TSA directives enhance oil and gas pipeline cybersecurity, as focus shifts to evaluation of implemented measures

Following the July release of the U.S. Transportation Security Administration (TSA) oil and gas pipeline cybersecurity directive, asset owners and operators must adopt a performance-based approach to security in place of the earlier prescriptive measures. A performance-based approach lets operators leverage new technologies and adapt to changing environments; the revised directive also requires them to evaluate the effectiveness of the security measures they have implemented.

TSA Security Directive Pipeline-2021-02D is a continuation of the SD Pipeline-2021-02 series and cancels and supersedes SD Pipeline-2021-02C. While most of the requirements and compliance elements remain the same, SD-02D adds audit language, new timelines, and processes for specific requirements of the TSA compliance program.

Asset owners and operators of hazardous liquid and natural gas pipelines or liquefied natural gas facilities should note the direct language added to the directive: if TSA disagrees with the critical cyber system designations an operator submits, TSA may require the operator to provide a rationale for excluding systems, or may require that additional systems be included.

Additionally, tabletop exercises to test the cybersecurity Incident Response (IR) plan are now mandatory annually. Each exercise must test at least two objectives from the IR plan and must include, as active participants, the positions (named roles) defined in that plan.

Furthermore, asset owners/operators must provide a schedule for assessing and auditing the ‘cybersecurity assessment plan,’ ensuring at least 30 percent of the policies, procedures, measures, and capabilities are assessed each year so that 100 percent of the Assessment Plan is assessed every three years. These audit results must be captured in an annual assessment report and submitted to TSA.
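The arithmetic behind the "30 percent a year, 100 percent every three years" rule is less obvious than it looks: an equal three-way split of a small assessment plan does not necessarily reach 30 percent in every year, so some items may have to be assessed twice in a cycle. The script below is an added illustration written for this article, not TSA material or an operator's real plan; the control identifiers and names are constructed, and the scheduling rule (fill each year to the larger of 30 percent of the plan and one third of the plan, walking the plan cyclically) is this author's assumption about one reasonable way to meet the requirement.

```python
"""Assessment-plan rotation check for the 30%/year, 100%/3-year rule.

Added example, not TSA or Industrial Cyber material. The plan items
below are constructed placeholders, not a real Cybersecurity Assessment
Plan, and the scheduling rule is one assumed way to satisfy the directive.
"""

MIN_ANNUAL_PERCENT = 30   # at least 30% of the plan assessed each year
CYCLE_YEARS = 3           # 100% of the plan assessed within three years

# Constructed sample plan (identifiers CAP-xx are invented for this example).
SAMPLE_PLAN = [
    "CAP-01 network segmentation between IT and OT",
    "CAP-02 MFA for remote access to critical cyber systems",
    "CAP-03 review of domain trust relationships",
    "CAP-04 patch and mitigation process for OT assets",
    "CAP-05 continuous monitoring of OT network traffic",
    "CAP-06 incident response plan and tabletop exercise",
    "CAP-07 backups of critical cyber system configurations",
]


def ceil_div(a, b):
    """Integer ceiling division, avoiding float rounding (0.3 * 10 != 3.0)."""
    return -(-a // b)


def slots_per_year(n_controls):
    """Assessments needed per year so that every year covers >= 30% of the
    plan and the three years together cover all of it."""
    return max(ceil_div(MIN_ANNUAL_PERCENT * n_controls, 100),
               ceil_div(n_controls, CYCLE_YEARS))


def build_schedule(controls, start_year):
    """Assign plan items to the next CYCLE_YEARS years, walking the plan
    cyclically so that coverage wraps around. Returns {year: [items]}.
    When the plan is small, the last year re-assesses some early items."""
    n = len(controls)
    per_year = slots_per_year(n)
    schedule, pos = {}, 0
    for offset in range(CYCLE_YEARS):
        picked = []
        for _ in range(per_year):
            picked.append(controls[pos % n])
            pos += 1
        schedule[start_year + offset] = picked
    return schedule


def validate_schedule(schedule, controls):
    """Check a proposed schedule against the rule. Returns a list of
    issue strings; an empty list means the schedule is compliant."""
    issues = []
    n = len(controls)
    known = set(controls)
    covered = set()
    if len(schedule) != CYCLE_YEARS:
        issues.append(f"schedule spans {len(schedule)} years, expected {CYCLE_YEARS}")
    for year, items in sorted(schedule.items()):
        unknown = [c for c in items if c not in known]
        if unknown:
            issues.append(f"{year}: items not in the plan: {unknown}")
        distinct = set(items) & known
        # Integer comparison: 100 * assessed >= 30 * total.
        if 100 * len(distinct) < MIN_ANNUAL_PERCENT * n:
            issues.append(f"{year}: {100 * len(distinct) // n}% of plan assessed, "
                          f"below {MIN_ANNUAL_PERCENT}%")
        covered |= distinct
    missing = sorted(known - covered)
    if missing:
        issues.append(f"never assessed in the cycle: {missing}")
    return issues


if __name__ == "__main__":
    plan = build_schedule(SAMPLE_PLAN, 2024)
    for year, items in plan.items():
        print(year, [c.split()[0] for c in items])
    print("issues:", validate_schedule(plan, SAMPLE_PLAN))
    # A naive 3/2/2 split of seven items fails: 2 of 7 is under 30%.
    naive = {2024: SAMPLE_PLAN[:3], 2025: SAMPLE_PLAN[3:5], 2026: SAMPLE_PLAN[5:]}
    print("naive split issues:", validate_schedule(naive, SAMPLE_PLAN))
```

With seven plan items, `build_schedule` assesses three per year (42 percent), and the third year revisits CAP-01 and CAP-02 to keep the year above 30 percent; the naive 3/2/2 split is rejected because two of seven is only 28 percent. The same validator can be pointed at a schedule drawn up by hand before it goes into the annual assessment report.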

In practice, the directive requires robust security controls and the adoption of advanced threat detection and response capabilities to safeguard against cyberattacks. Oil and gas pipeline owners and operators must identify the critical cyber systems across their operational infrastructure, and adopt appropriate network segmentation policies and controls, access control measures, and multi-factor authentication. They must also review existing domain trust relationships, bring in threat monitoring capabilities, and craft a cybersecurity assessment plan that meets the compliance requirements.

Compliance with these directives necessitates substantial financial investments requiring pipeline owners and operators to allocate resources and upgrade their cybersecurity infrastructure, develop incident response plans, and train personnel to monitor and protect their systems, detect vulnerabilities, and swiftly respond to cyber incidents. 

Industrial Cyber reached out to industrial cybersecurity experts to discuss the potential impact of the TSA Oil and Gas Security Directive Pipeline-2021-02D on the oil and gas pipeline industry, how it differs from previous cybersecurity directives in the industry, and how it helps the industry stay ahead of emerging cyber threats.

Scott Gorton, Executive Director, Surface Policy at Transportation Security Administration (TSA)

“This Security Directive is the fourth iteration of the Pipeline-2021-02 series. TSA Security Directives are intended to be temporary measures, so they are typically issued to be in effect for one year. TSA evaluates the implementation of the security directives and makes modifications as needed and warranted,” Scott Gorton, executive director of surface policy at the TSA, told Industrial Cyber. “This particular security directive builds on the previous versions and takes an iterative approach to having the regulated parties develop and implement an effective cybersecurity management plan with performance-based measures focused on outcomes.” 

TSA is committed to keeping the nation’s transportation systems secure in this challenging cyber threat environment, according to Gorton. “This revised security directive sustains the strong performance-based cybersecurity measures already in place for the oil and natural gas pipeline industry. This version expands on the requirement that operators test and evaluate the effectiveness of security measures they have implemented.” 

Gorton added that the TSA will continue to work with its federal partners, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation (DOT), and industry stakeholders in the transportation sector to increase cybersecurity resilience throughout the transportation system, and “we acknowledge the significant work over the past year to protect critical infrastructure.”

Rick Kaun, vice president for solutions at Verve Industrial

Rick Kaun, vice president for solutions at Verve Industrial, told Industrial Cyber that “this edition makes some subtle but important changes – primarily around greater clarity (i.e., more details) but also relaxing needs/requirements to a ‘more reasonable’ expectation.  For example, owners/operators can still submit assets not deemed to be critical, however, they are now being explicitly asked to prepare and possibly present their analysis methodology, criteria, and outcomes.”  

“As for the ‘relaxation’ component, annual testing of incident response plans has been lowered to only require 2 specific tasks (i.e., containment, segregation, security and integrity backup of data and isolation of OT) annually,” according to Kaun. “These are just two examples but show that the TSA is trying to make the standard more ‘reasonable’ for newly anointed security practitioners but also provide greater detail in the specifics.”  

Kaun highlighted that the intent is clearly to get a higher level of adoption but also to hopefully drive more consistency across multiple entities.

Ted Gutierrez, CEO and co-founder of SecurityGate

“I think the directive does a great job communicating more detail on the value of implementing key cyber controls,” Ted Gutierrez, CEO and co-founder of SecurityGate, told Industrial Cyber. “The technically savvy authors undoubtedly have chosen to mandate controls I’d agree are at the top of the priority list. However, business-savvy cyber leaders are going to challenge the sheer cost of implementation. 12 months is short, budgets will need millions more, and few pipeline companies have the talent ready to deploy. So, it will be interesting to see how and if resource allotment matches the directive’s guidance.”

The executives address the potential challenges that oil and gas companies may encounter when implementing the new cybersecurity directives.

Gorton said that TSA is constantly in dialogue with its stakeholders regarding the implementation of the directive’s requirements. “While we will not comment on any specific challenges, together with TSA stakeholders we work through any impediment to full implementation of the security directives,” he added.

“The struggles for most companies will not change much with these edits. It was clear from what we were hearing that there were very similar growing pains for TSA entities to those experienced in the power industry when NERC CIP first started,” Kaun pointed out. “Namely that most operational companies did not adhere to such a rigorous security practice and so standing up but maintaining such a program was the biggest challenge. We still see a significant risk to entities in their ability to maintain these security practices.”

Kaun said that “having easier testing requirements, more detail on what to do, etc., will help to navigate what and how they should do things but actually executing consistently over time is where everyone falls down.”

Gutierrez sees two challenges facing the implementation of the new directive:  the ‘who’ and the ‘then what.’ 

“The directive doesn’t shy away from technical mandates, including highly specific guidance on access control and network segmentation,” according to Gutierrez. “Yet the directive does not address people, process, or program-oriented directives. Considering the positive correlation between a) technical controls/products and b) the resulting work created to implement, manage, and maintain such equipment and data, the real challenge the directive introduces is who will manage the effort effectively long-term.”

The executives analyze how oil and gas companies cope with the regular flow of cyber security directives since the Colonial Pipeline incident. They also examine the actual impact that these security directives have had on the cybersecurity posture of oil and gas installations, as well as how it is being measured.

Following the May 2021 ransomware attack that disrupted the supply chain, Gorton said that the TSA issued two security directives mandating that critical pipeline owners and operators implement urgently needed cybersecurity measures in light of the significant cyber threat facing the industry. “Since that attack, the threat continues to evolve and intensify,” he added. 

“With these revisions to the security directives to make them more performance-based/outcome-focused, TSA continues to take steps to reduce risks to pipeline infrastructure through collaboration with the agency’s public and private sector partners,” according to Gorton. “Pipeline operators have strengthened their cyber network defenses to reduce vulnerabilities and increase cybersecurity resilience. TSA monitors and measures progress through regular site inspections.”

Kaun said that part of any program (regulated or otherwise) has to have a ‘monitor’ or ‘detection’ component, so ‘coping’ with a regular flow of directives should be a normal function in a newly established program, assigned to a person or role to liaise with industry bodies, mailing lists, conferences/webinars, etc., and then turn that newly discovered data into both internal practices and internal communications to spread the mission more widely and consistently.

“The actual impact of the directives, however, has thus far been to force reluctant participants to act in some way, shape, or form. The efficacy of this approach will only be measured over time but if it follows the NERC CIP path then we suspect there will initially be two ‘profiles’ of participation,” Kaun noted. “The first profile will be organizations who take this seriously, plan appropriately, and build out a sustainable, scalable approach. The other profile will be those that see directives as a nuisance, project, or time-based obstacle and want to provide a minimally compliant response to put this behind them.”

Kaun added that the challenge for the second profile is that the only truly sustainable program is ‘baked into’ the DNA of an operational environment the same way safety already is. “That being said – this version of the directive does require at least 30% of implemented security controls are assessed annually (self-assessment though) and that a different 30% is assessed each year so that 100% of all controls are assessed at least within a 3-year cycle.”

“I think directives, regulations, and recommendations absolutely help the industry move forward; however, they add potency to the enduring challenge of resource allocation for the operators,” according to Gutierrez. “I don’t see (yet) a fair match between budget increases for cyber alongside increases in regulation.”

The executives also evaluate how the latest security directive addresses the issue of funding for cybersecurity measures. They also examine the practical consequences for companies that do not comply with the directives, including potential penalties and security vulnerabilities.

Gorton said that the stakeholders within the pipeline sector are working with TSA to protect their cyber systems and the intent is to build defenses and resilience from the effects of a cyber-attack. 

“While TSA can issue civil penalties for non-compliance with the security directives, this course of action is a last resort,” according to Gorton. “TSA’s best practice is working with operators to achieve successful implementation of cybersecurity requirements. TSA has collaborated with industry stakeholders in moving towards a performance-based/outcome-focused approach when it comes to regulation for pipelines and passenger/freight rail.”

Kaun said that at the moment he is not aware of any funding or punitive (monetary) mechanisms in the standards. “However the TSA in general does have the power to enforce security and, again, if they follow NERC, would allow for some time (a couple of years?) for entities to get sorted out before they levied fines for non-compliance. In other words, not yet but don’t bet against it either,” he added.

Gutierrez said, “I think the penalty is not transactional, i.e., public fines, but rather time-oriented. As a previous auditor myself, the nature of the directive is rooted in alignment between the TSA and the asset owners, so only they know the incurred ‘penalties’ for failure to meet their intent.”

“I gather that the recent updates including technical requirements signal a previous lack of investment by the operators in the past 12 months,” he added.

The executives also check out how the latest security directive aligns with broader cybersecurity regulations and standards in the U.S., such as the CISA Cybersecurity Performance Goals (CPGs) and NIST CSF 2.0. They also look at whether there are any similar regulatory guidelines and directives outside the U.S.

TSA is responsible for developing cybersecurity regulations for transportation critical infrastructure, Gorton highlighted. “TSA has incorporated elements of both the CISA Cyber Performance Goals and the NIST Cybersecurity Framework into its security directives.” 

“TSA will continue to incorporate applicable portions of recognized standards of practice into its policies and regulations,” according to Gorton. “There is a common objective to have alignment and coordination across federal agencies as it applies to regulations and the different authorities that federal agencies have.”

He also said that some international standards and guidelines are similar in scope to the TSA security directives. “As such, TSA regularly consults with international partners to share best practices and enhance transportation security.”

“The NIST CSF 2.0 is a welcome improvement to the original in that it now includes a whole section on governance,” Kaun pointed out. “In other words, how to execute/staff such a technical program!  To compare NIST to TSA though – the TSA does require the ‘basics’ of a plan. I.e., Inventory (categorized as critical/non-critical) then expect network segmentation, access control, monitoring, maintenance (patching, etc.) Incident response, and recurring assessment of security controls but is not as detailed.”  

As for other directives outside of the U.S., Kaun said that “the NIS2 (European) is pretty significant in its expectations and as such will suffer similar growing pains for owners/operators in those geographies.”

“Overall, I think it is lacking comparatively in a holistic approach on people and process but adds significantly more valuable guidance on technical details,” according to Gutierrez. “The directives focus on access control, network segmentation, and incident response are superb, but I remain curious to see how pipeline security programs will achieve sustainable improvement without an equal focus on people and process,” he concluded.
