Critical pipeline owners and operators are required to carry out vulnerability assessments of their equipment and return responses by Jun. 28, following a security directive issued by the U.S. Department of Homeland Security’s Transportation Security Administration (TSA). The pipeline companies were also required to meet new requirements for staffing and incident reporting.
The directive came in the wake of the Colonial Pipeline ransomware attack.
Effective from May 28, the security directive prescribed that critical pipeline owners and operators should immediately review and carry out a vulnerability assessment that adheres to Section 7 of TSA’s 2018 Pipeline Security Guidelines, in order to assess whether current practices and activities to address cyber risks to owners’ and operators’ IT and OT (operational technology) systems align with the guidelines. It also seeks to identify any gaps, carry out remediation measures to fill them, and establish a timeline for implementing these remediation measures.
The assessment and identification of gaps must be completed using the form provided by the TSA. Critical pipeline owners and operators must provide a report containing all information required by the section to the TSA and the Cybersecurity and Infrastructure Security Agency (CISA) within 30 days of the effective date of the security directive. The assessment section requires pipeline owners/operators to review current cybersecurity procedures against 18 specific sections covered in the earlier 2018 security guidelines.
Section 7 of the guidelines covers the OT equipment used by critical pipeline owners and operators to manage their infrastructure and products, which are vital to the pipeline system’s operations. This includes the various control systems, such as SCADA, process control systems (PCS) and distributed control systems (DCS), as well as measurement systems and telemetry systems.
To help critical pipeline owners and operators, SecurityGate.io has made the cybersecurity assessment framework available inside the company’s platform, which will enable pipeline owners and operators to rapidly complete the assessment using digital automation, instead of time-consuming manual efforts that put them at risk of missing DHS’s 30-day response requirement. The problem with the directive, the company added, is that for industrial organizations, current cybersecurity assessments of OT environments are manual procedures that are very time-consuming.
“As soon as the TSA framework came out we moved that to our top priority for our platform’s new capabilities. The fact is, without digital automation, industrial cyber assessments take a lot of time and put a tremendous amount of strain on a company’s operations team,” Bill Lawrence, chief information security officer at SecurityGate.io, said in a press statement.
“Making this assessment framework available in the SecurityGate.io platform means these pipeline companies will not only be able to complete the assessment faster, they’ll also have a full understanding of where their cybersecurity gaps are along with what to do about them,” Lawrence added.
“The assessment is a checklist with yes/no fields to respond to queries covering the full scope of the guidelines. The goal is to assess current risks, identify gaps and describe any current remediation measures underway,” Marco Ayala, director for ICS cybersecurity and sector lead at 1898 & Co., wrote in a company blog post.
“This should be viewed as a true self-assessment and truthful answers will be viewed favorably by the TSA and CISA. This should be viewed as a good-faith effort on the part of the Department of Homeland Security to work in partnership and assist pipelines and private industry in general,” Ayala added.
In addition to the vulnerability assessment, the security directive also called for critical pipeline owners and operators to report cybersecurity incidents to CISA. It also demands that owners/operators designate a cybersecurity coordinator to coordinate cybersecurity practices and address any incidents that arise. Critical pipeline owners and operators are required to provide in writing to the TSA the names, titles, phone number(s), and email address(es) of the cybersecurity coordinator, who shall be a U.S. citizen eligible for a security clearance.
The coordinator shall serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and CISA, be accessible to TSA and CISA 24 hours a day, seven days a week, coordinate cyber and related security practices and procedures internally, and work with appropriate law enforcement and emergency response agencies.
The directive also called for critical pipeline owners and operators to report any cybersecurity incident to CISA as soon as practicable, but no later than 12 hours after the incident is identified. Reports must be made to CISA Central using CISA’s Reporting System form. If the required information is not available at the time of reporting, owners/operators can submit an initial report within the specified timeframe and supplement it as additional information becomes available. All reported information will be protected in a manner appropriate for the sensitivity and criticality of the information.
“New cybersecurity requirements for oil and gas pipelines signal important changes to the regulatory landscape for midstream companies,” Erica Youngstrom wrote in a post for Baker & Hostetler LLP. “The security directive also raises many new questions that companies will need to consider in their response efforts and highlights the potential for increased regulation going forward. In particular, media reports indicate that the security directive is a precursor to additional regulations that will include financial penalties for companies that fail to address cybersecurity vulnerabilities,” she added.
“The directive balances its cybersecurity requirements with latitude over how they choose to implement technical controls and safeguards in order to build resilience. Over time, pipeline companies will equip themselves to make better decisions around cyber policies, awareness, training, skill development, and the many other aspects that go into a holistic cybersecurity program,” Grant Geyer, Claroty’s chief product officer, wrote in a company blog post.
“Industry-wide compliance is not something that can happen overnight and this may be an arduous process for some organizations, depending on the current state of their cybersecurity posture. The important thing is that organizations get started, no matter where they are on their cybersecurity journey now,” he added.