On July 20, 2021, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued an expected second Security Directive that requires owners and operators of TSA-designated critical pipelines, including natural gas pipelines, to implement additional critical protections against cyber intrusions. The first Security Directive was issued on May 28, 2021, and it was focused on TSA pipeline cybersecurity incident reporting requirements. This second Security Directive will require the following:
- Implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems;
- Develop and implement a cybersecurity contingency and recovery plan; and
- Conduct a cybersecurity architecture design review.
Notably, the specific content of this second Security Directive will not be publicly available. It is being designated by DHS as “sensitive security information” and will only be available to the TSA-designated critical pipelines.
We are not aware of any additional next steps on pipeline cybersecurity mandates at this time; however, further regulatory and/or legislative action cannot be ruled out.
The DHS press release on the second TSA Security Directive is available here.
For more information, or to obtain assistance in understanding how TSA’s Security Directive impacts your organization, please contact Kristen Connolly McCullough, Barry Lawson, or Ellen Hill.