DHS, TSA directive requires specific cybersecurity efforts for critical pipelines

Pushing back against the string of cybersecurity threats instigated this year, the United States Transportation Security Administration (TSA) issued a new Security Directive this week that requires owners and operators of critical pipelines to roll out urgent cyber protections.

“Secure pipelines are critical to our way of life,” CISA Director Jen Easterly tweeted after the announcement. “Just ask anyone trying to buy gas on the east coast after the Colonial hack. The new @TSA Directive requires critical pipeline companies to use @CISAgov best practices to shore up their cybersecurity.”

The demand will apply to any hazardous liquid or natural gas transporting pipelines the TSA has deemed critical. The critical nature of these pipelines is not public knowledge — it is restricted to those deemed need to know.

This is TSA’s second directive this year, building on a rushed order from May that required pipeline owners and operators to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), designate a Cybersecurity Coordinator, review current practices and identify gaps and measures to patch cyber-related risks.

That order came in the wake of a ransomware attack on the Colonial Pipeline that demonstrated massive vulnerabilities within U.S. infrastructure. As a result, the pipeline shut down for days, leading to gas shortages, price spikes, and panic.

“The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats,” Secretary of Homeland Security Alejandro Mayorkas said. “Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats and better protect our national and economic security. Public-private partnerships are critical to the security of every community across our country, and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

CISA, as a fellow part of the Department of Homeland Security, advised TSA on cybersecurity threats to the pipeline industry and technical countermeasures needed to prevent such threats for the creation of this directive. Owners and operators of affected pipelines will need to apply specific mitigation measures for their protection, develop and deploy cybersecurity contingency and recovery plans, and undertake cybersecurity architecture design reviews.