Revised Pipeline Cybersecurity Focuses on Performance-Based Measures
TSA Introduced Revised Pipeline Security Directive
Following the May 7, 2021 Colonial Pipeline incident, the Transportation Security Administration (TSA), which is in charge of pipeline security, issued Security Directives Pipeline-2021-01 and Pipeline-2021-02 in July of 2021. The directives required pipeline owners and operators to report cybersecurity incidents within 12 hours and to implement immediate mitigation measures to protect against cyberattacks. The industry expressed concerns that the requirements were overly burdensome and not readily attainable. In response, TSA engaged with cybersecurity experts and industry stakeholders over the past 12 months and decided to offer more flexibility in meeting the intended security outcomes by transitioning to a performance-based approach. The new requirements were issued through Security Directive Pipeline-2021-02C on July 27, 2022. The revised security directive includes the following three requirements:
- Establish and implement a TSA-approved Cybersecurity Implementation Plan
- Develop and maintain an up-to-date Cybersecurity Incident Response Plan to reduce the risk of operational disruption
- Establish a Cybersecurity Assessment Program that is updated at least annually
Pipeline owners and operators must make the records necessary to establish compliance with the requirements available to TSA upon request for inspection. Those records include firewall rules, router/switch configurations, and network architecture diagrams. NP-View can directly assist pipeline security and compliance teams by providing a turnkey solution that translates complex network device configurations into the following documentation:
- Correct implementation of network segmentation (section III.B of the TSA Security Directive) and access control measures (section III.C), including all external connections to the OT system.
- Clear understanding of communication paths between IT and OT (sections III.F.1.b and III.F.1.d).
- Automatically generated network architecture diagrams (section III.G.2.b) with a representation of logical zone boundaries and their criticality.
Contact us to learn more, or review a visual summary of the security directive at: