TSA Cyber Directive
International Liquid Terminals Association


A respected industry publication for ILTA members, this monthly newsletter highlights legislative and regulatory activities affecting terminal facilities. It also provides news on recent business development within the terminal industry, including new construction, expansions, acquisitions and additions to ILTA's membership, as well as important information about ILTA's committee meetings, conferences and training events. ILTA also offers ILTA News Plus to members. This publication, sent on weeks that ILTA News is not published, aggregates industry and member news.

Michael Stroud


In May 2022, the Transportation Security Administration (TSA) issued a Security Directive for Pipelines, generally referred to as SD02B. The goal of the May 2022 security directive was to prescribe efforts that owners and operators of hazardous liquid and natural gas pipelines or liquefied natural gas (LNG) facilities needed to implement to improve cybersecurity awareness, reporting, and preparedness.

SD02B placed three general obligations on the entities contacted by TSA. First, the TSA-identified owners and operators of covered hazardous liquid and natural gas pipelines and LNG facilities were required to report specific cybersecurity incidents to the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Second, the security directive required the applicable owners and operators to designate a Cybersecurity Coordinator who is available to TSA and CISA around the clock (i.e., 24 hours a day and 7 days a week). Third, the security directive required impacted owners and operators to reconcile their systems and activities against those recommended by TSA for cyber risk assessment, identify gaps, develop remediation plans, and report the results to TSA and CISA.

In July 2022, TSA decided to issue another security directive, this one called Security Directive Pipeline-2021-02C or SD02C. While on its face SD02C looks extremely similar to its May 2022 predecessor, there are key differences. The main one is that SD02C is performance-based rather than prescriptive as to the technique or solution required by TSA, and it contains specific action items and deadlines.

Of greatest importance to ILTA Members is that SD02C now requires impacted owners and operators to develop a TSA-approved Cybersecurity Implementation Plan (CIP), establish a cyber incident response plan, and implement a cybersecurity assessment program, with annual plan submission required to maintain the effectiveness of the cybersecurity program.

SD02C contains a strict schedule for compliance – 90 days to file the CIP for TSA approval. In addition to having the CIP approved by TSA, the new SD02C requires TSA to inspect the impacted facilities to assess compliance with the approved CIP. In other words, TSA is requiring impacted facilities to submit their homework and TSA will be checking it for accuracy and completeness. Finally, once the CIP is approved by TSA, the impacted owners and operators must develop and submit a Cybersecurity Assessment Program (CAP) to TSA no later than 60 days from the date that TSA approves the CIP. The CAP is intended to ensure that the CIP is routinely evaluated and updated.

ILTA convened a Work Group to address concerns on this and other cybersecurity issues. The cyber work group will also develop comments on the anticipated cybersecurity rulemaking from TSA, which will likely incorporate SD02C and any relevant aspects of SD02B.
