The Transportation Security Administration (TSA) issued a Security Directive (2021-01), effective May 28, 2021, titled Enhancing Pipeline Cybersecurity. This Directive was sent to the specific pipeline operators who were identified by the TSA as operating critical pipeline systems or facilities. The Directive has three requirements:
- Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 12 hours of discovery of a cybersecurity incident.
- Designate a Cybersecurity Coordinator and at least one alternate for 24/7 coverage.
- Review and use the TSA’s pipeline security recommendations (Section 7 of the 2018 Pipeline Security Guidelines (with Change 1 (April 2021)) to assess cyber risk and develop action plans to address any gaps.
Since all pipeline operators are not included in this Directive, and in light of recent events, all pipeline operators should review their own cybersecurity plans and assess the plans against the guidelines in 2018 Pipeline Security Guidelines (with Change 1 (April 2021) and take action as necessary to address vulnerability gaps. TSA highlighted that the plans, assessments and action plans be considered security sensitive information and managed per the requirements of 49 CFR 1520 – Protection of Sensitive Security Information.
For a copy of the directive, contact Jessica Foley.