The Transportation Security Administration (TSA) has released a series of revisions to its security directive for oil and natural gas pipeline owners and operators, initially posted a year ago following the ransomware attack on Colonial Pipeline.
In the aftermath of the Colonial Pipeline incident that hobbled its operations for days, the TSA issued a series of directives requiring owners and operators to:
- Report significant cybersecurity incidents to CISA
- Establish a cybersecurity point of contact
- Conduct an annual cybersecurity vulnerability assessment
The additional requirements are:
- Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth in the security directive.
- Develop and maintain a Cybersecurity Incident Response Plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident.
- Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks and systems.
More TSA Directives
The security directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas facilities act to prevent disruption and degradation to their infrastructure. To achieve security outcomes, TSA directs owners and operators to:
- Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa.
- Create access control measures to secure and prevent unauthorized access to critical cyber systems.
- Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations.
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
TSA Gathers Input from CISA
According to the TSA, the security directive was developed with input from industry stakeholders and federal partners, including the Cybersecurity and Infrastructure Security Agency (CISA).
TSA Administrator David Pekoske explained that the directives are designed to be performance-based rather than prescriptive:
"The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements. We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes."