Addressing TSA’s Security Directive for Pipeline Owners/Operators
Update: On July 19, the Transportation Security Administration (TSA) released its second security directive for pipelines (SD-2021-02), the contents of which were made public by the Washington Post on October 3. While the first security directive focused on establishing key roles (e.g. cybersecurity coordinator), definitions, and responsibilities, the second security directive requires adherence to security controls that include multi-factor authentication, network segmentation, monitoring and filtering of traffic between networks, and much more. Pipeline owners/operators should evaluate their current OT and IT environments to ensure compliance with SD-2021-02. Forescout has mapped existing Forescout platform capabilities to SD-2021-02, which can be found here.
On May 28th, a new security directive by the Transportation Security Administration (TSA) went into effect. The directive requires pipeline owners and operators to designate a cybersecurity coordinator; report cyber incidents to the TSA and Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of discovery; and review current security practices against existing TSA guidance to identify gaps and develop remediation measures – results of this review must be reported to TSA and CISA within 30 days (June 27). These requirements – designating a cyber coordinator, incident reporting, and aligning practices to existing guidance – seem almost expected given recent events. There are, however, important nuances in the directive of which pipeline owners and operators should be aware.
Designating a Cybersecurity Coordinator
The requirement to designate a cybersecurity coordinator and an alternate is straightforward, and most pipeline companies will be able to meet it easily. The key is to designate someone with the ability and authority to “coordinate cyber and related security practices and procedures.” The designated cybersecurity coordinator must be sufficiently senior to implement organization-wide security measures and ensure their enforcement.
Mandatory Reporting to CISA – 12 Hours Upon Discovery
A mandatory reporting requirement was envisaged by many after recent events that impacted gas supplies on the eastern coast. TSA’s incident reporting requirement, while expected, is also expansive. Specifically, owners/operators must report to CISA every incident of “unauthorized access of an Information or Operational Technology (OT) system” and any cyber incident that “results in… or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases [emphasis added].” Further, when an incident report must be made, the directive requires the reporting of information that pipeline owners may not yet possess. The assumption is that owners/operators have the ability to retrieve this information, which includes: malicious IP addresses; malware; abuse of legitimate software or accounts; threat information, including the source of the threat or attack; and a description of the incident’s impact or potential impact on IT or OT systems, among other information. Arguably, the easiest part of the reporting requirement is the act of reporting itself. Beyond making the report, pipeline owners/operators must have visibility into both IT and OT environments in order to adequately remediate vulnerabilities and to provide TSA and CISA with the additional information these agencies expect.
Alignment with existing TSA Pipeline Security Guidelines
Within 30 days of the directive, owners/operators must review section 7 of TSA’s 2018 Pipeline Security Guidelines and report to TSA and CISA on whether current practices sufficiently align with the guidelines, identify gaps, and identify remediation measures to address known gaps. The section 7 guidelines list several cybersecurity measures categorized as either “baseline” or “enhanced”; which category applies depends on whether a pipeline’s cyber assets are classified as “critical” (enhanced security measures apply) or “non-critical” (baseline security measures apply). Making this classification assumes visibility of all cyber assets and ongoing awareness of both IT and OT systems and networks.
Actionable Next Steps
Because the definition of a cybersecurity incident is broad and includes the mandatory reporting of events that “actually, imminently, or potentially” impact the availability and integrity of both the information (data) and the system on which it resides, pipeline owners/operators must be ready to address known threats. Several information sharing and analysis organizations, such as the Downstream Natural Gas ISAC and the ONG-ISAC, and membership organizations (e.g. the American Gas Association) can assist pipeline owners/operators in staying abreast of the dynamic cyber landscape.
With regard to the technical security measures listed in section 7 of TSA’s security guidelines, there are many technologies that can adequately address the IT side of operations. OT environments are generally more sensitive to probing, so special attention needs to be paid to ensure operational disruptions do not occur. However, ensuring both IT and OT security is feasible, and there are existing examples of pipeline organizations achieving heightened levels of security in IT-OT converged environments. While the TSA directive does leave room for potential changes to its requirements, pipeline owners/operators may find great value in examining current practices now to ensure they are ready to embrace new directives for a more secure future that contemplates both IT and OT security from the start.