TSA Issues Revised Security Directive Requirements for US Pipelines

On July 21, 2022, the United States Transportation Security Administration (TSA) announced that they have revised and reissued their Security Directive on oil and natural gas pipeline cybersecurity to focus more on performance-based measures. The original Security Directive was published in 2021 following the Colonial Pipeline incident which caused gas shortages across the southeastern United States.

As a reminder, TSA’s initial Security Directive required pipeline owners and operators to:

1. Report confirmed and potential cybersecurity incidents to CISA
2. Designate a Cybersecurity Coordinator to be available 24/7
3. Review current cybersecurity practices
4. Identify gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days

Critics of the 2021 Directive claimed that it was a one-size-fits-all approach and felt very reactionary since the TSA didn’t consult with industry leaders for input. This new version aims to encourage more public and private cooperation by incorporating variances that recognize the uniqueness of each company’s operations and infrastructure into their model.

As stated by TSA Administrator, David Pekoske, “TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements…We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”

The reissued Security Directive focuses on performance-based objectives, rather than prescriptive check boxes, to allow the industry to leverage the processes and technologies that are most appropriate for each company’s unique and dynamic environment. TSA’s new security outcomes for owners and operators of pipeline and liquefied natural gas facilities include:

1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa
2. Create access control measures to secure and prevent unauthorized access to critical cyber systems
3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations
4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology

Additionally, the TSA is requiring pipeline owners and operators to establish and execute a Cybersecurity Implementation Plan explaining how they will achieve these security outcomes, develop and maintain a comprehensive Cybersecurity Incident Response Plan and establish a Cybersecurity Assessment Program to regularly test and audit the effectiveness of cybersecurity measures.

For pipeline owners and operators to successfully attain these outcomes, they need to have the right people, process and technologies in place. A solid starting point for the industry will be choosing a cybersecurity standard to help operationalize these objectives for achieving cyber resilience. We always recommend using the NIST Cybersecurity Framework  or the CIS Controls because both technical stakeholders and executives can understand them.

Implementing the right OT cyber risk management foundation will ensure that pipeline owners and operators can identify, monitor and manage everything happening inside their operational technology infrastructure. Any technology investment should be reviewed carefully to confirm that it can enable these specific outcomes. A comprehensive solution will identify and baseline every asset, detect and report on security and operational events in endpoints and networks, and monitor and manage vulnerability and patch data using risk-based prioritization. For the user access control and network segmentation related objectives, pipeline owners and operators should also ensure that any OT monitoring technology they deploy is sophisticated enough to detect events such as successful/failed user login attempts, firewall rule changes, and user privilege changes.

With the expanding anxiety around cyberattacks targeting critical infrastructure over the past two years, it's clear that having strong cyber resilience plans in place has never been more important, and is going to be a non-negotiable objective for pipeline owners and operators in the 21^st century.