The ransomware attack on the Colonial Pipeline, a petroleum pipeline, in May of 2021 highlighted the urgent need to protect critical pipeline infrastructure from cyber security threats. In response, the Department of Homeland Security issued its first two security directives for owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas. Because the threat posed to pipelines has evolved and intensified since this attack, the Transportation Security Administration (TSA) revised and reissued its security directive on oil and natural gas pipeline resiliency in 2022. The directive establishes a new, flexible model that accommodates variance in systems and operations to meet security requirements with fewer prescriptive rules while encouraging innovation and customization.
To recap, previous directives required TSA-specified owners and operators of pipeline and liquefied natural gas facilities to:
- Report confirmed and potential cyber security incidents to the Department’s Cybersecurity and Infrastructure Security Agency (CISA).
- Designate a Cyber security Coordinator to be available 24 hours a day, seven days a week.
- Review current practices.
- Identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
- Implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems.
- Develop and implement a cyber security contingency and recovery plan.
The reissued security directive takes an innovative, performance-based approach to enhancing security, making use of new technologies and adapting better to changing environments. Operators have the freedom to customize cyber security programs rather than simply adopt enumerated controls. However, some safeguards must be included in an organization’s cyber security plan: segmentation of OT and IT systems so that if one is compromised it doesn’t disturb the other, multifactor authentication and access control measures for employees, continuous security monitoring and detection, and security patch management. Organizations must take action to prevent disruption and degradation of their infrastructure by achieving the following:
- Network segmentation policies and controls that ensure the OT system can continue to safely operate if an IT system is compromised, and vice versa.
- Control measures to secure and prevent unauthorized access to critical cyber systems.
- Continuous monitoring and detection policies and procedures to detect cyber security threats and correct anomalies that affect critical cyber system operations.
- Reduced risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.
While the new directive relaxes more rigid regulations, it stresses that organizations must address potential IT and OT system threats and requires pipeline owners and operators to:
- Establish and execute a TSA-approved Cyber security Implementation Plan that describes the specific cyber security measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth in the security directive.
- Develop and maintain a Cyber security Incident Response Plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident.
- Establish a Cyber security Assessment Program to proactively test and regularly audit the effectiveness of cyber security measures and identify and resolve vulnerabilities within devices, networks, and systems.
How SecurityGate can help
Ensuring compliance with TSA pipeline security directives can be painstaking, but the SecurityGate Platform incorporates the TSA’s directives and guidance documents to simplify adherence for pipeline owners and operators. Users can simply log in to their account and click on the icon in their dashboard to begin running a Q&A framework-based assessment.
Users will then walk through a set of questions associated with each section of the framework. Taking this assessment in a digital format in the SecurityGate Platform ensures company controls will be assessed in a consistent manner without staff having to hunt for a physical binder containing all the information or worrying that a computer file might be out of date.
Each question is mapped to a set of linked controls to help identify associated risks and tie them to our People Process and Technology (PPT) Insight, which highlights missing controls and shows where to make improvements. The cloud-based SecurityGate Platform, in combination with the critical infrastructure expertise of our team, ensures that all the assessment data is saved in a centralized location to make it easy for operators to secure their critical infrastructure and meet TSA directives.
As the cyber security landscape continues to evolve, companies must adapt to address new and emerging threats. Organizational collaboration and sharing of information around securing critical infrastructure will foster innovative approaches to safeguarding pipeline operations from rising cyber threats, better protecting our national and economic security. As more directives are released, our team will maintain our library of out-of-the-box cyber assessments and frameworks for pipeline operators and other industries.