Image: A pipeline in Coldfoot, Alaska. Credit: John Loo via Flickr

TSA renews cybersecurity guidelines for pipelines

The Transportation Security Administration (TSA) renewed cybersecurity regulations on Thursday for the operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities.

The agency first issued security directives in 2021 after the ransomware attack on Colonial Pipeline dominated headlines and caused a week-long run on gasoline along the East Coast. The attack kickstarted wide-ranging government efforts to better protect critical infrastructure. In May 2022, TSA reissued the guidelines for critical pipelines after they expired.

The renewed guidelines contain minor changes but largely mirror the previous rules instituted after the Colonial Pipeline attack. Most of the changes close loopholes in the regulations or provide operators with increased flexibility in terms of how they protect their sites.

But the bulk of the directive is the same. Operators must confirm to TSA that they have instituted a range of cybersecurity measures, including an incident response plan, the creation of a cybersecurity coordinator position, vulnerability scans, network segmentation and more.

“The Transportation Security Administration (TSA) is issuing this Security Directive due to the ongoing cybersecurity threat to pipeline systems,” said Stacey Fitzmaurice, TSA executive assistant administrator of operations support.

“This Security Directive requires actions necessary to protect the national security, economy, and public health and safety of the United States and its citizens from the impact of malicious cyber intrusions affecting the nation's most critical gas and liquid pipelines.”

Fitzmaurice added that “even minor disruptions in critical pipeline systems may result in temporary product shortages that can cause significant harm to national security” and noted that prolonged disruptions could have ripple effects across the economy. Due to other sectors’ reliance on oil and gas, disruptions or delays would have a distinct effect on other critical infrastructure.

According to Fitzmaurice, TSA has gotten intelligence showing that “nefarious persons, organizations, and governments” are targeting vulnerabilities in critical infrastructure, necessitating the cybersecurity rules.

The rules include:

  • Annual submission of an Updated Cybersecurity Assessment Plan (CAP) for TSA review and approval.
  • Reporting of the previous year's assessment results and providing an annual schedule for auditing cybersecurity measures, with 100% assessment of security measures required every three years.
  • Annual testing of at least two objectives of the Cybersecurity Incident Response Plan (CIRP), involving relevant individuals identified in the plan.
  • Maintaining existing requirements, such as reporting significant cybersecurity incidents to CISA, designating a cybersecurity point of contact, and conducting a cybersecurity vulnerability assessment.

Fitzmaurice’s letter notes that the agency faced backlash from operators after first releasing the rules in July 2021, and was forced to revise the rules to provide more flexibility to cybersecurity officials.

The renewed rules have kept all of the changes made in the last update, officials said. They also give TSA officials the right to "inspect, maintain, and test security facilities, equipment, and systems" and "oversee the implementation, and ensure the adequacy of security measures at ... transportation facilities."

Several pipeline cybersecurity experts, including Chris Warner — senior operational technology security consultant at GuidePoint Security — told Recorded Future News that the directive also includes several minor updates, mostly centered on the idea that operators have to notify TSA of changes to their plans or pipeline operations.

Others lauded TSA for making the changes in response to requests from experts and operators in the field.

“Overall it's great to see updates being made by TSA to clarify the requirements and in some cases, remove any loopholes as a result of practical application of these Security Directives in the field,” said Ron Fabela, field CTO at XONA Systems. “I would expect more revisions as assessments and technical evaluation of control effectiveness are conducted in the years to come.”

ForAllSecure’s Josh Thorngren added that it was encouraging to see TSA acknowledge that cybersecurity strategies need to evolve over time.

The update also gives owners and operators flexibility to leverage various industry standards they already use — such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series, a set of benchmarks for industrial automation and control systems, Dragos cyber risk director Jason Christopher explained.

“Given the increased audit language and reporting requirements in the updated regulation, we hope that TSA continues to align such requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities,” Christopher said.

“We also hope that TSA continues to engage with private sector and industry experts as they update and revise the Security Directives moving forward.”

Multiple sector-specific security directives have been passed down over the last two years, including ones for water systems, higher-risk freight railroads, passenger rail, and rail transit. The Environmental Protection Agency is currently in court fighting to reinstate the rules for public water systems after Republican legislators obtained a court order stopping the agency from applying the regulations.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.