TSA Pipeline Cybersecurity Directive SD02C 
On July 21, 2022, the U.S. Department of Homeland Security issued a major update to its TSA pipeline directive SD02C, originally issued in July 2021. The new TSA cybersecurity pipeline directive is effective as of July 27, 2022. The “Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing” directive is targeted at Owner/Operators of hazardous liquid and natural gas pipelines and lays out a timetable and the actions that will be required for compliance.
As of July 26, 2022, many of the nation’s leading pipeline operators in the US had been notified of these new requirements. Per the TSA, the high-level cybersecurity requirements include:
- Establishment and implementation of a TSA-approved Cybersecurity Implementation Plan
- Development and maintenance of a Cybersecurity Incident Response Plan to reduce the risk of operational disruption; and
- Establishment of a Cybersecurity Assessment Program and submission of an annual plan that describes how the Owner/Operator will assess the effectiveness of cybersecurity measures.
What is the TSA Pipeline Directive?
The 2022 TSA pipeline directive sets immediately applicable expectations for the program to be developed and maintained by Owner/Operators. The requirements of the TSA pipeline cybersecurity directive include:
- The requirements apply to all notified Owner/Operators as well as additional ‘critical Pipeline Systems or Facilities’ identified by the TSA after the notification date.
- All Owner/Operators shall submit a Cybersecurity Implementation Plan for TSA approval within 90 days of the issuance of the directive.
- All requirements laid out below become mandatory for any Owner/Operator that does not receive approval of its specific Implementation Plan by the due date.
- Implementation of a ‘zero trust’ policy to manage unauthorized execution, monitoring or data acquisition, both within OT networks and between IT and OT networks, is expected. The Cybersecurity Implementation Plan must also include time-based evaluation and execution of the following:
  - Identification of all OT-based Critical Systems
  - Network segmentation policies and controls that include an isolated interface between IT and OT environments
  - Understanding and definition of all external connections (whether for ingress or egress) from the OT environment
  - IT/OT zone boundaries, definitions, logical segmentation, criticality, consequence, and necessity for business continuity
  - Security approach for protecting zones while data is at rest and in transit; this may include new encryption requirements
  - Access control measures for both local and remote system access and control, including:
    - Identification and authentication policies and procedures
    - Schedules for password and/or security resets
    - Mitigation strategies for systems incapable of managing password resets automatically or via procedure
    - Multi-factor authentication
    - Access rights based on the principle of ‘least privilege’, including separation of duties and admin access controls
    - Assessment and, where possible, remediation of shared login accounts
  - Implementation of continuous monitoring and detection policies and procedures to prevent, detect, and respond to cybersecurity threats and/or attacks, including:
    - Malicious email protections
    - Security controls to prevent access to or communication with potentially malicious operators
    - Security controls to minimize web access to potentially malicious sites
    - Blocking of unauthorized code, including macros, shareware, and customized applications
    - Procedures to audit unauthorized access
    - Procedures to document communications to/from OT systems that deviate from pretested and approved communication paths
    - Procedures to identify and respond to execution of unauthorized code
    - Procedures to implement capabilities to define, prioritize, and drive standardized incident response activities
    - Policies that address continuous collection of data associated with potential intrusions, and retention timeframes
    - Implementation strategies to isolate systems deemed potentially compromised, both within the OT network and to/from the IT environment
  - Provisions and standards for proper patch management of all OT systems, controllers and devices, including a risk methodology for categorizing patches or updates
  - Prioritization of all security patches and updates listed in CISA’s Known Exploited Vulnerabilities Catalog
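The patch management and KEV prioritization items above call for a repeatable risk methodology. The following is an added example (not part of the directive or any TSA guidance) of one such methodology in Python: it cross-references a constructed OT asset inventory against a constructed snapshot of the CISA KEV catalog feed (the field names follow the real JSON feed; the CVE IDs, assets and dates are placeholders) and assigns each open vulnerability a patch tier based on KEV membership, whether the asset was identified as a Critical System, and whether the KEV due date has passed.

```python
import json
from datetime import date

# Constructed sample of the CISA KEV catalog JSON feed. Field names follow the real
# feed; the CVE IDs, products and dates are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "PLC Firmware",
     "dateAdded": "2022-06-01", "dueDate": "2022-06-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "HMI Suite",
     "dateAdded": "2022-07-01", "dueDate": "2022-09-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed OT asset inventory: each identified OT system, whether it was designated
# a Critical System, and the CVEs still open on it (from scanning or vendor advisories).
INVENTORY = [
    {"asset": "plc-compressor-01", "critical": True,  "cves": ["CVE-0000-0001"]},
    {"asset": "hmi-control-room",  "critical": True,  "cves": ["CVE-0000-0002", "CVE-0000-0009"]},
    {"asset": "historian-dev",     "critical": False, "cves": ["CVE-0000-0001"]},
    {"asset": "eng-workstation",   "critical": False, "cves": ["CVE-0000-0002"]},
]

def load_kev(feed_json: str) -> dict:
    """Index a KEV feed (the real feed has the same top-level shape) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, today: date):
    """Return (asset, cve, tier, kev_due_date) rows, most urgent first.

    Tier 1: in KEV and on a Critical System, or KEV due date already passed
    Tier 2: in KEV, on a non-critical OT system, due date still in the future
    Tier 3: not in KEV; handled by the routine patch cycle
    """
    rows = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            if entry is None:
                rows.append((item["asset"], cve, 3, None))
                continue
            due = date.fromisoformat(entry["dueDate"])
            tier = 1 if item["critical"] or due < today else 2
            rows.append((item["asset"], cve, tier, due))
    # Order by tier, then by earliest KEV due date; non-KEV rows sort last within tier 3.
    return sorted(rows, key=lambda r: (r[2], r[3] or date.max))

if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_SAMPLE), date(2022, 7, 27)):
        print(row)
```

In practice the feed would be fetched from CISA and the inventory from the asset register built in the Critical Systems identification step; the tiers then feed the patch categorization the directive asks for.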