March 31, 2023

Volume XIII, Number 90
Advertisement

49

New Articles
Bottom Row Image
Advertisement

March 31, 2023

Subscribe to Latest Legal News and Analysis

March 30, 2023

Subscribe to Latest Legal News and Analysis

March 29, 2023

Subscribe to Latest Legal News and Analysis

Article By

Catherine D. Little
Annie Cook
Seth D. DuCharme
Anissa L. Adas
Mandi Moroz

Bracewell LLP
Update

Related Practices & Jurisdictions
Advertisement

TSA Revises Cybersecurity Directive for Critical Pipeline and LNG Facilities

Sunday, July 31, 2022


Following significant collaboration with the industry, the Transportation Security Administration (TSA) issued a revised directive, effective July 27, 2022, which updates one of the prior directives issued in the wake of a May 2021 cyberattack on one of the nation’s largest interstate oil pipelines. Similar to the prior directives, this latest version, Security Directive Pipeline-2021-02C, incorporates several key modifications that provide more flexibility for operators of critical pipeline and LNG infrastructure who are subject to the directives.  This includes reliance on a performance-based, rather than prescriptive, security outcome model, which is more aligned with the federal pipeline safety regulations and allows operators to develop plans that are tailored to their pipeline systems. The updated directive, along with a portion of previous Directive 2021-02B, is set to expire within one year, on July 27, 2023, during which time the TSA intends to pursue formal rulemaking.

TSA remains concerned that risks to critical pipeline systems and LNG facilities continue to be high.  As such, TSA mandates in its most recent directive that the following additional protocols be developed and incorporated into response plans:

  • Cybersecurity Implementation Plan. This plan must be submitted to TSA for approval within 90 days of the effective date of the directive (i.e., by Oct. 25, 2022). The plan must provide specific measures and a proposed schedule for implementation of network segmentation policies and controls, access control measures, policies and controls to manage access rights; policies that limit the availability and use of shared accounts, continued monitoring and detection procedures; and policies to reduce the exploitation risks of unpatched systems.
  • Cybersecurity Incident Response Plan.
  • Cybersecurity Assessment Program (including annual submission of plans to assess cybersecurity effectiveness and vulnerabilities).

Notably, until a Cybersecurity Implementation Plan is approved by TSA, owner/operators of critical pipeline and LNG facilities are required to continue to implement the July 2021 Security Directive Pipeline-2021-02B, attached to the new Security Directive Pipeline-2021-02C, along with any TSA approved action plans or alternative measures.  In part, these new requirements reflect feedback from the pipeline and LNG industry on the prior directives, particularly with respect to allowing more flexibility for security practices involving operational technology (OT) systems as opposed to the previous emphasis on information technology (IT) systems.  In addition, updated Security Directive Pipeline-2021-01B (which, on May 29, 2022, replaced and superseded the May 2021 Security Directive Pipeline-2021-01A) revised the reporting requirements to mandate reporting within 24 hours (rather than 12 hours). 

TSA’s demands on owners and operators of critical pipelines and LNG facilities, however, remain stringent. In a press release about the latest directive, TSA Administrator David Pekoske said, “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.” Whether or not the performance-based approach actually facilitates sufficient flexibility for critical pipeline and LNG owners and operators remains to be seen, and a number of prescriptive requirements remain in the updated directive.

While the latest revision is encouraging and the directive’s language indicates more flexible requirements for the industry, pipeline and LNG critical facility owners and operators should seek expert advice when developing, implementing, and assessing their incident response plans to ensure that they remain on track with the ever-evolving standards. 


© 2023 Bracewell LLPNational Law Review, Volume XII, Number 212
Advertisement
Advertisement
Advertisement

About this Author

Catherine Little Energy Law Attorney Bracewell Washington DC
Catherine D. Little
Partner

For more than 30 years, Catherine Little has counseled oil and gas pipeline, terminal and LNG clients across the United States on energy, transportation and safety-related legal matters at the federal, state and local levels. In particular, Catherine regularly advises on a full range of regulatory compliance and enforcement defense matters, including construction and siting, operations, maintenance, inspection, incident response and security issues. Catherine counsels clients with respect to litigation strategy and frequently manages large-scale confidential investigations and compliance...

[email protected]
1.202.828.7403
www.bracewell.com
Annie Cook
Annie Cook Energy Law Attorney Bracewell Law Firm Washington DC
Partner

Annie Cook represents oil and natural gas pipeline, terminal and LNG facility operators with regard to transportation, safety and related laws. Annie regularly advises clients on construction and siting, incident response, regulatory compliance, litigation strategy and enforcement defense under the Pipeline Safety Act, the Natural Gas Act and related state laws. Annie has assisted clients in successfully challenging administrative agency actions at the federal appellate level. She also assists with confidential and large-scale investigations and compliance audits to identify legal risks...

[email protected]
1.202.828.7404
www.bracewell.com
Seth D. DuCharme
Seth DuCharme Insurance Lawyer Bracewell LLP
Partner

Seth DuCharme draws on his 14 years of experience as a senior-level law enforcement officer to advise companies and individuals on cases involving cybersecurity and breach response, Foreign Corrupt Practices Act (FCPA) diligence and litigation, export controls, sanctions compliance and anti-money laundering.

Seth served in the United States Attorney’s Office for the Eastern District of New York from 2008 through 2021. He held various positions at the Eastern District, including Chief of the Criminal Division, Chief of the National Security & Cybercrime Section, and Acting United...

[email protected]
212-508-6165
bracewell.com/
Anissa L. Adas
Anissa L. Adas Commercial Litigation Lawyer Bracewell
Associate

Anissa Adas focuses her practice on complex commercial litigation and appeals, compliance reviews and white collar criminal defense. During law school, she served as a judicial intern for the Honorable Marian Blank Horn of the United States Court of Federal Claims.

Anissa has also handled pro bono matters involving immigration and criminal defense.

[email protected]
1.212-938-6403
www.bracewell.com
Mandi Moroz
Assocaite

Mandi Moroz assists clients with both energy and environmental regulatory matters. She has extensive experience advising oil and natural gas pipeline, terminal and LNG facility operators on a variety of regulatory compliance matters under the Pipeline Safety Act. This work includes enforcement defense and counseling clients on matters related to operations, maintenance, incident response, integrity management and other regulatory requirements. In her practice, Mandi also has experience collaborating with trade groups, advising clients on protections for confidential and security...

[email protected]
1.202.828.5873
www.bracewell.com