TSA Issues Additional Cybersecurity Requirements for Critical Pipeline Owners and Operators
The Transportation Security Administration (TSA) announced the issuance of a Second Security Directive that requires owners and operators of TSA-designated critical pipelines to: (1) implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems; (2) develop and implement a cybersecurity contingency and recovery plan; and (3) conduct a cybersecurity architecture design review.
A few hours after announcing its issuance, TSA began notifying affected companies of the requirement to comply with the Second Security Directive by the effective date. Deadlines for required actions range from 30-180 days. TSA indicated that it would host calls with affected parties to discuss specific requirements after the Second Security Directive’s publication. The Second Security Directive is considered Sensitive Security Information (SSI), which will limit its distribution in some regard.
In May 2021, TSA issued an Initial Security Directive that requires critical pipeline owners and operators to: (1) report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA); (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.