
Prior to the 2021 Colonial Pipeline ransomware attack, the Transportation Security Administration (TSA), under the Department of Homeland Security, only suggested best practices for pipeline companies.[1] But after the Colonial attack threatened to cripple trade, consumer transportation, and manufacturing, the U.S. Government issued executive orders and legislation and empowered TSA to prevent future events at pipeline carriers. TSA will soon expand its cybersecurity regulations to apply to “surface carriers” of certain chemicals, including natural gas, at an estimated cost to the industry of $300 million annually.
Previously, cybersecurity advisories in the chemical industry were issued through the Chemical Facility Anti-Terrorism Standards (CFATS), which applied to facilities holding high-risk (explosive, valuable) chemicals.[2] CFATS, which has since expired, required mandatory reporting of cybersecurity incidents to DHS.
In its absence, the U.S. Government issued more specific cybersecurity regulations, in part through the TSA, entitled the “Security Directive (SD) Pipeline-2021-02 series: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing.” The SD series applies to Owner/Operators of TSA-designated hazardous liquid and natural gas pipelines or liquefied natural gas facilities.
Since 2021, the SD series has been updated five (5) times, with each new iteration imposing new requirements and extending TSA's authority to enforce them. Most recently, TSA issued SD 2021-02E, which expires on July 27, 2025. Collectively with its predecessors, SD 2021-02E imposes seven (7) requirements on pipeline companies and liquefied natural gas facilities, three (3) of which are new:
Identify the Owner/Operator’s Critical Cyber Systems (those that, if compromised, would result in an operational interruption) for TSA review.
Implement network segmentation policies and controls designed to prevent operational disruption to the Operational Technology system in the event of a cybersecurity incident.
Implement access control measures, including for local and remote access, to secure and prevent unauthorized access to Critical Cyber Systems.
Implement continuous monitoring and detection policies and procedures that are designed to prevent, detect, and respond to cybersecurity threats and anomalies affecting Critical Cyber Systems.
Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems consistent with the Owner/Operator’s risk-based methodology.
Develop and maintain a Cybersecurity Incident Response Plan (CIRP).
Develop a Cybersecurity Assessment Plan for proactively assessing and auditing cybersecurity measures.
Although broadly worded, each of the requirements includes specific subcomponents. These include the creation and implementation of procedures to audit unauthorized access to internet domains and addresses, as well as a demilitarized zone to prevent unauthorized communications with “Critical Cyber Systems.” The CIRP must include instructions on network segmentation and isolation, along with a named responsible party.
In November 2024, TSA announced similar proposed rules for surface carriers of hazardous chemicals and liquefied natural gas in Federal Register Volume 89, Issue 216. Intended to strengthen cybersecurity and resiliency for the surface transportation sector, the proposed rule (to be codified in 49 CFR Parts 1500 et seq.) imposes three (3) primary requirements on owners and operators:
Annually conduct an enterprise-wide cybersecurity evaluation (including physical and logical/virtual controls).
Develop a “Cybersecurity Operational Implementation Plan” (COIP) that details the measures protecting Critical Cyber Systems and includes a CIRP.
Develop a “Cybersecurity Assessment Program” (CAP) that includes assessments conducted by independent third parties.
In addition to its “primary requirements,” the proposed rule includes minimum initial and recurring cybersecurity training (§§ 1580.319, 1582.219, and 1586.219). Certain employees with access or privileges to Critical Cyber Systems are required to receive both basic and role-based cybersecurity training. Curriculum requirements for basic cybersecurity training include best practices, acceptable use, risks associated with their level of privileged access, and awareness of the security risks associated with their actions.
The proposed rule would require surface facilities to designate a Physical Security Coordinator to report significant physical security concerns.[3] TSA also gives itself the authority to inspect a facility unannounced (including nights, weekends, and holidays)[4] and to set deadlines by which supporting documentation must be submitted to TSA for review and compliance confirmation.[5] TSA can bring an enforcement action against Owners/Operators who do not comply with these rules,[6] including civil monetary penalties.[7]
TSA is reviewing over 10,000 industry comments before making revisions and/or rendering the rule “Final.” With an estimated $307,000,000 annual price tag for the industry, TSA will hopefully balance feasibility with effectiveness.
[1] https://www.law.georgetown.edu/environmental-law-review/blog/cybersecurity-policy-responses-to-the-colonial-pipeline-ransomware-attack/.
[3] Fed. Reg. Vol. 89, No. 216 Pg. 88524.
[4] Fed. Reg. Vol. 89, No. 216 Pg. 88527.
[5] Fed. Reg. Vol. 89, No. 216 Pg. 88530.
[6] Fed. Reg. Vol. 89, No. 216 Pg. 88527.
[7] Fed. Reg. Vol. 89, No. 216 Pg. 88527.