Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

The Transportation Security Administration is locking in a pair of pipeline directives for additional years ahead of the looming White House transition.

In a posting to the Federal Register on Friday, the Department of Homeland Security component said it ratified the Security Directive Pipeline-2021-01 series and the Security Directive Pipeline-2021-02 series and would extend the requirements of each for another year, with some amendments made to the latter to "strengthen their effectiveness and provide additional clarity."

The cybersecurity requirements on pipeline owners came in the aftermath of the 2021 ransomware attack on Colonial Pipeline, which temporarily paused operations for one of the country's primary delivery services of gasoline.

At the time, TSA threatened to fine pipeline owners that failed to meet specific cybersecurity guidelines, while mandating new reporting procedures for cyber incidents.

Since those initial directives were issued, threat actors have targeted other transportation networks in the United States, including freight and passenger railroads and other railway systems. The intelligence community has also assessed that Chinese-sponsored hackers have been inside U.S. critical infrastructure networks for years, and ransomware attacks on those systems are likely to increase.

In light of those issues and other lingering geopolitical threats such as the Russia-Ukraine war, TSA said in Friday's posting that updates and extensions to the pipeline directives were necessary. The amendments to the requirements in the directives are focused on strengthening their effectiveness and addressing emerging cyber threats, TSA said.

The agency is also shifting the mandates in Security Directive Pipeline-2021-02 "to be more performance-based and less prescriptive," the posting states. "The performance-based approach enhances security by mandating that critical security outcomes are achieved while allowing owner/operators to choose the most appropriate security measures for their specific systems and operations."

Going forward, pipeline owners/operators will be required to create and institute a TSA-approved cybersecurity implementation plan and maintain a cybersecurity incident response plan. Another requirement involves the development of a cybersecurity assessment program and annual submissions that assess the effectiveness of cyber measures, among other provisions.

Representatives of the rail and pipeline industry have criticized TSA's cyber directives as overly onerous. During a November 2024 House Homeland Security Subcommittee on Transportation and Maritime Security hearing, those representatives found plenty of sympathy from Republicans, signaling what will likely be a willingness in the next administration to decrease industry-perceived regulatory burdens.