The US Transportation Security Administration (TSA) has updated its security directive regarding oil and natural gas pipeline cybersecurity.
Updates to the security directive require oil and natural gas pipeline owners and operators to:
- Annually submit an updated Cybersecurity Assessment Plan to TSA for review and approval.
- Annually report results from previous year’s assessment, with a schedule for assessing and auditing specific cybersecurity measures for effectiveness. TSA requires 100% of an owner-operator’s security measures be assessed every 3 years.
- Test at least two Cybersecurity Incident Response Plan (CIRP) objectives and include individuals serving in positions identified in the CIRP in required annual exercises.
The reissued security directive was developed with input from industry and other federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation, Remaining in place are previously established requirements to report significant cybersecurity incidents to CISA, identify a cybersecurity point of contact, and conduct a cybersecurity vulnerability assessment (Security Directive Pipeline 2021-01C).
TSA originally issued the directive following a May 2021 ransomware attack that led to the 6-day shutdown of Colonial Pipeline Co.’s 5,500-mile refined products pipeline (OGJ Online, June 11, 2021). Colonial carries 45% of the US East Coast’s gasoline, diesel, and jet fuel.