TSA directives for oil and natural gas pipeline cybersecurity address evolving, intensified threat of cyberattacks

Industry was quick to react to the latest Security Directive covering oil and natural gas pipeline cybersecurity released by the U.S. Transportation Security Administration (TSA). The agency requires TSA-specified owners/operators of pipeline and liquefied natural gas facilities to implement cybersecurity measures in order to prevent disruption and degradation to their infrastructure.

Commenting on the latest TSA Security Directive for pipeline operators, Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos, wrote in an emailed statement that, like the last version, TSA’s update to its Security Directive for oil and natural gas pipeline cybersecurity focuses on performance-based, rather than prescriptive, measures.

“That, along with the fact that pipeline companies can incorporate these measures into their existing Cybersecurity Implementation Plans (CIP) to achieve the right outcomes while accommodating differences in systems and operations, shows strong progress in TSA’s support for the distinct needs of the sector and of individual companies,” Christopher said. 

He added that the update also gives owners and operators important flexibility to leverage various industry standards they already use—such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series. The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represent major improvements for all pipeline owners and operators.

“Given the increased audit language and reporting requirements in the updated regulation, we hope that TSA continues to align such requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities,” according to Christopher. “We also hope that TSA continues to engage with private sector and industry experts as they update and revise the Security Directives moving forward.” 

Christopher also pointed out that operators are the experts in their own systems and contribute valuable input that allows for the best possible security outcomes from the regulatory process, putting oil and gas companies in a better position to address the evolving and intensified threat of cyberattacks and to improve resilience throughout the nation’s infrastructure.

Ron Fabela, field CTO at XONA Systems, said that some minor but interesting updates have been made to TSA SD Pipeline-2021-02D.

Addressing Section II, Fabela identified that the TSA seems to be making some clarifications, additions, and removals of sections based on feedback from the pipeline community or as a result of successes (or lack thereof) with certain requirements.  

“For instance, those owner/operators that have identified no ‘critical cyber systems’ will have to reevaluate when operations change, or now TSA may add ‘critical cyber systems’ that were not previously included before,” Fabela pointed out in an emailed statement. “This may be an indication in owner/operator requirement avoidance by simply stating they have no systems applicable to new regulation. NERC had similar challenges early in CIP regulation days when asset owners were allowed to self identify if they had any ‘Critical Cyber Assets.’ Of course the answer at the time was ‘none here, regulation not applicable’,” he added.

Fabela added that Section III changes incident response plans testing and introduces a new term ‘Cybersecurity Assessment Plan.’ “Changes to exercising the cybersecurity incident response plan are interesting in that they now only require that half of the requirements (at least 2 out of the 4 objectives) be tested annually instead of all. These requirements are not especially rigorous, so one wonders what prompted the change,” he added.

Similarly, while Cybersecurity Assessment Plans must now be reviewed and approved by TSA, a section was added only requiring 30% coverage of requirements to be assessed each year, with 100% assessed over any three-year period, Fabela pointed out. “Ignoring the obvious math error (3×30%=90%, not 100%), assessing only one third of your security measures a year is a bold outlier to an effective security program.”

“Section IV changes make an interesting clarification. Use of previous plans, assessments, tests, and evaluations as evidence to meet the SD security directives must now explicitly incorporate these by reference into the CIP and made available to TSA upon request,” according to Fabela. “With TSA having to make these specific changes, I speculate that owner/operators may have said that they have requirements met by other artifacts but then failed to produce said evidence.”

Lastly, Fabela added that overall it’s great to see updates being made by TSA to clarify the requirements and in some cases, remove any loopholes as a result of practical application of these Security Directives in the field. “I would expect more revisions as assessments and technical evaluation of control effectiveness are conducted in the years to come,” he added.

Chris Warner, OT senior security consultant at GuidePoint Security, said that the TSA has announced updates to its SD aimed at strengthening the operational resilience of oil and natural gas pipeline owners and operators against cyber-attacks. These updates, effective from July 27th, 2023, introduce certain requirements that may demand additional resources from organizations to comply. 

At a high level, Warner identified that the updated SD includes annual submission of an Updated Cybersecurity Assessment Plan (CAP) for TSA review and approval; and reporting of the previous year’s assessment results and providing an annual schedule for auditing cybersecurity measures, with 100% assessment of security measures required every three years.

He also listed annual testing of at least two objectives of the Cybersecurity Incident Response Plan (CIRP), involving relevant individuals identified in the plan, and maintaining existing requirements, such as reporting significant cybersecurity incidents to CISA, designating a cybersecurity point of contact, and conducting a cybersecurity vulnerability assessment (SD Pipeline 2021-01C).

Warner added that the newly introduced provisions mandate pipeline owners and operators take proactive steps to enhance their systems’ security and protect against potential cybersecurity threats in the oil and natural gas sector. “Despite the resource challenges, pipeline owners and operators understand the critical importance of strengthening their cybersecurity measures.”

He added that while the implementation may be demanding, it is essential to safeguard their systems against potential cyber threats in the oil and natural gas sector. “This calls for strategic planning and resource allocation to effectively address the new TSA SD requirements and enhance the overall security posture of these vital infrastructure systems.”

“The encouraging piece here is that it treats cyber strategy as something that needs to evolve. Most of the changes related to ensuring cybersecurity strategy and implementation are reviewed at least annually seem apparent, but it is a pretty impactful task,” Josh Thorngren, senior DevSecOps engineer at ForAllSecure, wrote in an emailed statement. “It’s easy to think about cybersecurity as ‘maintaining walls’ – a legacy of the era where we just cared about the perimeter is an acceptance and encouragement to play active defense instead. To continually update and reevaluate. It’s too early to tell the impact, but it’s incredibly encouraging to treat cyber as an evolving posture vs a fixed one.”