Regulatory Submissions

APGA submitted comments to the Transportation Security Administration (TSA), responding to their second Security Directive (SD 02) that is still in draft. With both the first Security Directive (SD 01) and this latest proposal, TSA is requiring certain pipeline operators to implement cybersecurity measures that will be enforced by the agency. Given the importance of a resilient pipeline infrastructure, APGA appreciates the intent of TSA and is willing to work with them as the SDs are completed and implemented, which includes submitting comments that highlight concerns.

It appears that TSA used a risk-based approach in determining the pipelines that have to comply with SD 01 and SD 02, since only “critical facilities” must complete. However, in the actual requirements, there is little consideration for prioritization. In the natural gas supply chain, there are varying degrees of hazard, so the mandates overseeing all these aspects need to consider impacts should an incident occur. As well, APGA members have been managing threats on their systems in a risk-based way for many years, so there is experience with performance-based regulations. TSA also asks that all these new cybersecurity actions take place in unreasonable timelines. Importantly, APGA reminded its federal government partners that public natural gas utilities are unique, given they are community-owned and not-for-profit. Budgets are overseen by a city council, utility board, or other public officials. Technology upgrades that ensure secure infrastructure are considered when appropriate, but this requires significant time and conversation with their city leaders, oftentimes years in advance of execution.

In addition to the written response to draft SD 02, APGA participated in a call with TSA this Tuesday to further stress the challenges of SD 01, which is in effect, and the new proposal. APGA will continue to work with its members that have been asked to comply with these new SDs in encouraging TSA to take a risk-based approach in formulating cybersecurity mandates to be executed in reasonable timelines.