The Transportation Security Administration (TSA) on July 20, 2021, reversed two decades of pipeline cybersecurity policies.1 Having previously advocated for voluntary pipeline cybersecurity standards, the TSA quickly issued mandatory cybersecurity rules on owners and operators of pipelines (hereinafter, pipeline companies) in response to the Colonial Pipeline ransomware attack.2
The latest TSA security directive (Second Directive) was deemed sensitive and was shielded from public disclosure. What is publicly known about the Second Directive is that it requires pipeline companies to immediately implement mitigation measures to protect against cyberattacks, to develop a cybersecurity contingency and recovery plan, and to conduct a cybersecurity architecture design review. These new mandatory cybersecurity rules are backed up with fines, which could be as high as $11,904 per day, per violation.3
These new mandatory rules appear to be burdensome and may not be readily attainable.4 Nevertheless, more cybersecurity rules and regulations are likely to follow. Pipeline companies should immediately assess their cybersecurity policies and procedures. Revising such policies and…
