TSA revises cyber rules for pipelines

A natural gas pipeline in Washtenaw County, Michigan. Getty Images

The Transportation Security Administration reissued its pipeline cybersecurity directive to offer flexibility to operators.

The Transportation Security Administration revised its cybersecurity guidelines for the nation's critical pipeline operators and companies to take into account industry requests for more flexibility in defending their networks.

Guidelines were first put in place last July in response to the May 2021 hack of Colonial Pipeline's business systems. The company shut off fuel delivery to much of the East Coast for six days to recover from the attack.  

Covered companies responded with a flurry of requests to TSA for individual exceptions to the original directive. According to a TSA fact sheet, there were more than 380 requests from operators to implement alternative measures to those specified in the first security directive. 

The new security directive shifts the policy to offer pipeline operators "more flexibility to meet the intended security outcomes." The guidelines also extend the mandatory notification period from 12 hours to 24 hours after a company identifies a breach.

TSA Administrator David Pekoske said in a statement announcing the updated directive that the reissued guidelines follow "significant collaboration" between the agency and key stakeholders in the oil and natural gas pipeline industry.

"The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements," he said. "We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes."