Ratification of Security Directives

Ratification of Security Directives

Supplementary Information

I. Background

A. Cybersecurity Threat

The cyber threat to the country's critical infrastructure has only increased in the time since TSA issued its initial cybersecurity-related security directive (Security Directive Pipeline-2021-01) in response to the Colonial Pipeline incident. Cyber threats to surface transportation systems, including pipelines, continue to proliferate, as both nation-states and criminal cyber groups continue to target critical infrastructure in order to cause operational disruption and economic harm. ⁽¹⁾ Cyber incidents, particularly ransomware attacks, are likely to increase in the near and long term, due in part to vulnerabilities identified by threat actors in U.S. networks. ⁽²⁾ Particularly in light of the ongoing Russia-Ukraine conflict, ⁽³⁾ these threats remain elevated and pose a risk to the national and economic security of the United States.

B. Security Directive Pipeline-2021-01C

On May 27, 2021, TSA issued Security Directive Pipeline-2021-01, which was the first of two security directives issued by TSA to enhance the cybersecurity of critical pipeline systems in response to the Colonial Pipeline attack on May 7, 2021. Security Directive Pipeline-2021-01, and the subsequent amendments in this series, required covered owner/operators to: (1) report cybersecurity incidents to CISA; (2) appoint a cybersecurity coordinator to be available 24/7 to coordinate with TSA and CISA; and (3) conduct a self-assessment of cybersecurity practices, identify any gaps, and develop a plan and timeline for remediation. ⁽⁴⁾ This first security directive went into effect on May 28, 2021, was ratified by the TSOB on July 3, 2021, and was set to expire on May 28, 2022. ⁽⁵⁾

On December 2, 2021, TSA issued Security Directive Pipeline-2021-01A, amending Security Directive Pipeline-2021-01, to update the definition of cybersecurity incident covered by the directive's reporting requirement and align it with the definition applicable to the other modes. ⁽⁶⁾ The TSOB ratified Security Directive Pipeline-2021-01A on December 29, 2021. ⁽⁷⁾ Security Directive Pipeline-2021-01, as amended by Security Directive Pipeline-2021-01A, was set to expire May 28, 2022. On May 27, 2022, TSA issued Security Directive Pipeline-2021-01B to extend the requirements of Security Directive Pipeline-2021-01A for an additional year. ⁽⁸⁾ Security Directive Pipeline-2021-01B became effective May 29, 2022 and was set to expire on May 29, 2023. The TSOB ratified Security Directive Pipeline-2021-01B on June 24, 2021. ⁽⁹⁾

In light of the continuing threat, TSA determined that the measures required by the Security Directive Pipeline-2021-01, as amended and extended by Security Directive Pipeline-2021-01A and Security Directive Pipeline-2021-01B, remain necessary to protect the Nation's critical pipeline infrastructure beyond Security Directive Pipeline-2021-01B's expiration date of May 29, 2023. On May 22, 2023, TSA issued Security Directive Pipeline-2021-01C to extend the requirements of Security Directive Pipeline-2021-01B for an additional year. Security Directive Pipeline-2021-01C became effective May 29, 2023 and expires on May 29, 2024. Security Directive Pipeline-2021-01C contains no substantive changes from Security Directive Pipeline-2021-01B. Security Directive Pipeline-2021-01C is available online in TSA's Surface Transportation Cybersecurity Toolkit. ⁽¹⁰⁾

C. Security Directive Pipeline-2021-02D

On July 19, 2021, TSA issued Security Directive Pipeline-2021-02, the second security directive TSA issued in response to the attack on Colonial Pipeline. This directive required owner/operators to implement additional cybersecurity measures to prevent disruption and degradation to their infrastructure in response to the ongoing threat, including a number of specific, prescribed mitigation measures. ⁽¹¹⁾ On December 17, 2021, TSA issued Security Directive Pipeline-2021-02B, revising Security Directive Pipeline-2021-02 to provide additional flexibility to owner/operators in complying with certain requirements. The TSOB ratified Security Directive Pipeline-2021-02B on January 13, 2022. ⁽¹²⁾

