USNational Security

DHS Rolls Out New Cybersecurity Rules for Pipeline Owners, Operators

Save
DHS Rolls Out New Cybersecurity Rules for Pipeline Owners, Operators
Export oil pipelines at an oil facility in the Khark Island, on the shore of the Gulf, on Feb. 23, 2016. (STR/AFP via Getty Images)
Naveen Athrappully
7/24/2022
Updated:
7/26/2022
0:00

The Department of Homeland Security (DHS) has issued a memorandum detailing new cybersecurity rules for owners and operators of pipelines, a decision seen as a victory by the pipeline industry.

The Security Directive Pipeline-2021-02C (SD02C) is applicable to operators or owners of hazardous liquid and natural gas pipelines or a liquefied natural gas facility who have already been notified by the Transportation Security Administration (TSA) that their “pipeline system or facility is critical,” the memorandum states. The new rules take effect on July 27. The TSA is an agency of the DHS.

According to the new SD02C guidelines, pipeline owners and operators are required to “1) Establish and implement a TSA-approved Cybersecurity Implementation Plan; 2) Develop and maintain a Cybersecurity Incident Response Plan to reduce the risk of operational disruption; and 3) Establish a Cybersecurity Assessment Program, and submit an annual plan that describes how the Owner/Operator will assess the effectiveness of cybersecurity measures.”

Pipeline owners and operators must submit the Cybersecurity Implementation Plan for TSA approval 90 days after the effective date of the SD02C. Once TSA approves the plan, operators and owners must implement and maintain “all measures” within the plan’s schedule.

The owners and operators must implement network segmentation policies and controls to prevent operational disruptions, implement access control measures, implement continuous monitoring and detection policies to detect, prevent, and respond to cybersecurity threats, and reduce the risk of unpatched systems being exploited by applying security patches and updates for operating systems, firmware, drivers, etc.

Developing the Guidelines

Following a ransomware attack on the Colonial Pipeline system last year that ended up shutting it down for days, the TSA issued a set of cybersecurity rules for pipeline operators and owners. However, the pipeline industry quickly pushed back, arguing that the rules were a one-size-fits-all approach and weren’t flexible enough.

As there are several ways pipeline operators can set up their systems and cybersecurity infrastructure, having a single set of rules was challenging for many in the industry. Operators also argued that the rules lacked an understanding of the intricacies of pipeline infrastructure and could even end up triggering further disruptions.

The new SD02C rules focus on security outcomes that the TSA expects from pipeline operators rather than the processes operators must follow to achieve those outcomes. In a July 21 statement, TSA Administrator David Pekoske said that new rules were developed after taking into account the concerns of pipeline operators.

“We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes,” he said.