US Transportation Security Administration Releases Updated Pipeline Security Directive: Key Revisions and Compliance Strategies

The US Transportation Security Administration (TSA) has recently released an updated version of the TSA Pipeline Security Directive on Enhancing Pipeline Cybersecurity, known as Security Directive Pipeline-2021-01D. This new directive supersedes the previous version, Security Directive Pipeline-2021-01C, and introduces several key revisions aimed at enhancing the cybersecurity resilience of the nation’s critical pipeline infrastructure. Below, we outline the most important changes and provide insights into how the Dragos Platform can help oil and gas companies meet and exceed these new requirements. 

Key Revisions in Security Directive Pipeline-2021-01D 

1. Enhanced Reporting Requirements 

• Previous Version: Required Owner/Operators to report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). 
• New Version: Continues this requirement but emphasizes the need for timely and detailed reporting to avoid duplicate reporting. Information provided to the Cybersecurity and Infrastructure Security Agency (CISA) will be shared with TSA and other relevant agencies. 

2. Designation of Cybersecurity Coordinators 

• Previous Version: Required Owner/Operators to designate a Cybersecurity Coordinator and alternates available 24/7. 
• New Version: Clarifies that the requirements for the Cybersecurity Coordinator also apply to alternate Cybersecurity Coordinators, ensuring continuous availability and coordination. 

3. Review and Assessment of Cybersecurity Practices 

• Previous Version: Required Owner/Operators to review their activities against TSA’s recommendations, identify gaps, develop remediation measures, and report results. 
• New Version: Maintains this requirement but adds a new definition for “business critical functions” and revises the definition of “days” to exclude federal holidays from compliance deadlines. The updated definition of “business critical functions” is “the Owner/Operator’s determination of capacity or capabilities to support functions necessary to meet operational needs and supply chain expectations.” 

4. Applicability and Compliance Deadlines

• Previous Version: Applied to Owner/Operators of TSA-designated critical pipeline systems or facilities. 
• New Version: Clarifies applicability and compliance deadlines, including provisions for notifying additional Owner/Operators identified as critical by TSA. 

Compliance Timeframes 

• Effective Date: May 29, 2024 
• Expiration Date: May 29, 2025 
• Initial Compliance: Within the first 90 days, Owner/Operators must create and submit a Cybersecurity Implementation Plan by October 25, 2022. 
• Ongoing Compliance: Until the plan is approved, apply requirements from SD 2021-02B. 

How the Dragos Platform Helps Meet TSA Directive Requirements 

The Dragos Platform offers comprehensive solutions to help oil and gas companies comply with the updated TSA Pipeline Security Directive. Here’s how each requirement aligns with Dragos Platform features: 

1. Incident Reporting

• Requirement: Report cybersecurity incidents to CISA. 
• Dragos Feature: The Dragos Platform provides automated threat detection, and provides incident playbooks, case management and forensic tools, and reporting capabilities, ensuring timely and accurate information sharing with CISA and TSA. 

2. Cybersecurity Coordinator Availability

• Requirement: Ensure Cybersecurity Coordinators are available 24/7. 
• Dragos Feature: Dragos Platform offers continuous monitoring and alerting, enabling Cybersecurity Coordinators to stay informed and responsive at all times. 

3. Review and Assessment of Cybersecurity Practices 

• Requirement: Review response to vulnerability activities, identify gaps, develop remediation measures, and report results. 
• Dragos Feature: The Dragos Platform includes comprehensive vulnerability management tools that help identify vulnerabilities, recommend remediation measures, and generate reports for compliance. 
• Dragos Services: An OT Cybersecurity Assessment (OTCA) will provide asset owners/operators with an evaluation of their security practices with the appropriate TSA Security Directive references. Asset Owner/Operators who have not already submitted their cybersecurity vulnerability assessment can use the OTCA to help them complete the required TSA form. 

Summary 
The updated TSA Pipeline Security Directive Pipeline-2021-01D introduces critical revisions aimed at bolstering the cybersecurity defenses of the nation’s pipeline infrastructure. By leveraging the advanced capabilities of the Dragos Platform, oil and gas companies can meet these stringent requirements, ensuring robust protection against cyber threats and compliance with federal regulations. 

Previous materials:  

• Infographic: TSA Security Directive Pipeline-2021-02D 
• Blog: TSA Security Directive Pipeline-2021-02D Reinforces Requirement for Tabletop Exercises and Rigor in Plan Auditing 
• Report: Understanding, Implementing New TSA Pipeline Directive