The Transportation Security Administration (TSA) on Tuesday handed down another set of directives aimed at protecting critical pipelines that transport hazardous liquids and natural gas against cyber attacks.

The second security directive, issued two months after the initial orders were put out, requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems. It also requires these pipelines to develop and implement a cybersecurity contingency and recovery plan, as well as conduct a cybersecurity architecture design review.

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) advised TSA on cybersecurity threats to the pipeline industry, as well as technical countermeasures to prevent those threats, during the development of the second security directive.

“Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” said Secretary of Homeland Security Alejandro N. Mayorkas. 

The latest directive builds upon the initial security mandates issued in May following the ransomware attack on Colonial Pipeline Co. That directive required critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA. It also required a cybersecurity coordinator be designated and available 24 hours a day, seven days a week. Pipelines also were directed to review their current practices and identify any gaps and related remediation measures to address cyber-related risks.

After learning on May 7 it had been victimized by hackers, Colonial shut down its 5,500-mile system, which transports more than 100 million gallons of gasoline, diesel and jet fuel to markets throughout the southern and eastern United States.

The shutdown led to fuel shortages and panic buying across the region, as Colonial did not fully restart operations until May 13.

“Public-private partnerships are critical to the security of every community across our country, and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience,” Mayorkas said.

The Interstate Natural Gas Association of America (INGAA) said it appreciates TSA’s ongoing efforts to enhance federal pipeline cybersecurity programs to confront the wave of cyberattacks threatening many different industries across the country. However, in this instance, the TSA used emergency authority to implement a significant new set of regulations without the usual notice-and-comment procedures. As such, INGAA anticipates that improvements to the TSA directive would be necessary to maximize its efficacy and practicality.

For example, the directive would be improved by providing pipeline operators more ability to base their cybersecurity protections on individual pipeline systems’ specific configurations and risks, according to INGAA. “The most effective cybersecurity programs evaluate risks on an ongoing basis and implement targeted protections to address those risks, rather than applying the same set of protections to every scenario,” an INGAA spokesperson told NGI.

A risk-based, technology-neutral approach encourages cybersecurity programs and technologies to evolve to match new threats, while minimizing the energy reliability impact of applying new protections, according to the natural gas pipeline association.

“INGAA stands ready to collaborate with our partners at TSA and CISA to pursue improvements to the recent directives over the coming months.”