The Transportation Security Administration (TSA) has updated its directive for oil and natural gas pipeline cybersecurity, providing owners and operators more flexibility in achieving the outlined goals.
After a ransomware attack conducted by a Russia-linked cybercrime group forced Colonial Pipeline to shut down systems in May 2021, the TSA issued a directive requiring pipeline owners and operators to improve their defenses and work with authorities in the event of an attack.
However, those requirements, described as inflexible and confusing, posed serious problems for the pipeline industry. Organizations and experts in the pipeline and cybersecurity industries complained that some of the requirements appeared to be best practices designed for IT systems rather than operational technology (OT). Applying IT security principles directly to OT can cause significant operational disruptions and safety issues.
For example, one rule required resetting passwords on all industrial systems in a fairly short amount of time, a task far more difficult in the case of OT systems than in the case of IT.
Politico reported in May that problems like these led to many pipeline organizations requesting workarounds and more time to comply, their requests overwhelming the TSA’s cybersecurity team.
The latest version of the security directive, named Security Directive Pipeline-2021-02C, which goes into effect on July 27 and expires on the same date in 2023, aims to address many of these issues by providing owners and operators more flexibility.
The TSA says the new rules, which have been developed based on the feedback received from the industry, focus on “performance-based – rather than prescriptive – measures to achieve critical cybersecurity outcomes.” These outcomes include developing network segmentation policies and controls to ensure the safety of OT in case of an IT compromise, and creating access control measures to prevent unauthorized access to critical systems.
Pipeline organizations are also required to build continuous threat and anomaly monitoring and detection policies and procedures, as well as to reduce the risk of exploitation of unpatched systems.
Organizations also need to have plans for cybersecurity implementation and incident response, and they must have a cybersecurity assessment program to proactively test and audit the effectiveness of their cybersecurity measures.
“Perhaps what comes through most strongly is that TSA is seeking to provide greater choice in the methods operators use to enhance cybersecurity. While this idea was already present in last year’s draft regulations, under the name of ‘alternative methods’, this idea—now called ‘compensating controls’—has become central to the protections required,” commented Duncan Greatwood, CEO of Xage, a company that helps secure critical infrastructure.
“The TSA is saying that any critical infrastructure element that lacks strong built-in security (which is often the majority of operational assets) won’t need to be uprooted. Instead, these critical assets will need ‘compensating controls’ to protect them—in other words, a way to protect vulnerable assets that makes up for their lack of built-in security capabilities.
“A few months ago, the TSA approved a compensating control for one of the largest oil and gas pipeline operators in North America. The operator adopted access controls via a mesh overlay, allowing them to roll out a zero trust solution across 750+ sites without any impact to their existing 5000+ operational technology assets. Approval of this strategy demonstrated TSA’s willingness to assess and approve compensating controls that achieve that ultimate objective of cyber hardening the oil & gas pipeline infrastructure,” Greatwood added.
Ben Miller, VP of services at industrial cybersecurity firm Dragos, applauded the government for creating new directives that are based on collaboration with industry stakeholders.
“The new focus on performance-based, rather than prescriptive, measures to achieve strategic cybersecurity outcomes and to accommodate differences in systems and operations will help support the distinct needs and challenges of the sector and of individual companies. In addition, TSA will partner and work with owners and operators to set dates and other decisions, making it a conversation rather than a command, and help to refine tactical execution. Further, the focus on continuous monitoring and auditing to assess the achievement of outcomes, as well as the approval to use compensating controls, represents a major improvement for all pipeline owners and operators,” Miller said via email.
The TSA also announced that it intends to start the formal rulemaking process, which opens up the security directives to public comment.
“This is key to any successful regulatory framework and a welcome addition to the directives,” Ron Fabela, CTO of OT cybersecurity firm SynSaber, told SecurityWeek.
Jim Guinn, senior managing director and global cybersecurity industry groups lead at Accenture, said the latest directive modification provides pipeline owners and operators the flexibility they need to personalize their defense strategy and become more resilient.
“While we are making progress, there is still room to improve, including maintaining evergreen asset inventories and information sharing practices for alternative measures, which will result in better ways to secure the entire energy value chain,” Guinn said.
While the new security directive makes a better distinction between IT and OT, there are still some issues that need to be addressed.
“The previous security directive requirements are still in effect until an approved Cybersecurity Implementation Plan (CIP) is in place. Although plans must be submitted within 90 days, there is no timeline on when approvals will occur, so there’s still a careful balancing act of time, resources, and risk to operations in rapidly executing the requirements as well as the compliance management overhead of tracking such actions and justifications,” said SynSaber’s Fabela. “For instance, the previous directive mandated a complete password reset of OT (operating technology) systems while the new directive simply requires a plan that includes ‘A schedule for memorized secret authenticator resets’.”
“What this means for the industry is detailed consideration for what is included and approved within their implementation plans. Understanding the nuance of pipeline operations and fighting for measurable and attainable requirements that do not disrupt operations will be a challenge as these directives move towards audit review by TSA,” Fabela added.
Thomas Pace, CEO of XIoT cybersecurity firm NetRise and former DoE head of cybersecurity, pointed to what he described as a key component in the updated guidelines: patching firmware vulnerabilities on critical cyber systems.
“At this point, most oil & gas operators lack the visibility into what firmware is actually running on their XIoT systems, let alone what vulnerabilities those devices house. Unlike IT systems, XIoT devices are often running a variety of vulnerabilities unknown to both the operators who run them and manufacturers that build them,” Pace explained. “For this to be a realistic ask of oil & gas operators, TSA and CISA need to rally around trusted tools to scan firmware for vulnerabilities and create more information sharing through required software bill of materials (SBOMs) to make sure everyone’s eyes are wide open.”