News

New TSA Pipeline Security Directive

On Friday, July 23, 2022, the Transportation Security Administration (TSA) issued Security Directive Pipeline 2021-02C (SD-02C). SD-02C has three main components and takes effect on July 27, 2022.

SD-02C focuses on performance-based – rather than prescriptive – measures to achieve TSA’s identified cybersecurity outcomes (i.e., TSA does not mandate the specific mechanisms to achieve the outcomes). SD-02C’s key elements are summarized below:

• Affected pipeline operators are those notified by TSA that their pipeline system or facility is critical. In other words, the same pipeline operators that have been implementing TSA’s previous Security Directives since mid-2021 must now implement SD-02C.

• In pertinent part, SD-02C requires affected operators to: (1) develop and implement a TSA-approved Cybersecurity Implementation Plan; (2) establish a Cybersecurity Incident Response Plan; and (3) implement a Cybersecurity Assessment Program.

• Affected operators must submit a Cybersecurity Implementation Plan to TSA for approval no later than October 25, 2022 (i.e., 90 days from the July 27, 2022 effective date). Once TSA approves an affected operator’s Cybersecurity Implementation Plan, TSA will inspect against it to determine compliance.

• Affected operators must develop and submit a Cybersecurity Assessment Program to TSA no later than 60 days from the date that TSA approves the operator’s Cybersecurity Implementation Plan.

• SD-02C supersedes previously issued Security Directives but affected operators must continue to implement Security Directive 2021-02B until a Cybersecurity Implementation Plan is submitted to, and approved by, TSA.

MTSA Cyber FAQs

The Coast Guard previously published Navigation and Vessel Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities as guidance for complying with Maritime Transportation Security Act (MTSA) cybersecurity requirements. As part of that initiative, the Coast Guard has published a Frequently Asked Questions (FAQ) document supporting NVIC 01-20 and cyber inclusion in Facility Security Plans (FSPs).

As the Coast Guard continues to work with its Facility Inspectors in the field and maritime industry stakeholders, it will continue to update the FAQs based on feedback.

MSIB: Cybersecurity Awareness and Action

The Coast Guard Assistant Commandant for Prevention Policy has published Marine Safety Information Bulletin (MSIB) 02-22: Cybersecurity Awareness and Action.

In MSIB 02-22, the Coast Guard provides that, in accordance with the Cybersecurity and Infrastructure Security Agency’s “Shields Up” guidance, every organization should have documented thresholds for reporting potential cyber incidents to senior management and the U.S. Government. In this heightened threat environment, the Coast Guard states that these thresholds should be significantly lower than normal.

MSIB 02-22 reminds Maritime Transportation Security Act (MTSA)-regulated facilities that they are required to report breaches of security and suspicious activity to the National Response Center (NRC) at 1-800-424-8802.

The Coast Guard also recommends contacting its Cyber Command for technical support that may help MTSA-regulated facilities prepare for or respond to a cyber-incident. Cyber Command’s 24×7 watch can be reached at 202-372-2904 or [email protected].

National Maritime Security Advisory Committee Meeting

The National Maritime Security Advisory Committee will meet on May 3^rd and 4^th 2022 to review and discuss matters relating to national maritime security, including enhancing the sharing of information related to cybersecurity risks that may cause a Transportation Security Incident between relevant Federal agencies and state and local governments, public safety and emergency response agencies, law enforcement, maritime industry, port owners and operators, and facility owners and operators.

During the meeting, among other topics, the Committee will provide feedback on cyber vulnerability assessments that are being conducted within the industry and provide input to support further development of the Maritime Cyber Risk Assessment Model.

TWIC Reader Rule Update

In response to industry and other concerns regarding the Transportation Worker Identification Credential (TWIC) Reader Rule, the United States Coast Guard (USCG) contracted with the RAND Corporation to conduct a second TWIC Reader Rule assessment. This assessment, which is nearing completion and will be shared with industry in the June 2022 timeframe, will (again) assess the TWIC Reader Rule’s costs, benefits, and overall risk reduction. The USCG could use the RAND Report as the basis for additional regulatory changes.

Against this backdrop, and with the May 8, 2023 compliance deadline looming, industry widely expects the USCG to exercise regulatory flexibility. As a result of compliance uncertainty since the USCG first published the TWIC Reader Rule in August 2016 among other reasons, the USCG understands that many affected facilities require more time to comply (and/or implement strategies to reduce the compliance burden). For its own part, the USCG also recognizes the need to raise awareness regarding the technical aspects of the rule. To support these efforts and increase dialogue on these topics, the American Chemistry Council and the American Fuel & Petrochemical Manufacturers hosted the 8^th Coast Guard District Commander and other senior USCG personnel at a Louisiana chemical facility in March 2022. The success of the event will spur future engagements.

Updated CFATS Compliance Inspection Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) recently updated internal guidance regarding additional areas of focus that its Chemical Security Inspectors may address during Chemical Facility Anti-Terrorism Standards (CFATS) Compliance Inspections. While the scope and level of detail may still vary from Inspector-to-Inspector, facilities can expect increased attention in the following areas:

• Cyber – A more detailed review of the facility’s critical cyber systems, including those that may be used to handle, manage, or order Chemicals of Interest (COIs) or control and monitor Closed-Circuit Television (CCTV) camera and electronic access control systems. It is suggested that facilities have local and/or corporate IT representatives available or “on call” to answer questions.

• Background Checks – Confirmation that “affected persons” have been screened for “terrorist ties.” If using Option 1, this may include checking the facility’s “affected persons” against the list of names uploaded to the Personnel Surety Portal in the Chemical Security Assessment Tool (CSAT).

• Detection and Response – A review of COI inventory controls, process safeguards, alarming and monitoring equipment, and/or automated mitigation measures, as applicable, to verify that the facility can promptly detect and respond to a COI release or theft.

Facilities should still be prepared to address other CFATS compliance areas, including physical security measures (e.g., fencing, gates, etc.), recordkeeping, and training.