A year after the Transportation Security Administration (TSA) updated its requirements for pipeline owners and operators to improve their defenses against cyberattacks in the wake of the Colonial Pipeline debacle, the agency has released an updated version with additional cybersecurity requirements.
Owners and operators will now be required to "enhance cyber resilience through implementation of a TSA-approved Cybersecurity Implementation Plan (CIP)," along with testing of at least two objectives in the proposed plans.
TSA administrator David Pekoske said that while earlier versions of the policy required these processes and plans to be developed, owners and operators are now required to actually test the plans and evaluate them. The plans, a schedule for assessing and auditing those cyber measures, and a report of the previous year's assessment will all have to be submitted annually.
All of the existing requirements, such as reporting significant cyber-related incidents to CISA, designating a point of contact, and conducting a vulnerability assessment, will also remain in place.
These changes continue to roll in years after the Colonial Pipeline hack, which exposed severe cyber vulnerabilities in critical infrastructure that threat actors are all too willing to take advantage of.
"This revision retains the transition to a more flexible, performance-based approach requiring all Owner/Operators to submit a Cybersecurity Implementation Plan for TSA approval. All currently identified critical Owner/Operators have a TSA-approved Cybersecurity Implementation Plan in place," stated the US Department of Homeland Security memorandum.