TSA Pipeline Cybersecurity Directive SD02D 
On July 26, 2023, the U.S. Department of Homeland Security issued a major update to the TSA pipeline directive SD02C, which had previously been updated in July 2022. The new TSA cybersecurity pipeline directive is effective as of July 27, 2023. The “Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing” directive is targeted at Owner/Operators of hazardous liquid and natural gas pipelines and lays out a timetable and the actions that will be required for compliance.
As of July 26, 2023, many of the nation’s leading pipeline operators in the US were notified of these new requirements. This update further pushes the transition to a more flexible, performance-based approach. Per the TSA, the following high-level cybersecurity requirements must be met to prevent disruption and degradation of TSA-identified facilities:
- Establishment and implementation of a TSA-approved Cybersecurity Implementation Plan
- Development and maintenance of a Cybersecurity Incident Response Plan to reduce the risk of operational disruption; and
- Establishment of a Cybersecurity Assessment Program and submission of an annual plan that describes how the Owner/Operator will assess the effectiveness of cybersecurity measures and provide assessment results from the previous year.
What is the TSA Pipeline Directive?
Back in 2021 the TSA launched a set of mandatory cybersecurity rules for critical pipelines and LNG facilities. The TSA pipeline directive sets immediately applicable expectations for the program to be developed and maintained by Owner/Operators. The requirements of the TSA pipeline cybersecurity directive include:
- The requirements apply to all notified Owner/Operators as well as additional ‘critical Pipeline Systems or Facilities’ identified by the TSA after the notification date. All newly identified Owner/Operators will be notified by the TSA and provided with specific compliance deadlines for the requirements of the SD02D Security Directive.
- If an Owner/Operator determines they do not have Critical Cyber Systems, they must notify the TSA in writing within 60 days of the effective date of this security directive.
- All Owner/Operators shall submit a Cybersecurity Implementation Plan for TSA approval. This plan sets the security measures and requirements against which the TSA inspects for compliance.
- If an Owner/Operator is denied approval of their updated Cybersecurity Implementation Plan, they must file a petition for reconsideration within 30 calendar days.
- Implementation of a ‘zero trust’ policy to manage unauthorized execution, monitoring, or data acquisition, both within OT networks and between IT and OT networks, is expected. The Cybersecurity Implementation Plan must also include time-based evaluation and execution of the following:
- Identification of all OT based Critical Systems
- Network segmentation policies and controls that include an isolated interface between IT and OT environments
- Understanding and definition of all external connections (whether for ingress or egress) from the OT environment
- IT/OT zone boundaries, definitions, logical segmentation, criticality, consequence, and necessity for business continuity
- Security approach for protecting zones while data is at rest and in transit; this may include new encryption requirements
- Access control measures for both local and remote system access and control, including:
- Identification and authentication policies and procedures
- Schedules for password and/or security resets
- Mitigation strategies for systems incapable of managing password resets automatically or via procedure
- Multi-factor authentication
- Access rights based on the principle of ‘least privilege’ including separation of duties and admin access controls
- Assessment and, as far as possible, remediation of shared login accounts, with procedures that describe the compensating controls that will be applied
- Implementation of continuous monitoring and detection policies and procedures to prevent, detect, and respond to cybersecurity threats and/or attacks
- Malicious email protections
- Security controls to prevent access by, or communication with, potentially malicious operators
- Security controls to minimize web access to potentially malicious sites
- Blocking of unauthorized code including macros, shareware, and customized applications
- Procedure to audit unauthorized access
- Procedure to document communications to/from OT systems that deviate from pretested and approved communication paths
- Procedure to identify and respond to execution of unauthorized code
- Procedure to implement capabilities to define, prioritize, and drive standardized incident response activities
- Policies that address continuous collection of data associated with potential intrusions and retention timeframes
- Implementation strategies to isolate systems deemed as potentially compromised both within the OT network and to/from the IT environment
- Provisions and standards for proper patch management of all OT systems, controllers and devices including a risk methodology for categorizing patches or updates
- Prioritization of all security patches and updates on CISA’s Known Exploited Vulnerabilities Catalog
- Owner/Operators must have an up-to-date Cybersecurity Incident Response Plan for their Critical Cyber Systems that includes measures to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, should their pipeline or facility experience a cybersecurity incident. This response plan must provide measures sufficient to ensure the following objectives:
- Prompt containment of infected systems
- Segregation of infected networks to ensure malicious code does not spread further
- Ensuring the security and integrity of backed-up data, including methods to store data separately and procedures to ensure that data used for testing and restoration is free of malicious code
- Establishing the capability and governance for isolating IT and OT systems in the event of a cyber incident
- Identifying who (by position) is responsible for implementing specific measures in the Incident Response Plan, along with all required resources
- Inclusion of cybersecurity architecture design review at least once every two years.
- Incorporation of other assessment capabilities such as penetration testing and “red” and “purple” team adversarial testing.
- Implementation of a schedule for assessing and auditing specific cybersecurity measures.
- Maintain secure, up-to-date records, available to the TSA at any time, of all the following documentation in order to establish compliance:
- All documentation for the hardware/software asset inventory, including supervisory control and data acquisition (SCADA) systems
- All documentation for firewall rules
- All documentation for network diagrams, switch and router configurations, architecture diagrams, publicly routable internet protocol addresses, and virtual local area networks (VLANs)
- All policy, procedural, and other documents that informed the development of, and document the implementation of, the Owner/Operator’s Cybersecurity Implementation Plan, Cybersecurity Incident Response Plan, and Cybersecurity Assessment Plan, together with assessment or audit results
- All documentation for a “snapshot” of activity on and between Information Technology and Operational Technology systems, such as log files and network traffic captures covering East-West traffic (inside the OT network) and North-South traffic (outside the OT network)
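The patch-management item above calls for a risk methodology that puts CISA Known Exploited Vulnerabilities first. The following is an added illustration of such a triage rule, not code from the directive or from Mangan; the asset inventory, CVE identifiers and KEV subset are all constructed placeholders, and the tier rules are an assumed methodology an Owner/Operator would tailor to their own plan.

```python
"""Added example: KEV-first triage of pending OT patches (constructed data)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed placeholder KEV subset. A real plan would load the current
# catalog from CISA and refresh it on the plan's evaluation schedule.
KEV_SAMPLE = {"CVE-2000-0001", "CVE-2000-0003"}

@dataclass(frozen=True)
class PendingPatch:
    asset: str                   # OT asset name from the inventory
    cve: str                     # vulnerability the patch addresses
    critical: bool               # asset designated a Critical Cyber System
    externally_reachable: bool   # asset has an external ingress/egress path

def risk_tier(p: PendingPatch, kev: set[str]) -> tuple[int, str]:
    """Assumed methodology: lower tier number = patch sooner.
    Tier 1: on KEV and on a critical or externally reachable asset.
    Tier 2: on KEV, asset neither critical nor exposed.
    Tier 3: not on KEV, but asset is critical or exposed.
    Tier 4: everything else (routine maintenance window)."""
    on_kev = p.cve in kev
    exposed = p.critical or p.externally_reachable
    if on_kev and exposed:
        return 1, "KEV on critical/exposed asset: patch immediately"
    if on_kev:
        return 2, "KEV: patch in next emergency window"
    if exposed:
        return 3, "critical/exposed asset: next change window"
    return 4, "routine maintenance"

def prioritize(patches: list[PendingPatch], kev: set[str]) -> list[tuple[str, str, int, str]]:
    """Order pending patches by tier, then asset name, for a stable, auditable list."""
    scored = [(p, *risk_tier(p, kev)) for p in patches]
    scored.sort(key=lambda row: (row[1], row[0].asset))
    return [(p.asset, p.cve, tier, label) for p, tier, label in scored]

# Constructed sample inventory of pending patches.
INVENTORY = [
    PendingPatch("plc-compressor-01", "CVE-2000-0001", True, False),
    PendingPatch("hmi-control-room", "CVE-2000-0002", True, True),
    PendingPatch("historian-dmz", "CVE-2000-0003", False, True),
    PendingPatch("eng-workstation-02", "CVE-2000-0003", False, False),
    PendingPatch("printer-server", "CVE-2000-0004", False, False),
]

if __name__ == "__main__":
    for asset, cve, tier, label in prioritize(INVENTORY, KEV_SAMPLE):
        print(f"tier {tier}  {asset:<20} {cve}  {label}")
```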
The July 2023 Updates
- Owner/Operators must re-assess whenever their operating methods change and notify the TSA if they determine they now have Critical Cyber Systems.
- Owner/Operators must follow the Section VI procedures in this security directive if their Cybersecurity Implementation Plan changes as a result of the July SD02D update.
- Cybersecurity Implementation Plan “Alternative Measures” and attachments from SD02C – Removed.
- TSA (post consultation) may inform Owner/Operators to include additional Critical Cyber Systems in their Cybersecurity Implementation Plan.
- Owner/Operators are required to test at least two Cybersecurity Incident Response Plan objectives no less than annually. Identified employees (by position) must participate in the required Cybersecurity Incident Response Plan exercise.
- Cybersecurity Assessment Program replaced with “Cybersecurity Assessment Plan” (CAP)
- Owner/Operators must submit an annual Cybersecurity Assessment Plan update for TSA approval; subsequent updates also require approval.
- The Cybersecurity Assessment Plan must include a timeline ensuring that at least 30% of the policies, procedures, measures, and capabilities in the Cybersecurity Implementation Plan are evaluated annually, with 100% evaluated within three years.
- An annual Cybersecurity Assessment Plan report must be submitted to the TSA, including the Cybersecurity Implementation Plan evaluation results and the methods used to determine whether the annually evaluated Cybersecurity Implementation Plan items are proving as effective as originally planned.
- All previously developed plans, assessments, tests, and evaluations used to meet the requirements of SD02D (listed in the index) must now be included in the Cybersecurity Implementation Plan and provided to the TSA as needed.
- Owner/Operators must submit all documentation in the manner defined by the TSA.
TSA Pipeline Directive Recommendations
At Mangan Cybersecurity, we know that meeting these objectives is not only paramount, but essential. This is why we strive to be proactive in our planning and remediation efforts, knowing that projects may require the TSA cybersecurity pipeline directive mandates to be understood, evaluated, and potentially applied.
In order to meet the criteria of the 2023 TSA pipeline security directive update, Mangan Cybersecurity recommends a tiered approach consisting of the following steps:
Assessment – Review the TSA pipeline directive to determine the areas and environments that need to be covered in the Cybersecurity Implementation Plan.
Training – Identify capabilities to meet the SD02D and execute operations-specific training for PMs, Engineers, and OT Cyber Personnel.
Strategize – Develop the Cybersecurity Implementation Plan and Cybersecurity Incident Response Plan so that they can be tested and evaluated for the projects and facilities that fall within the TSA directive requirements.
Execute – Complete and implement the plans utilizing Mangan Cybersecurity’s ICSSbD® methodology to provide comprehensive OT cybersecurity and remain in compliance with the TSA pipeline directive.
To engage with Mangan about an assessment to satisfy all of the TSA SD02D Requirements, chat live with a representative 24/7 so we can gather your contact information or reach out and contact us via phone or email.