TSA’s July 2022 Security Directive provides pipeline operators with greater flexibility to fight cyber threats


The recent revision and re-issue of the TSA’s July 2022 Security Directive mark a paradigm shift from a prescriptive, compliance-based standard to a functional, performance-based standard. Covering cybersecurity requirements of oil and natural gas pipeline owners and operators, the guidance supersedes and replaces last year’s Security Directive, while considering the lessons learned by the Transportation Security Administration (TSA) after working with industry stakeholders and other federal agencies over the last year.

The latest requirements, Security Directive Pipeline-2021-02C, describe what should be accomplished and why, without specifying how to meet the requirement, thereby offering pipeline owners and operators the flexibility to determine the correct risk-based solutions to meet the cybersecurity requirements in the standard. It also synchronizes with existing industry standards, such as the NIST Cybersecurity Framework (CSF), API 1164, and the ISA/IEC 62443 series. By bringing the security directive in line with other standards, pipeline owners and operators can pull from a broader set of guidance, experience, and solutions to build and strengthen their cybersecurity posture. 

Security Directive Pipeline-2021-02C introduces several key modifications for pipeline owners and operators: it brings in greater flexibility through a performance-based security outcome model, aligns more closely with the federal pipeline safety regulations, and allows operators to develop plans that are tailored to their own pipeline systems. The updated directive, along with a portion of the previous Directive 2021-02B, extends the cybersecurity requirements for another year, during which time the TSA intends to pursue formal rulemaking.

Industrial Cyber contacted industry experts to evaluate the level of preparedness and capability that pipeline owners and operators currently possess to bring in the cybersecurity requirements of the July 2022 Security Directive.

Don Ward, senior vice president for global services at Mission Secure

“It has to be taken on a case-by-case basis. For example, the top 10 oil and natural gas pipeline owners, ranging from $6B+ to $54B in sales this past year, are flush with cash resources to fund the cybersecurity technology stacks and programs to meet the TSA’s performance-based directives,” Don Ward, senior vice president for global services at Mission Secure, told Industrial Cyber. “Most have implemented major cybersecurity vendor products as well as smaller best-of-breed product solutions.” 

Ward cited the Colonial Pipeline last year, which had a rather deep cyber technology stack deployed across its IT and OT environments. “At a 35,000-foot view, it looks ok. However, these larger companies have been built over the years by acquiring smaller regional O&G companies and integrating them into the larger corporate entity. These integrations take years and many are stitched together with existing disparate tech stacks and resources without a company-wide fully enforced standard,” he added.  

“Cross-correlation of security events, from endpoint to network infrastructure and cloud into a SIEM/SOAR solution, much less the event/alert fatigue and lack of qualified cybersecurity resources aligned across regions creates blind spots in tracking, detecting, and responding to events throughout these companies,” according to Ward. “This is an arduous ongoing journey and the TSA’s performance-centric objectives realize that it has to be a lifecycle management process, identified, documented, prioritized, tracked, improved upon, and audited continually over time.” 

The TSA’s directives for segmentation, secure access control, patching, and continuous monitoring and detection are nothing new – the industry has been striving for decades to implement these tenets and to score its risk against them under industry-standard cybersecurity frameworks and guidelines, Ward said. “The intersection of IT and OT domains is where we need better collaboration, planning, and assignment of budgets and resources to ensure proper progress on all fronts for a unified implementation plan, incident response plan, and ongoing IT & OT assessments and audits,” he added.

Padraic O’Reilly, chief product officer and co-founder at CyberSaint

In theory, TSA has done the due diligence, in partnership with the industry, to adapt directive two, Padraic O’Reilly, chief product officer and co-founder at CyberSaint, told Industrial Cyber. “The stated purpose—less prescriptive, more adaptive—should be sufficient to bring firms into compliance. This has been a process. The first version of directive 2 seemed like a steep climb to me, and it was less than surprising that the industry pushed back. But there were other considerations, namely that pipeline operators had been under a voluntary regime for years, through the API, and at least nominally, standards should have been in place.”

“In practice, OT and industrial cyber have some practical and systemic challenges. OT cyber is historically tricky with respect to patch cycles, and there is a great deal of variance across the industry,” O’Reilly said. “So a one size fits all approach that erred on the side of IT cyber—well, that struck the practitioners as the wrong approach. But TSA was overburdened in a sense and, at first, a bit out of their depth. So really, the last few months have been about listening and fine-tuning the requirements. So, a softer timeline coupled with risk-based remediation should give most pipeline operators enough room to begin meeting the requirements,” he added. 

Device and firmware security in OT networks is like a wild wild west at the moment, Alex Matrosov, CEO and co-founder at Binarly, told Industrial Cyber. “It was out of scope for a long time but recently started getting more attention with recent SBOM activities. Still, there are many gaps in the current CISO understanding of firmware security, especially when it comes to the ICS world. It is extremely important to protect the operating system activity, but real security begins from the hardware and firmware,” he added.

Alex Matrosov, CEO and co-founder at Binarly

Addressing the challenges that pipeline owners and operators could face as they implement the provisions of the July 2022 Security Directive, Ward pointed to a lack of communication and coordination between internal company resources, third-party resources, and the existing or planned cybersecurity vendor solutions.

“Operational technology networks and the resources supporting them are focused on safety and reliability to keep revenue flowing and undisrupted,” Ward said. “However, these environments are managed and tracked via networks (not air-gapped islands anymore) that are accessed via internal and third parties with many avenues to the Internet.” 

Ward recommended a top-down approach: a clear chain of command together with integrated IT and OT budgets and resourcing would provide a robust foundational start. “With this in place, starting the process of identifying all gaps by prioritizing and conducting full OT and OT/IT-intersection network assessments that are monitored 24/7 and continuously updated would greatly speed up the performance-based directives process the TSA is driving,” he added.

“Organizing cross-functional IT and OT teams for success with a unified plan, while also starting the process to assess and address the most critical blind spots within critical OT infrastructure are key starters that these companies should focus on,” according to Ward. “The process of eating this elephant of directives starts one bite at a time,” he added.

O’Reilly expects the challenges will come around risk-based prioritization of patching, which is notoriously complex in OT systems. “Many firms have not approached this in a risk prioritized manner, or if they have, they have done so with an ad hoc approach. The good news is that when done properly, a risk-based approach can be far more efficient than a patching policy that is more general.”

“Operators can outsource monitoring and contingency planning at a reasonable cost, but proper network segmentation can be a significant lift architecturally and financially and is potentially disruptive,” according to O’Reilly. “Operators will also have difficulty with IT/OT segmentation, which can be an architectural challenge, particularly over large distances that rely upon telecommunications. That said, these are best practices that should be in place for the sake of reliability and safety.”

Integrity monitoring solutions and firmware patching do not guarantee that no vulnerabilities are left afterward, Matrosov said. “It is imperative to implement the right vulnerability management approach by going deeper with binary code analysis and detecting the vulnerabilities at the code level rather than just checking the firmware version number.”

Matrosov also said that the most recent firmware could contain multiple vulnerabilities coming from the supply chain and the complexity of the existing firmware supply chain always reveals surprises in terms of n-day vulnerabilities. “Trust but verify is the only right approach to device and firmware security,” he added. 
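The two points above, that a version-number check is not verification and that even the latest firmware can carry a vulnerable supply-chain component, can be shown side by side in a short script. The following is an added example, not code from the article or from Binarly; the vendor manifest, firmware images, component names and advisory identifiers are all constructed placeholders, and the "content check" stands in for real binary analysis by verifying the image hash against the manifest and then looking up the verified build's SBOM-style component list in an advisory feed.

```python
import hashlib
from dataclasses import dataclass

# Added example (not from the article or any vendor): contrasts a version-number
# check with content-level verification of a firmware image. Every image, hash,
# component name and advisory ID below is constructed for illustration.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "genuine" images as published by a hypothetical vendor. The text
# after the first '|' stands in for the build's component list.
GENUINE_IMAGES = {
    "2.1.0": b"CONSTRUCTED-IMAGE-2.1.0|bootloader=1.4|tls=1.0.2|webui=2.9",
    "2.2.0": b"CONSTRUCTED-IMAGE-2.2.0|bootloader=1.5|tls=1.1.1|webui=3.0",
}
LATEST_VERSION = "2.2.0"

# Vendor manifest: expected image hash plus an SBOM-style component list per version.
MANIFEST = {
    version: {
        "sha256": sha256_hex(image),
        "components": dict(part.split("=") for part in image.decode().split("|")[1:]),
    }
    for version, image in GENUINE_IMAGES.items()
}

# Constructed advisory feed keyed by (component, version); the IDs are placeholders.
KNOWN_VULNERABLE = {
    ("tls", "1.0.2"): "PLACEHOLDER-ADVISORY-0001",
    ("webui", "3.0"): "PLACEHOLDER-ADVISORY-0002",  # shipped in the latest release too
}


@dataclass
class Device:
    name: str
    reported_version: str  # version string the device reports over its management interface
    image: bytes           # firmware image actually read back from the device


def version_only_check(device: Device) -> str:
    """The checkbox approach: trust the reported version string as-is."""
    return "current" if device.reported_version == LATEST_VERSION else "outdated"


def content_check(device: Device, manifest=MANIFEST, advisories=KNOWN_VULNERABLE) -> list[str]:
    """Verify the image bytes against the manifest, then check the verified build's
    components against the advisory feed. Returns findings; empty means verified
    and free of known vulnerable components."""
    entry = manifest.get(device.reported_version)
    if entry is None:
        return [f"unknown version {device.reported_version!r}: nothing to verify against"]
    actual = sha256_hex(device.image)
    if actual != entry["sha256"]:
        # The version string cannot be trusted, so the manifest's component list
        # for that version does not describe what is really running.
        return [f"image mismatch: reports {device.reported_version} but hash "
                f"{actual[:12]}... differs from the manifest"]
    findings = []
    for component, version in entry["components"].items():
        advisory = advisories.get((component, version))
        if advisory:
            findings.append(f"{component} {version} affected by {advisory}")
    return findings


def fleet_report(devices: list[Device]) -> dict:
    """Run both checks over an inventory so the difference is visible per device."""
    return {d.name: {"version_only": version_only_check(d), "content": content_check(d)}
            for d in devices}


if __name__ == "__main__":
    fleet = [  # constructed inventory
        Device("plc-01", "2.2.0", GENUINE_IMAGES["2.2.0"]),                  # latest, genuine
        Device("plc-02", "2.1.0", GENUINE_IMAGES["2.1.0"]),                  # older, genuine
        Device("rtu-07", "2.2.0", b"CONSTRUCTED-UNKNOWN-BUILD|tls=1.0.2"),   # claims latest, image differs
        Device("rtu-09", "9.9.9", b"CONSTRUCTED-IMAGE-9.9.9"),               # version not in manifest
    ]
    for name, result in fleet_report(fleet).items():
        print(name, result)
```

Run as a script, the version-only column marks both plc-01 and rtu-07 as "current", while the content check flags plc-01 for a vulnerable component in the latest build and rtu-07 because the image it is actually running does not match what a device reporting 2.2.0 should contain. A real deployment would replace the hash-and-SBOM lookup with analysis of the extracted binary, but the control-flow is the same: verify what is running first, then reason about its vulnerabilities.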

While there will certainly be challenges pipeline owners and operators will face unique to their tech stack, supply chain, and domain regarding the July 2022 Security Directive, two challenges bubble up that point back to macro challenges facing infrastructure operators across sectors, Josh Lospinoso, CEO and co-founder at Shift5, told Industrial Cyber.

Josh Lospinoso, CEO and co-founder at Shift5

“The ‘skills gap’ is an enduring problem plaguing the cybersecurity domain,” according to Lospinoso. “The White House deemed it a national security challenge last month, estimating approximately 700,000 cybersecurity positions remain open today. When it comes to the operational technology domain, there’s an even greater dearth of cybersecurity professionals uniquely qualified to defend cyber-physical systems,” he added.

Lospinoso said that the fact that the TSA is ramping up regulations for critical infrastructure operators that capture OT needs sends the signal that the U.S. government is well aware of the need to protect every layer of cyber-physical systems. “However, the pipeline industry will struggle to move aggressively towards modern cybersecurity best practices without enough skilled talent to fill open positions.” 

The TSA regulations also call for pipeline operators and owners to develop network segmentation policies and controls to ensure the uptime of operational technology systems even if IT systems are compromised, Lospinoso said. “Network segmentation is a useful and worthwhile cybersecurity strategy to leverage in a critical infrastructure environment. I caution that it isn’t a magical solution. If an adversary perceives their target is important enough, I’ve seen sophisticated actors spend millions of dollars mocking up target environments and coming up with some truly brilliant feats of engineering to bypass defenses such as network segmentation. This emphasizes the need for defense in depth. Simply air-gapping systems is never enough,” he added.

“With time and resources, ingenious attackers will come up with novel techniques for defeating static defensive techniques,” according to Lospinoso. “Much like the pipeline regulations request, critical infrastructure requires continuous monitoring of systems for signs of anomalous behavior.”

Asked whether pipeline owners and operators are able to comply with the July 2022 Security Directive’s other requirements, such as network segmentation and firmware patching, Ward said that they are. Vendors already provide a full OT suite of cybersecurity products and services to implement segmentation, access control, and 24/7 continuous monitoring and incident response, he added.

“The patching process in OT environments is always a challenge as the operating systems and OT applications that run on them all have to be tested extensively against each patch update,” Ward said. “This is done offline in a digital twin environment and can take an extensive amount of time to certify and roll out across the OT/PCNs.” 

In the interim, companies can provide full OT network assessments that prioritize remediating the most critical indicators of compromise, implement recommended segmentation and secure access control, and provide 24/7 SOC monitoring for these environments to track any attempts to exploit unpatched vulnerabilities until customers/vendors get around to rolling out certified patches, according to Ward.

O’Reilly said that there could conceivably be shortfalls in the implementation of all the requirements in directive 2, but TSA has been clear that they are mindful of ‘differing infrastructures across different operators.’ He also pointed out that the agency has used the phrases, ‘performance-based approach,’ and ‘leverage new technologies,’ both of which imply that TSA will be wanting to see progress rather than perfection, at least at first. 

“There are many consultancies that specialize in the kinds of remediations that TSA has specified, so it should not be a shortage of expertise that stifles compliance,” O’Reilly said. “It will come down to whether the operators feel that the investment—which is significant—is worth the effort. From the standpoint of a risk management professional such as myself, the required investment is well worth it and will add to the business value of the operators. But there will likely be lower maturity firms that will struggle with implementation, though even these will have time to demonstrate they are on the right course,” he added.

Matrosov said that, according to NIST, firmware is a critical piece of software that requires more attention not only for patching but also for vulnerability management. “Most of the existing solutions are focused on integrity monitoring and creating opaque alerts. To find the right solution to resolve such problems, we need to pay much more attention to the explainability of such alerts. As of now, there are few solutions on the market to help operators comply with the July 2022 Security Directive and provide more than just a checkbox for compliance,” he concluded.
