December 2023, Vol. 250, No. 12

Guest Perspective

Implementing the New Pipeline Security Directive

By Jeffrey Wells, Partner, Sigma7 

(P&GJ) — The digital era has ushered in unprecedented opportunities and new vulnerabilities that can create ripple effects across our nation’s critical infrastructure. Nowhere is this more evident than in our essential pipeline systems. 

The introduction of Security Directive Pipeline-2021-02D (SD-02D) by the Transportation Security Administration (TSA) is not just another regulatory compliance demand; it’s a clarion call. It’s about safeguarding the lifelines of our economy — our way of life. 

Are you an asset owner or operator in this essential sector? Then this directive signals a pivotal moment to act, adapt and fortify. Your proactive engagement today shapes the resilience of tomorrow. With its introduction — effective July 27 — a roadmap has been set forth for asset owners and operators to heighten their cybersecurity preparedness.

SD-02D aims to reduce the risks posed by cybersecurity threats by implementing layered cybersecurity measures. Developed in collaboration with industry stakeholders and federal partners — like the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation (DoT) — the directive continues to require performance-based regulatory cybersecurity measures. 

The update seeks to provide flexibility to owners/operators and ensure the efficacy of requirements in mitigating system vulnerabilities. It also emphasizes network segmentation, zone boundary security, multi-factor authentication and procedures for changes in critical cyber systems. 

Why SD-02D Matters 

SD-02D is a partial overhaul but also a strategic enhancement, focusing on critical areas like network segmentation, multi-factor authentication, regular cybersecurity assessments and actionable incident response plans. It’s an incremental yet significant step towards a resilient infrastructure, reflecting the need for a collaborative, community-driven approach. 

Key requirements: 

  • Revisit your system designations: asset owners/operators must be ready to justify their decisions on specific system designations, aligning with TSA’s requirements. 
  • Commit to cybersecurity exercises: annual exercises are mandatory, bringing real-world scenarios into training environments. 
  • Implement a robust assessment schedule: a systematic yearly plan must be implemented, with regular reporting to the TSA.
  • Develop cybersecurity implementation plans (CIP): detail your cybersecurity measures and timelines, ensuring compliance with TSA-approved standards.
  • Ensure an up-to-date incident response plan (CIRP): critical to mitigating risks, your CIRP must be current and comprehensive. 
  • Embrace a collaborative approach: actively involve employees in annual exercises and objectives, for a holistic understanding of potential scenarios. 
  • Regularly assess cybersecurity measures: regular assessments and annual reporting maintain transparency and accountability. 
  • Adopt network segmentation policies: delineate your IT and OT systems, to maintain integrity and prevent disruptions. 
  • Strengthen access control measures: secure your cyber systems with proven methods, like multi-factor authentication. 
  • Adapt to changes in operations: if your operations evolve, reevaluate your critical systems promptly. 
  • Follow the right procedures to amend TSA-approved CIP: adhere to the proper protocols in amending your CIP, based on changes to the directive. 

The Time to Act is Now 

This directive is not a mere regulatory update; it’s an opportunity for asset owners and operators to reinforce their commitment to national security. Collaboration with federal partners like CISA and DoT makes this a concerted effort to protect against evolving cybersecurity threats. 

SD-02D calls on us to invest in our critical infrastructure’s ongoing resilience and security. This is a shared responsibility, rather than a mere compliance requirement. We stand for our nation’s integrity, security and future by embracing these guidelines.

In the face of a dynamic and increasingly complex threat landscape, let’s make SD-02D not just a document but a living, actionable commitment. The future of our security depends on our collective action today. Act now, be prepared and build a secure tomorrow. 
