11/30/22, 3:09 PM Pipeline Cybersecurity Implementation Plan for TSA Security Directive | Pipeline and Gas Journal

COPYING AND DISTRIBUTING ARE PROHIBITED WITHOUT PERMISSION OF THE PUBLISHER

Open +

October 2022, Vol. 249, No. 10 (/magazine/2022/october-2022-vol-249-no-10)

FEATURES (/MAGAZINE/2022/OCTOBER-2022-VOL-249-NO-10#FEATURES)

Pipeline Cybersecurity
Implementation Plan for TSA
Security Directive
By Marco Ayala, Director of Industrial Control Systems, 1898 & Co., a part of Burns & McDonnell    

(P&GJ) — The pipeline industry has been placing focus and efforts on cybersecurity ever since last year’s
Transportation Security Administration’s (TSA’s) security directives were first issued. The security
directives (SDs) were a pushed rollout that caught many off-guard at the time—they knew it was coming
but did not know the exact details.

It applies to owner/operators of hazardous liquid and natural

gas pipelines or liquefied natural gas facilities that have been
notified by TSA that their pipeline system or facility is
critical. 

The first SD-01, “Security Directive Pipeline-2021-01,” went

into effect on May 28, 2021, with the intention of enhancing (/media/9213/cyber_ss1971272342.jpg)
pipeline cybersecurity. It called out the following three
critical functions: 

TSA-specified owner/operators must report cybersecurity incidents to the Department of Homeland

Security’s Cybersecurity and Infrastructure Security Agency (CISA).  
Owner/operators must designate a cybersecurity coordinator who must be available to TSA and CISA
24/7 to coordinate cybersecurity practices and address any incidents that arise (and at least one
alternate cybersecurity coordinator at the corporate level).  
Owner/operators must review their current activities against TSA’s recommendations for pipeline
cybersecurity to assess cyber risks, identify any gaps, develop remediation measures and report the
results to TSA and CISA. 

The SD-01 also provided pipeline owner/operators TSA’s definitions for informational technology (IT) and
operational technology (OT) systems, defining “disruption” and “incident.” 

The second SD-02, “Security Directive Pipeline-2021-02,” went into effect July 26, 2021, defining
mitigation actions, contingency planning and testing. The SD-02 is protected by Sensitive Security
Information (SSI) and it calls out three elements in general.  

Implement critically important mitigation measures to reduce the risk of compromise from a
cyberattack.   
Develop a Cybersecurity Contingency/Response Plan to reduce the risk of operational disruption or
significant business or functional degradation of necessary capacity, as defined in this SD, should the IT
and/or OT systems of a gas or liquid pipeline be affected by a cybersecurity incident.  
Test the effectiveness of the owner/operator’s cybersecurity practices through an annual cybersecurity
architecture design review. 

The reality is that SD-02 is very prescriptive, and industry met TSA with heavy feedback and concerns
both directly and through industry associations. So much so that industry organizations banded together
in their feedback to TSA. Pipeline trade associations American Fuel & Petrochemical Manufacturers
(AFPM), American Gas Association (AGA), Association of Oil Pipelines (AOPL), American Petroleum
Institute (API), American Public Gas Association (APGA), the Interstate Natural Gas Association of
America (INGAA), and GPA Midstream together sent a letter to the TSA administrator sharing all the same
concerns with implementing the directive and not arguing the concern of ransomware and other cyber
threats.  

The issue of unanswered technical questions submitted to TSA left operators uncertain about what is
required for compliance. The key challenges were not just in timelines and the elements of the technology
say provisioned running pipeline systems and potentially having limiting security capabilities or capable
but with legitimate deployment concerns, but with unclear elements or defining of items such as
“nonoperational networks” for example.  

In the industry’s association letter to TSA:  

“Operational reliability and safety are extremely important to the pipeline industry. The Directive’s potential
to cause operational disruptions or threaten safe operations remains a concern of affected pipeline
operators. Our pipeline () operators have expert knowledge regarding their assets, how they are managed
to meet customer needs, and how to comply with the various state and federal regulations under which
they are required to operate.  

https://pgjonline.com/magazine/2022/october-2022-vol-249-no-10/features/pipeline-cybersecurity-implementation-plan-for-tsa-security-directive 1/4
11/30/22, 3:09 PM Pipeline Cybersecurity Implementation Plan for TSA Security Directive | Pipeline and Gas Journal
As the Directive was developed, industry conveyed highly probable operational safety and reliability
concerns that could arise by imposing prescriptive cyber requirements and untenable timelines without
specific understanding of a company’s existing cybersecurity protections and operations.” 

