A revised Security Directive from the Transportation Security Administration (TSA) focuses on giving oil and natural gas pipeline owners more flexibility in meeting cybersecurity requirements by relying on “performance-based,” rather than “prescriptive,” measures.
The TSA, which is part of the DHS, had previously outlined an updated Security Directive in July 2021 on the heels of the Colonial Pipeline ransomware attack in May 2021. However, a Politico report in March outlined struggles by pipeline operators that were trying to comply with this original directive, which they said pushed security practices developed for information technology systems rather than operational technology (OT) systems. TSA Administrator David Pekoske said that the department has since worked with the pipeline industry to address these issues before reissuing the latest Security Directive, which goes into effect on July 27.
“The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” said Pekoske in a statement last week. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.”
These security outcomes include the development of network segmentation policies and controls to make sure systems can still safely operate if they have been compromised; the creation of access control measures to prevent unauthorized access; the buildout of monitoring and detection policies to sniff out any threats; and the application of security updates for systems “in a timely manner using a risk-based methodology.”
In order to meet these outcomes, operators are required to establish a Cybersecurity Implementation Plan, approved by the TSA, which outlines the specific security measures in place. They must also develop an incident response plan that includes the steps that the operators will take in the event of a security incident that causes operational or business disruption. Finally, they must create a Cybersecurity Assessment Program that helps proactively test and audit the effectiveness of these security measures and identify flaws across devices, networks and systems.
The outcry against the previous directive highlights, in part, the very different environmental factors that OT systems face compared to IT systems. For instance, the cost of downtime on critical systems and the complexity of legacy equipment often complicate patch management. The previous directive said that pipeline operators could request permission to use their own techniques if these security requirements were unattainable. However, according to the Politico report, this quickly led to a backlog, due in part to an unanticipated volume of requests and limited staffing at the TSA.
The new directive is worded to give operators more flexibility in dealing with these factors. For instance, when it comes to applying multi-factor authentication or other security controls to improve password authentication, “if an owner/operator does not apply multi-factor authentication for access to industrial control workstations in control rooms regulated under 49 CFR parts 192 or 195, the owner/operator shall specify what compensating controls are used to manage access,” the new directive states.
“In general, it appears that the TSA listened to the feedback provided by the industry on the prior security directive, and moved this recent directive towards a more objective set of achievable requirements rather than prescriptive,” said Marty Edwards, vice president of Operational Technology Security at Tenable. “However, it still appears that there are a number of fairly prescriptive requirements that pipeline operators will be required to comply with. This is an incredibly difficult balance to try to get right, and from my perspective, the TSA has done a reasonable job with this new set of security measures.”
In the fourteen months since the Colonial Pipeline attack, the pipeline sector has faced an “evolved and intensified” security threat, reinforcing the need for improved security measures, said the TSA. Edwards said the “bottom line” is that investment needs to continue in OT cybersecurity, both in the pipeline sector and across all critical infrastructure sectors.
“While the threat landscape is still very diverse, I still believe that the most significant risk that pipeline operators face is the threat of criminal ransomware operators impacting their production,” said Edwards. “Ensuring a baseline standard of care and implementing basic cybersecurity protections goes a long way to prevent these types of attacks from succeeding.”