Ratification of Security Directive

AGENCY:

Office of Strategy, Policy, and Plans, Department of Homeland Security (DHS).

ACTION:

Notification of ratification of directive.

SUMMARY:

DHS is publishing official notice that the Transportation Security Oversight Board (TSOB) has ratified Transportation Security Administration (TSA) Security Directive Pipeline-2021-01, which is applicable to certain owners and operators (Owner/Operators) of critical pipeline systems and facilities and requires actions to enhance pipeline cybersecurity.

DATES:

The ratification was executed on July 3, 2021, and took effect on that date.

FOR FURTHER INFORMATION CONTACT:

John D. Cohen, DHS Coordinator for Counterterrorism and Assistant Secretary for Counterterrorism and Threat Prevention, DHS Office of Strategy, Policy, and Plans, (202) 282-9708, john.cohen@hq.dhs.gov.

SUPPLEMENTARY INFORMATION:

I. Background

A. Ransomware Attack on the Colonial Pipeline Company

On May 8, 2021, the Colonial Pipeline Company announced that it had halted its pipeline operations due to a ransomware attack. This attack temporarily disrupted critical supplies of gasoline and other refined petroleum products throughout the East Coast of the United States. Cybersecurity incidents affecting surface transportation systems, including pipelines, are a growing threat. The cyber-attack on Colonial Pipeline and resulting disruption of gasoline supplies to the East Coast demonstrate how criminal cyber actors are able to disrupt pipeline systems and networks in ways that threaten our national and economic security.

B. TSA Security Directive Pipeline-2021-01

On May 27, 2021, the Senior Official Performing the Duties of the TSA Administrator issued Security Directive Pipeline-2021-01 (security directive) requiring Owner/Operators of critical pipeline systems and facilities to take crucial measures to enhance pipeline cybersecurity. TSA issued this security directive in accordance with 49 U.S.C. 114(l)(2)(A), which authorizes TSA to issue emergency regulations or security directives without providing notice or public comment where “the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security. . . .” TSA took this emergency action in response to the attack on Colonial Pipeline, which demonstrated the significant threat such attacks pose to the country's infrastructure and its national and economic security as a result. The directive became effective on May 28, 2021 and is set to expire on May 28, 2022.

This security directive seeks to immediately enhance the cybersecurity of critical pipeline systems and facilities by requiring covered Owner/Operators to take three crucial actions to enhance pipeline cybersecurity. First, it requires TSA-specified Owner/Operators of critical pipelines to promptly report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). Second, it requires those Owner/Operators to designate a Cybersecurity Coordinator who must be available to TSA and CISA at all times to coordinate cybersecurity practices and address any incidents that arise. Third, it requires Owner/Operators to review their current cybersecurity practices against TSA's Pipeline Security Guidelines related to cybersecurity and to assess cyber risks, identify any gaps, and develop necessary remediation measures, along with a timeline for achieving them.

II. TSOB Ratification

TSA has broad statutory responsibility and authority to safeguard the nation's transportation system, including pipelines. The TSOB—a body consisting of the heads of various interested Cabinet agencies, or their designees, and a representative of the National Security Council—reviews certain regulations and security directives consistent with law. Security directives issued pursuant to the procedures in 49 U.S.C. 114(l)(2) “shall remain effective for a period not to exceed 90 days unless ratified or disapproved by the Board or rescinded by the Administrator.” The chairman of the TSOB convened the Board for review of TSA Security Directive Pipeline-2021-01. Following its review, on July 3, 2021, the TSOB ratified the security directive.