represent major improvements for all pipeline owners and operators.

“Given the increased audit language and reporting requirements in the updated regulation, we hope that TSA continues to align such requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities. We also hope that TSA continues to engage with private sector and industry experts as they update and revise the Security Directives moving forward,” Christopher added.

Related: TSA Requires Aviation Sector to Enhance Cybersecurity Resilience

Related: New TSA Directive Aims to Further Enhance Railway Cybersecurity

Related: Operations at US Natural Gas Facilities Disrupted by Ransomware Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.