DHS releases cybersecurity requirements for critical pipeline owners, operators

The U.S. Department of Homeland Security (DHS) announced that its Transportation Security Administration (TSA) division has revised and re-issued its Security Directive concerning cybersecurity to oil and natural gas pipeline owners and operators. The directive also extends cybersecurity requirements for another year and focuses on performance-based rather than prescriptive measures to achieve critical cybersecurity outcomes.

The revised directive will continue the effort to build cybersecurity resiliency for the nation’s critical pipelines. It also requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement several urgently needed protections against cyber intrusions. 

The security directive now requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.

“This is the second Security Directive that TSA has issued to the pipeline sector this year, building upon an initial Security Directive that TSA issued last May, following the ransomware attack on Colonial Pipeline,” the DHS said in a statement. Since 2001, TSA has worked closely with pipeline owners and operators and its partners across the federal government to enhance the physical security preparedness of U.S. hazardous liquid and natural gas pipeline systems. It added that TSA also works closely with the Cybersecurity and Infrastructure Security Agency (CISA) to execute this mission. 

Developed with extensive input from industry stakeholders and federal partners, including the Department’s CISA, the reissued security directive for critical pipeline companies follows the security directive announced in July 2021. In addition, CISA advised TSA on the technical countermeasures to prevent cybersecurity threats during the development of the second security directive.  

The performance-based approach of the reissued security directive enhances security while allowing the industry to leverage new technologies and be more adaptive to changing environments. The security directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas facilities take action to prevent disruption and degradation to their infrastructure, starting with the development of network segmentation policies and controls. The move will help ensure that the OT system can continue operations if an IT system has been compromised and vice versa.

It also calls for the creation of access control measures to secure and prevent unauthorized access to critical cyber systems, while building continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations. The second security directive also seeks to promptly decrease the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems using a risk-based methodology.

Pipeline owners and operators must establish and execute a TSA-approved cybersecurity implementation plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes outlined in the security directive. 

Furthermore, these owners and operators must develop and maintain a cybersecurity incident response plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident. Additionally, the directive calls upon them to establish a cybersecurity assessment program to proactively and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.

The DHS said that these requirements are in addition to the previously established need to report significant cybersecurity incidents to CISA, establish a cybersecurity point of contact and conduct an annual cybersecurity vulnerability assessment.

“This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” David Pekoske, TSA administrator, said in a media statement. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”

“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Alejandro N. Mayorkas, secretary of Homeland Security, said in the DHS statement. “Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

The May 2021 Security Directive requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA and designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week. It also called on them to review current practices, identify gaps and related remediation measures to address cyber-related risks, and report the results to TSA and CISA within 30 days.

After this came the July 2021 Security Directive that called upon TSA-designated critical pipeline owners and operators transporting hazardous liquids and natural gas to enforce several urgently needed protections against cyber intrusions. It asked owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to IT and OT systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review. 

Subsequently, the TSA announced last December two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure.

Commenting on Thursday’s announcement, Thomas Pace, former DoE head of cybersecurity and CEO of XIoT cybersecurity firm, NetRise, said that the updated TSA guidelines include a very key component around patching firmware vulnerabilities on critical cyber systems.

“At this point, most oil & gas operators lack the visibility into what firmware is actually running on their XIoT systems, let alone what vulnerabilities those devices house,” Pace said. “Unlike IT systems, XIoT devices are often running a variety of vulnerabilities unknown to both the operators who run them and manufacturers that build them. For this to be a realistic ask of oil & gas operators, TSA and CISA need to rally around trusted tools to scan firmware for vulnerabilities and create more information sharing through required software bill of materials (SBOMs) to make sure everyone’s eyes are wide open,” he added.

Last month, the TSA said it was relaxing its pipeline cybersecurity rules, giving companies a longer window to report cyber attacks and more flexibility to design their defenses. The move by the TSA comes as publicly traded companies call for the Securities and Exchange Commission to loosen proposed regulations that would require them to report hacks deemed material to their operations within four business days.
