The Department of Homeland Security (DHS) has issued a memorandum detailing new cybersecurity rules for owners and operators of pipelines, a decision seen as a victory by the pipeline industry.
According to the new SD02C guidelines, pipeline owners and operators are required to “1) Establish and implement a TSA-approved Cybersecurity Implementation Plan; 2) Develop and maintain a Cybersecurity Incident Response Plan to reduce the risk of operational disruption; and 3) Establish a Cybersecurity Assessment Program, and submit an annual plan that describes how the Owner/Operator will assess the effectiveness of cybersecurity measures.”
Pipeline owners and operators must submit the Cybersecurity Implementation Plan for TSA approval 90 days after the effective date of the SD02C. Once TSA approves the plan, operators and owners must implement and maintain “all measures” within the plan’s schedule.
Developing the Guidelines
Following a ransomware attack on the Colonial Pipeline system last year that ended up shutting it down for days, the TSA issued a set of cybersecurity rules for pipeline operators and owners. However, the pipeline industry quickly pushed back, arguing that the rules were a one-size-fits-all approach and weren’t flexible enough.
As there are several ways pipeline operators can set up their systems and cybersecurity infrastructure, having a single set of rules was challenging for many in the industry. Operators also argued that the rules lacked an understanding of the intricacies of pipeline infrastructure and could even end up triggering further disruptions.
“We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes,” he said.