On July 21, 2022, TSA issued Security Directive Pipeline-2021-02C, transitioning the requirements of the previous versions in the series to be more performance-based and less prescriptive. The performance-based approach enhanced security by mandating that critical security outcomes are achieved while allowing owner/operators to choose the most appropriate security measures for their specific systems and operations. The directive became effective on July 27, 2022, and was set to expire on July 27, 2023. The TSOB ratified Security Directive Pipeline-2021-02C on August 19, 2022. ⁽¹³⁾

Security Directive Pipeline-2021-02C identified critical security outcomes that covered parties must achieve. To ensure that these outcomes are met, the directive requires owner/operators to:

• Establish and implement a TSA-approved Cybersecurity Implementation Plan (CIP) that describes the specific cybersecurity measures employed and the schedule for achieving the security outcomes identified;
• Develop and maintain an up-to-date Cybersecurity Incident Response Plan (CIRP) to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, as defined in the directive, should the Information and/or Operational Technology systems of a gas or liquid pipeline be affected by a cybersecurity incident; and
• Establish a Cybersecurity Assessment Program (CAP) and submit an annual plan that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities.

In light of the continuing threat, TSA issued Security Directive Pipeline-2021-02D on July 26, 2023, extending the requirements of Security Directive Pipeline-2021-02C for an additional year. The directive became effective on July 27, 2023, and expires on July 27, 2024.

In addition to extending the performance-based requirements, Security Directive Pipeline-2021-02D includes several revisions intended to strengthen the effectiveness of the directive's requirements and allow greater ability to respond to changing threats. Security Directive Pipeline-2021-02D modified the requirements related to CIRPS and CAPS to provide greater clarity and strengthen their effectiveness and to ensure the provisions related to defining Critical Cyber Systems allow flexibility to respond to emerging and evolving threats. The security directive also contains several other clarifications and refinements of the existing requirements. The revisions contained in the directive were made following engagement with covered entities and in consultation with federal partners. Security Directive Pipeline-2021-02D is available online in TSA's Surface Transportation Cybersecurity Toolkit. ⁽¹⁴⁾

II. TSOB Ratification

TSA has broad statutory responsibility and authority to safeguard the nation's transportation system. ⁽¹⁵⁾ The TSOB-a body consisting of the Secretary of Homeland Security, the Secretary of Transportation, the Attorney General, the Secretary of Defense, the Secretary of the Treasury, the Director of National Intelligence, or their designees, and a representative of the National Security Council-reviews certain TSA regulations and security directives as consistent with law. ⁽¹⁶⁾ TSA issued Security Directive Pipeline-2021-01C and Security Directive Pipeline-2021-02D under 49 U.S.C. 114( l )(2)(A), which authorizes TSA to issue emergency regulations or security directives without providing notice or the opportunity for public comment where "the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security." Security directives issued pursuant to the procedures in 49 U.S.C. 114( l )(2) "shall remain effective for a period not to exceed 90 days unless ratified or disapproved by the Board or rescinded by the Administrator."  ⁽¹⁷⁾

Following the issuance of Security Directive Pipeline-2021-01C on May 22, 2023, the chair of the TSOB convened the board to review the directive. In reviewing Security Directive Pipeline-2021-01C, the TSOB reviewed the required measures extended by the directive and the continuing need for TSA to maintain these requirements pursuant to its emergency authority under 49 U.S.C. 114( 1 )(2) to prevent the disruption and degradation of the country's critical transportation infrastructure. The TSOB also considered whether to authorize TSA to extend the security directive beyond its current expiration date of May 29, 2024, subject to certain conditions, should the TSA Administrator believe such an extension is necessary to address the evolving threat that may continue beyond the original expiration date.

