TSA Security Directive addresses OT cybersecurity, as it adopts performance-based rules for pipeline operators
In the wake of ongoing cybersecurity threats to pipeline systems, the U.S. Transportation Security Administration (TSA) updated on Wednesday its Security Directive regarding oil and natural gas pipeline cybersecurity, in its continued effort to reinforce cybersecurity preparedness and resilience for the nation’s critical pipelines. The agency uses this Security Directive to mandate TSA-specified owners/operators of pipeline and liquefied natural gas facilities to implement cybersecurity measures, in order to prevent disruption and degradation to their infrastructure.
The latest requirements, Security Directive Pipeline-2021-02D, are a continuation of the SD Pipeline-2021-02 series and cancel and supersede SD Pipeline-2021-02C, issued last July. The document continues to require the performance-based regulatory cybersecurity measures first issued by TSA on July 26, 2021, under the Security Directive Pipeline-2021-02 series. It has been developed with input from industry stakeholders and federal partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation (DOT), following the initial directive announced in July 2021, issued after the Colonial Pipeline attack, and renewed in July 2022.
The TSA specified that these cybersecurity measures expire on July 27, 2024.
“The goal of this Security Directive is to reduce the risk that cybersecurity threats pose to critical pipeline systems and facilities by implementing layered cybersecurity measures that demonstrate a defense-in-depth approach against such threats,” the TSA disclosed. “Recent and evolving intelligence emphasizes the growing sophistication of nefarious persons, organizations, and governments, highlights vulnerabilities, and intensifies the urgency of implementing and sustaining the requirements in this Security Directive series.”
The security directive is fairly similar to the cybersecurity amendment issued by the TSA in March this year on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced last October for passenger and freight railroad carriers. The agency had at the time called for developing network segmentation policies and controls to ensure that operational technology (OT) systems can continue to operate safely if an information technology (IT) system has been compromised, and vice versa.
Applicable to owners/operators of TSA-designated hazardous liquid and natural gas pipelines or liquefied natural gas facilities, the latest security directive notes that all owners/operators subject to these requirements have been previously notified by TSA. The latest revision maintains the requirement for owners/operators to enhance cyber resilience through the implementation of a TSA-approved Cybersecurity Implementation Plan (CIP).
Additionally, if the TSA identifies additional owners/operators with critical pipeline systems or facilities that were not previously subject to the SD Pipeline-2021-02 series, TSA will notify these owners/operators and provide specific compliance deadlines for the requirements of this SD, Stacey Fitzmaurice, executive assistant administrator for operations support at the TSA, wrote in the security directive.
TSA stated that owners/operators must establish and implement a TSA-approved CIP that describes the specific cybersecurity measures employed and the schedule for achieving the outcomes. They must also develop and maintain an up-to-date cybersecurity incident response plan (CIRP) to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, as defined in this Security Directive, should the IT and/or OT systems of a gas or liquid pipeline be affected by a cybersecurity incident.
TSA also sets new requirements for CIRP exercises: owners/operators must test at least two CIRP objectives (e.g., containment, segregation, security, and integrity of back-up data; and isolation of IT/OT) no less than annually, and must include employees identified by position as active participants in the exercises.
The agency also proposed developing a cybersecurity assessment plan and submitting an annual update, for approval, that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities. It also recommends filing an annual report that provides Cybersecurity Assessment Plan results from the previous year.
The Security Directive states that TSA significantly revised the Security Directive Pipeline 2021-02 series, initially issued in July 2021, to provide owners/operators with more flexibility to meet the intended security outcomes while ensuring sustainment of the cybersecurity enhancements accomplished through this Security Directive series. Cybersecurity experts from TSA and CISA contributed to the development of the measures in this Security Directive series to ensure the efficacy of the requirements in mitigating system vulnerabilities.
Some of the cybersecurity measures laid down by the TSA are that owners/operators must implement network segmentation policies and controls designed to prevent operational disruption to the OT system if the IT system is compromised or vice versa. As applied to critical cyber systems, these policies and controls must include a list and description of IT and OT system interdependencies; all external connections to the OT system; and zone boundaries, including a description of how IT and OT are defined and organized into logical zones based on criticality, consequence, and operational necessity.
Additionally, the agency calls for the identification and description of measures for securing and defending zone boundaries, which includes security controls to prevent unauthorized communications between zones; and prohibit OT system services from traversing the IT system, unless the content of the OT system is encrypted while in transit.
It also requires access control measures, covering both local and remote access, to secure and prevent unauthorized access to critical cyber systems. These measures must include identification and authentication policies and procedures designed to prevent unauthorized access to critical cyber systems, and must adopt multi-factor authentication, or other logical and physical security controls that supplement password authentication to provide risk mitigation commensurate with multi-factor authentication.
The security directive also requires owners/operators without critical cyber systems to reevaluate whether or not they have critical cyber systems in the event that they change their method of operations. If these methods have changed, the owner/operator must notify TSA and determine a schedule for complying with the SD’s measures to protect those systems. Additionally, a new section has been added to clarify that if an owner/operator needs to amend their TSA-approved CIP based on revisions to this Security Directive, a procedure must be followed.
Last month, David P. Pekoske, a representative of the TSA, testified before the House Homeland Security Subcommittee on Transportation and Maritime Security that the agency is working on a rulemaking to permanently codify crucial cybersecurity requirements for pipeline and rail transportation. The testimony came during a hearing on the U.S. administration’s TSA Fiscal Year 2024 Budget request.