“We also urge TSA to reconsider its process for implementing pipeline security initiatives in the future to
ensure better input on the compatibility of proposed security requirements with pipeline operational
technology. It is important TSA make timely updates to its pipeline security policies to keep up with
evolving threats. At the same time, it is equally important TSA’s process does not sacrifice input from the
regulated industry for the sake of speed.” 

The addendum to SD-02 “Security Directive Pipeline-2021-02B” went into effect December 17, 2021,
defining mitigation actions, contingency planning, and testing. SD-02B was protected by SSI - Sensitive
Security Information also calls out the same three elements as the original SD-02.  

However, on June 6, the TSA issued a memorandum stating that they “made a determination that the
Security Directive, SD Pipeline-2021-02B, is no longer considered to contain Sensitive Security
Information (SSI) and the markings denoting the document as SSI have been removed from the attached
copy of the Security Directive.” 

The SD-02B provided prescriptive controls that again did have the same concerns as the original, but with
cyber as a moving target anything pointing our bow in the right direction is still a positive move. The
implementation timelines provided by TSA were still tight, effectively extending the operational technology
(OT) sections to January 22, 2022, and assessments by July 26.  

An example from the SD-02B Conduct Operational Technology System Cybersecurity Architecture Design
Reviews:  

“No later than January 22, 2022, unless otherwise directed, Owner/Operators must schedule a third-
party evaluation of the Owner/Operator’s Operational Technology system design and architecture, to be
conducted no later than July 26, 2022, which includes verification and validation of network traffic and
system log review analysis to identify cybersecurity vulnerabilities related to network design,  

configuration, and inter-connectivity to internal and external systems. 

This evaluation must:  

1. Be conducted by an independent third-party, unless otherwise approved by TSA that has

demonstrated capability to perform the cybersecurity architecture design review required by this
Security Directive 
2. Be completed annually thereafter for the duration of this Security Directive, as 

revised and renewed  

1. Include a written report detailing the results of the evaluation and the acceptance or rejection of any
recommendations provided by the evaluator to address vulnerabilities. This written report must be
made available to TSA upon request and retained for no less than two (2) years from the date of
completion.
The SD-02C “Security Directive Pipeline-2021-02” went into effect July 27, again reinstituting mitigation
actions, contingency planning, and testing and expires July 27, 2023.  

SD-02C is a continuation of the SD-02 series and supersedes and replaces SD Pipeline-2021-02B and is
not an SSI document.   

The requirements are:  

Establish and implement a TSA-approved Cybersecurity Implementation Plan.  

Develop and maintain a Cybersecurity Incident Response Plan to reduce the risk of operational
disruption.  
Establish a Cybersecurity Assessment Program and submit an annual plan that describes how the
owner/operator will assess the effectiveness of cybersecurity measures. 

Owner/operators must continue to implement the specific measures from Security Directive Pipeline
2021-02B, as identified in the Attachment to SD02C, and to be modified by any TSA­approved alternative
measures and/or action plans, until a Cybersecurity Implementation Plan issued pursuant to this Directive
is approved by TSA.  

The goal of this SD is to reduce the risk that cybersecurity threats pose to critical pipeline () systems and
facilities by implementing layered cybersecurity measures that demonstrate a defense-in-depth approach
against such threats. Recent and evolving intelligence emphasizes the growing sophistication of nefarious
persons, organizations and governments; highlights vulnerabilities; and intensifies the urgency of
implementing and sustaining the requirements.  

The good news is that TSA did listen to the pipeline () industry in its effort on cybersecurity requirements
and inspections. The better part of the news and directive is that TSA is focusing more on a results-based
approach than a prescriptive stance. TSA uses the terms “result”- and “performance”-based approach in
different commentary and documents but have allowed for alternative measures (AM).  

“This revised security directive follows significant collaboration between TSA and the oil and natural gas
pipeline industry. The directive establishes a new model that accommodates variance in systems and
operations to meet our security requirements,” said TSA Administrator David Pekoske. “We recognize that
every company is different, and we have developed an approach that accommodates that fact, supported
by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.” 

The reissued security directive takes an innovative, performance-based approach to enhancing security,
allowing industry to leverage new technologies and be more adaptive to changing environments. The
security directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas
facilities take action to prevent disruption and degradation to their infrastructure to achieve the following
security outcomes: 

https://pgjonline.com/magazine/2022/october-2022-vol-249-no-10/features/pipeline-cybersecurity-implementation-plan-for-tsa-security-directive 2/4
11/30/22, 3:09 PM Pipeline Cybersecurity Implementation Plan for TSA Security Directive | Pipeline and Gas Journal
Develop network segmentation policies and controls to
ensure that the OT system can continue to safely operate
if an IT system has been compromised and vice versa.  
Create access control measures to secure and prevent
unauthorized access to critical cyber systems.  
Build continuous monitoring and detection policies and
procedures to detect cybersecurity threats and correct
anomalies that affect critical cyber system operations.  
Reduce the risk of exploitation of unpatched systems
through the application of security patches and updates
for operating systems, applications, drivers and firmware
on critical cyber systems in a timely manner using a risk-
based methodology.  

