TSA issues urgent requirements for critical pipeline owners, operators to launch cybersecurity efforts
Pushing back against the string of cybersecurity threats instigated this year, the U.S. Transportation Security Administration (TSA) issued a new Security Directive this week that requires owners and operators of critical pipelines to roll out urgent cyber protections.
“I’m pleased to see today’s steps, including mandatory standards, by @TSA to protect the safety of our nation’s critical energy infrastructure,” Rich Glick, chairman of the Federal Energy Regulatory Commission, tweeted after the requirements were announced.
The demand will apply to any hazardous liquid or natural gas transporting pipelines the TSA has deemed critical. It is TSA’s second directive this year, building on one from May that required pipeline owners and operators to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), designate a Cybersecurity Coordinator, review current practices and identify gaps and measures to patch cyber-related risks.
“The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats,” Secretary of Homeland Security Alejandro Mayorkas said. “Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats and better protect our national and economic security. Public-private partnerships are critical to the security of every community across our country, and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”
CISA, as a fellow part of the Department of Homeland Security, advised TSA on cybersecurity threats to the pipeline industry and technical countermeasures needed to prevent such threats for the creation of this directive. Owners and operators of affected pipelines will need to apply specific mitigation measures for their protection, develop and deploy cybersecurity contingency and recovery plans, and undertake cybersecurity architecture design reviews.