Following its review, the TSOB ratified Security Directive Pipeline-2021-01C on June 21, 2023. The TSOB also authorized TSA to extend the security directive beyond its current expiration date, should the TSA Administrator determine such an extension is necessary to address the evolving threat that may continue beyond the original expiration date. Such an extension is subject to the following conditions: (1) there are no changes to the security directive other than an extended expiration date; (2) the TSA Administrator makes an affirmative determination that conditions warrant the extension of the directive's requirements; and (3) the TSA Administrator documents such a determination and notifies the TSOB.

After TSA issued Security Directive Pipeline-2021-02D on July 26, 2023, the chair of the TSOB again convened the board to review that directive. In reviewing Security Directive Pipeline-2021-02D, the TSOB reviewed the amended required measures extended by the directive as well as the continuing need for TSA to maintain these requirements pursuant to its emergency authority under 49 U.S.C. 114( l )(2) to protect critical transportation infrastructure. Again, the TSOB also considered whether to authorize TSA to extend Security Directive Pipeline-2021-02D beyond its current expiration date of July 27, 2024, subject to the same conditions, should the TSA Administrator believe such an extension is necessary to address the threat.

The TSOB ratified Security Directive Pipeline-2021-02D on August 24, 2023. The TSOB also authorized TSA to extend the security directive beyond its current expiration date, should the TSA Administrator determine such an extension is necessary to address the evolving threat that may continue beyond the original expiration date. Such an extension is subject to the following conditions: (1) there are no changes to the security directive other than an extended expiration date; (2) the TSA Administrator makes an affirmative determination that conditions warrant the extension of the directive's requirements; and (3) the TSA Administrator documents such a determination and notifies the TSOB.

⁽¹⁾  Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence, 10, 15 (February 2023); Press Release 23-530, Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia's Federal Security Service, Department of Justice, issued on May 9, 2023, available at https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled; Joint Cybersecurity Advisory (AA23-144a), People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, released by CISA on May 24, 2023.

⁽²⁾  Alert (AA22-040A), 2021 Trends Show Increased Globalized Threat of Ransomware, released by CISA on February 10, 2022 (as revised).

⁽³⁾  Joint Cybersecurity Alert-Alert (AA22-011A), Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, released by CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) on January 11, 2022 (as revised); Joint Cybersecurity Alert-Alert (AA22-110A), Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, released cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom on April 20, 2022 (as revised).

⁽⁴⁾  Security Directive Pipeline-2021-01: Enhancing Pipeline Cybersecurity.

⁽⁵⁾  86 FR 38209.

⁽⁶⁾  During TSA's development of cybersecurity actions applicable to other transportation modes, TSA made a determination to modify the definition of cybersecurity incident it had used in the first security directive following industry input and consultation with DHS cybersecurity experts.

⁽⁷⁾  87 FR 31093.

⁽⁸⁾  88 FR 36919. Security Directive Pipeline-2021-01B also extended the deadline by which cybersecurity incidents must be reported to CISA from 12 hours to 24 hours after an incident is identified. This change aligned the reporting timeline for critical pipeline entities to mirror the reporting requirements applicable to other surface transportation entities and aviation entities.

⁽⁹⁾ Id.

⁽¹⁰⁾  TSA Surface Transportation Cybersecurity Toolkit, available at https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit.

⁽¹¹⁾  Security Directive Pipeline-2021-02 became effective on July 26, 2021, and was ratified by the TSOB on August 17, 2021.

⁽¹²⁾ See 87 FR 31093 (May 23, 2022).

⁽¹³⁾ See 88 FR 36919 (May 6, 2023). The TSOB also authorized TSA to extend Security Directive Pipeline-2021-02C beyond its expiration date of July 27, 2023, subject to certain conditions, including that such an extension would make no changes other than the extension of the expiration date.

⁽¹⁴⁾  TSA Surface Transportation Cybersecurity Toolkit, available at https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit.

⁽¹⁵⁾ See, e.g., 49 U.S.C. 114(d), (f), ( l ), (m).

⁽¹⁶⁾ See, e.g., 49 U.S.C. 115; 49 U.S.C. 114( l )(2)(B).

⁽¹⁷⁾  49 U.S.C. 114( l )(2)(B).