Pipeline owners/operators are also required to:  

(/media/9209/cyber_ayala-7.jpg)
Develop and maintain a Cybersecurity Incident Response
Plan to reduce the risk of operational disruption, or the
risk of other significant impacts on necessary capacity
should a cybersecurity incident affect their IT or OT
systems. (Note that the attack on the Colonial Pipeline
system targeted its billing functionality.)  

Establish a Cybersecurity Assessment Program and submit to the TSA an annual plan that describes how
the owner/operator will proactively and regularly assess the effectiveness of its cybersecurity measures
and identify and resolve device, network and/or system vulnerabilities. 

Technology that provides both enabling and supporting functions at the enterprise level but also real-time
systems that safely and reliably operate our pipeline systems and safeguard compounding aspects of
health, safety, and environment (HSE) must always take precedence.  

TSA has developed and provided to owner/operators 34 new “Frequently Asked Questions (FAQs)” in
August this year that help industry further clarify points on the security directives. It has, for example,
compare and contrast questions and answers to specific technical questions from stakeholders like
patching, firmware and backups, for example.  

The sections cover general, protection of information, cybersecurity implementation plan, monitoring and
detection policies and procedures, security patch and updates, cybersecurity incident response plan,
cybersecurity assessment program, records, amendments to cybersecurity implementation plan and
compliance. 

On Sept. 2, TSA just issued the “Information Supplement for the TSA Security Directive Pipeline-2021-
02C, Version 1.0.” This document provides owner/operators a deeper informative document that focuses
on the Cybersecurity Implementation Plan (CIP). TSA also created a generic template that
owner/operators can use as added help and an appendix that outlines what should be in the
owner/operators’ CIP.  

The biggest help and lift from the TSA are the addition of a mapping table from National Institute of
Standards and Technology’s (NIST) Cyber Security Framework (CSF) to SD-02C.  

While the latest SD-02C allows owner/operators the choice of third-party assessments, TSA generally
recommends it. It is strongly recommended that  you consider having peer assessments and reviews with
subject matter experts outside of the integrator and systems vendor because biases can run deep and
wide, and the inherent risks are the ones that can, and often do, go unrecognized. Threat actors are
counting on it; you should also be real with your selection.  

IT assessors in an OT environment can lead to issues. Asking the basketball team to assess and audit the
football team or baseball team is a compare and contrast situation. They all use balls and play on fields, but
the game and rules are all different, not to mention the injuries. There are many independent third parties
that have the owner/operator experience and cover from field instrument and control element up and to
enterprise.

Safety and environmental is paramount and we need to

understand the difference between a secure non-productive
system and a secure but productive system. Our nation
depends on it.   

(/media/9210/cyber_ayala-8.jpg)

Related Articles
East African Pipeline Company’s Hits and
Misses on Inline Inspection
(/magazine/2022/november-2022-vol-249-
no-11/features/east-african-pipeline-company-
s-hits-and-misses-on-inline-inspection)
The Forgotten World of Moving the Pipe
(/magazine/2022/november-2022-vol-249-
no-11/features/the-forgotten-world-of-moving-
the-pipe)
Carbon Capture Not Ending Pipeline Woes
(/magazine/2022/november-2022-vol-249-
no-11/features/carbon-capture-not-ending-
pipeline-woes)
Cybersecurity Update: Aligning Industry
Standard’s Best Practices
(/magazine/2022/october-2022-vol-249-no-
10/features/cybersecurity-update-aligning-
industry-standard-s-best-practices)

https://pgjonline.com/magazine/2022/october-2022-vol-249-no-10/features/pipeline-cybersecurity-implementation-plan-for-tsa-security-directive 3/4
11/30/22, 3:09 PM Pipeline Cybersecurity Implementation Plan for TSA Security Directive | Pipeline and Gas Journal
Urban Pipeline Construction: Innovations Putting Machine Learning to Use for Integrity
Overcoming Density, Aging Infrastructure Management (/magazine/2022/october-2022-
Issues (/magazine/2022/november-2022-vol- vol-249-no-10/features/putting-machine-
249-no-11/features/urban-pipeline- learning-to-use-for-integrity-management)
construction-innovations-overcoming-density-
aging-infrastructure-issues)

https://pgjonline.com/magazine/2022/october-2022-vol-249-no-10/features/pipeline-cybersecurity-implementation-plan-for-tsa-security-directive 4/4