TSA unveils updated cybersecurity regulations of oil and gas pipelines
The Transportation Security Administration on Thursday officially unveiled revised cybersecurity directives for oil and natural gas pipelines after significant backlash from the industry, lawmakers and experts.
Rumors of the changes leaked last month and caused a stir, with many airing harsh criticism of the original directives, which were released in July 2021 following the headline-grabbing ransomware attack on Colonial Pipeline that May.
The first directive forced owners and operators of critical pipelines to report cybersecurity incidents, designate a cybersecurity coordinator, and conduct vulnerability assessments. The reissued security directive changed the incident reporting time from 12 to 24 hours.
In July 2021, TSA said it worked with the Cybersecurity and Infrastructure Security Agency (CISA) on a second directive with more “technical countermeasures” designed to prevent threats they’ve discovered in their research of the pipeline industry.
Details were not released publicly, but TSA said last year that the directive required owners to “implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
Critical infrastructure cybersecurity experts like SynSaber CTO Ron Fabela told The Record that the second directive from TSA was “an alphabet soup of buzzwords (zero trust, MFA) and kitchen sink requirements that just didn’t apply to pipeline environments.”
On Thursday, TSA said the newly revised directive was developed “with extensive input from industry stakeholders and federal partners” like CISA.
The reissued directive extends the cybersecurity requirements for another year, and according to TSA “focuses on performance-based – rather than prescriptive – measures to achieve critical cybersecurity outcomes.”
Pipeline operators and owners are ordered to develop network segmentation policies and controls as a way to make sure that operation technology systems can continue functioning even if IT systems are compromised or vice versa.
Access control measures will need to be created to block off access to critical systems, and continuous monitoring and detection policies will need to be built out to “detect cybersecurity threats and correct anomalies.”
There is also general guidance in the directive ordering operators to apply security patches and updates for all “operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
The directive also says pipeline operators need to create a TSA-approved Cybersecurity Implementation Plan sketching out how the company plans to enact the measures in the revised rules.
Operators are also ordered to create an incident response plan and an assessment program to “proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.”
TSA noted that the revised rules are in addition to the regulations sketched out in the first directive, which include the need to report significant cybersecurity incidents to CISA, establish a cybersecurity point of contact and conduct an annual cybersecurity vulnerability assessment.
TSA Administrator David Pekoske said TSA worked extensively with the oil and natural gas pipeline industry on the directives and established a “new model that accommodates variance in systems and operations to meet our security requirements,” addressing one of the biggest complaints experts had.
“We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes,” Pekoske said. “We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”
Pipeline threats have “evolved and intensified”
TSA noted that since the attack on Colonial Pipeline, the threats of cyberattacks on the oil and gas industry have “evolved and intensified,” making it a national security priority to increase “public and private collaboration.”
Duncan Greatwood, CEO of cybersecurity firm Xage, who has seen a draft of the specific regulations in the directive, said TSA is doubling down in some areas, such as access control and credential management for critical infrastructure systems, while relaxing some rules in other areas, such as lead times for incident reporting.
“The TSA is saying that any critical infrastructure element that lacks strong built-in security (which is often the majority of operational assets) won’t need to be uprooted. Instead, these critical assets will need ‘compensating controls’ to protect them – in other words, a way to protect vulnerable assets that makes up for their lack of built-in security capabilities.”
Greatwood added that a few months ago, TSA approved a compensating control for one of the largest oil and gas pipeline operators in North America. The operator adopted access controls via a mesh overlay, allowing them to roll out a zero trust solution across more than 750 sites without any impact on their existing 5,000+ operational technology assets, he explained.
To Greatwood, the approval of this strategy “demonstrated TSA’s willingness to assess and approve compensating controls that achieve that ultimate objective of cyber hardening the oil and gas pipeline infrastructure.”
“We work with some of the largest pipeline operators in the U.S., and overall they see this pending update as an accelerator of cyber-hardening, not an indication that they can sit back and relax,” Greatwood explained.
NetRise CEO Thomas Pace said one key aspect that stood out to him was the measures around patching firmware vulnerabilities on critical cyber systems.
Many oil and gas operators lack the visibility into what firmware is actually running on their XIoT systems, let alone what vulnerabilities those devices house, Pace said.
“Unlike IT systems, XIoT devices are often running a variety of vulnerabilities unknown to both the operators who run them and manufacturers that build them,” he said, adding that TSA and CISA need to create more information sharing through required software bill of materials (SBOMs) “to make sure everyone’s eyes are wide open.”