This article has been co-authored by summer associate Ross Weiser.
Last week, the Transportation Security Administration (TSA) announced, but did not release to the general public, a second Security Directive in response to the cybersecurity threats to U.S. pipeline companies that were the focus of public attention after the ransomware attack on the Colonial Pipeline. These Directives apply to “owners and operators of hazardous liquid and natural gas pipelines and liquified natural gas facilities that have been notified by TSA of such designated status.” The Directive apparently establishes additional requirements for such owners and operators, requiring them to implement specific security measures and to complete certain higher-level security planning and review functions.
The First Directive
The first Directive, released in May, focused mostly on incident notification requirements and cybersecurity review protocols. It required the TSA-notified owners and operators to:
- report certain categories of cybersecurity incidents to CISA within 12 hours of discovery;
- designate a Cybersecurity Coordinator to be available 24/7 to discuss incidents with government officials;
- review current cybersecurity defenses and practices; and,
- identify any vulnerabilities and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
The Second Directive
The new, second Directive apparently adds further layers of more specific security implementation protocols pertinent to the implicated critical infrastructure. The DHS release appears to allude to more granular security specifications. While DHS has not yet released the Directive, it did publicly disclose three high-level requirements for TSA-notified pipelines. The companies must:
- implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems;
- develop and implement a cybersecurity contingency and recovery plan; and,
- conduct a cybersecurity architecture design review.
Federal trendlines in increasing mandatory requirements
The first point is particularly noteworthy, as it signals a growing willingness amongst federal authorities to more directly prescribe specific security techniques. Coming on the heels of the recent Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028), the Securities and Exchange Commission’s forthcoming consideration of additional cyber disclosure requirements, and recent announcements on the Hill about ransomware legislation, the government, in short order, has set in motion several processes that will result in specific implementation demands on the security staff of private companies. The value of prescriptive requirements has been a hotly debated issue in Washington: adversary techniques evolve in response to defender capabilities, and detailed prescriptions risk becoming irrelevant in a fast-moving environment. Whether such a regulatory misfit will arise here depends heavily on the content of the requirements, but interested parties should watch the evolution of these requirements and the consideration of similar mechanisms on Capitol Hill, which could expand the scope of initiatives currently focused on a more limited portion of critical infrastructure owners and operators.
Proliferation of Applicable Frameworks
Finally, in the wake of the release of the second Directive, the GAO has noted that the TSA will also be updating its “Pipeline Cyber Asset Security Measures” found in its “Pipeline Security Guidelines.” These “Measures” articulate baseline and enhanced steps that the Guidelines suggest across key categories established by yet another voluntary piece of guidance, the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The GAO asserts that these Guidelines lack “several known mitigation strategies for current cyber threats, including ransomware attacks.” It is currently not clear how such updates might interact with the content of the second Directive. If nothing else, it may be prudent for the TSA to sharpen its own guidance, lest its breadth lead to inactionable complexity, such as the direction for pipeline operators to “consider the approach outlined in the NIST Framework and the guidance issued by DHS and the Department of Energy along with industry-specific or other established methodologies, standards and best practices.” The TSA has now entered the realm of regulatory mandates, and it would therefore be helpful to the private sector if it were to reconcile some of these legacy pronouncements.
For now, this second Security Directive is yet another entry on the list of overlapping federal resources, but it is more noteworthy for its prescriptive character. Yet, for those in the general public wishing to compare this new Directive with the other relevant resources mentioned above, relief is not in sight. As of the date of publication, the Directive still has not been publicly released. We will monitor for its potential release, and related developments, and share relevant updates.