The Transportation Security Administration (TSA) has released Security Directive Pipeline-2021-02D (SD-02D), effective July 27, 2023, which supersedes and replaces SD-02C. The update is a minor revision and maintains and reinforces the community-driven controls from SD-02C.
While most of the requirements and compliance elements remain the same, SD-02D does provide audit language, new timelines, and processes for specific requirements of the TSA compliance program. The following changes should be noted by asset owners and operators of hazardous liquid and natural gas pipeline, or liquified natural gas facilities:
- Direct language was added to inform asset owners/operators that if TSA disagrees with any critical system designations submitted, asset owners/operators may be required to provide rationale for excluding systems or require that additional systems be included.
- Tabletop exercises to test Cybersecurity Incident Response (IR) plans are now mandatory annually and must include two objectives being tested from the IR plan and must include the positions (named roles) who are active participants in those exercises.
- Asset owners/operators must provide a schedule for assessing and auditing the Cybersecurity Assessment Plan, ensuring at least 30 percent of the policies, procedures, measures, and capabilities are assessed each year, so that 100 percent of the Assessment Plan is assessed every three years. These audit results must be captured in an annual assessment report and submitted to TSA.
The SD-02D update also provides consistency and more incremental enhancement, rather than a major overhaul, affording industries more confidence that the efforts they’ve put into SD-02C will carry forward and not be disrupted by changing regulations. These incremental updates allow asset owners/operators more time to understand their compliance obligations and continue to secure funds to support the efforts from SD-02C.
Check out our on-demand webinar with Dragos Senior Industrial Consultant Elan Alvey and Dragos Technical Lead Mike Hoffman – they break down the key changes in this latest update and offer insights on how the TSA Security Directive is shaping the future of cybersecurity for pipeline asset owners and operators.
View On-Demand Now
Related Posts
How to Prioritize Vulnerabilities in Your OT Environment with Risk-Based Vulnerability Management
Key Insights for NERC CIP-015 Compliance: Anomaly Detection vs. Detecting Anomalous Activity
US Transportation Security Administration Releases Updated Pipeline Security Directive: Key Revisions and Compliance Strategies
Ready to put your insights into action?
Take the next steps and contact our team today.