As the deadline for responses to TSA’s pipeline security directive approaches, oil and gas pipeline operators have remained close-lipped about their ability to comply – and hopeful that a second directive will clarify their obligations
U.S. pipeline companies are approaching the target date set by the Transportation Security Administration (TSA) for evaluating their cybersecurity postures and drawing up plans to address any deficiencies. As the deadline grows closer, however, oil and gas pipeline operators and owners are not saying much about their ability to comply with the new requirements – and are also waiting for TSA to clarify its expectations by issuing another policy directive.
TSA directive arose from Colonial Pipeline ransomware attack
Concerns about pipelines have figured heavily in U.S. government officials’ discussions about cybersecurity solutions for critical infrastructure since May 7, when the Georgia-based Colonial Pipeline was hit by a ransomware attack staged by DarkSide, a group alleged to have links to the Russian government. Although the incident paralyzed Colonial Pipeline’s information technology (IT) networks, it had no direct impact on operational technology (OT) networks. Nevertheless, the company shut all of its OT down as a precautionary measure, in order to prevent malware from spreading beyond IT networks.
This measure succeeded, insofar as it prevented the OT that Colonial Pipeline depends on to bring petroleum products to market from being infected by malware. But it also caused no small amount of disruption to the U.S. economy. The company’s pipelines pass through 13 states, and they carry close to half of all the gasoline, diesel, and jet fuel consumed in the Northeast, the most densely populated part of the country. As a result, the stoppage led to temporary shortages of motor and jet fuel in many areas. It also pushed gasoline prices above $3.00 per gallon.
Additionally, it raised serious concerns in Washington about foreign interference in critical U.S. infrastructure systems. These concerns led TSA to issue Security Directive Pipeline-2021-01, which took effect on May 27.
In that directive, the agency notified the owners and operators of gas and liquid pipelines and liquefied natural gas (LNG) facilities designated as critical of several new requirements. Specifically, it instructed the relevant companies to perform the following tasks:
- identify their cybersecurity coordinators to TSA
- report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA)
- assess their current cybersecurity postures by comparing their own plans and strategies for addressing risks and vulnerabilities against the recommendations in “Pipeline Security Guidelines,” a TSA guide published in March 2018 and updated in April 2021
- use a form provided by TSA to identify gaps between their own practices and TSA recommendations
- develop a remediation plan for any identified gaps
Additionally, the directive gave the companies involved 30 days to meet these requirements.
Minimal public response from industry players
The 30-day period is due to expire on June 27, and it’s not yet clear how many of the companies affected by the directive have carried out TSA’s instructions – or, for that matter, to what degree they have been able to do so.
Over the last week, Industrial Cyber has contacted the press departments of multiple U.S. pipeline operators (including Colonial Pipeline) to request information about their responses to the directive. Nearly all of those requests went unanswered, though one company did suggest reaching out to the Association of Oil Pipe Lines (AOPL), a trade association based in Washington, for comment.
AOPL did not shed much light on the matter. Instead, John Stoody, the group’s vice president for government and public relations, indicated to Industrial Cyber that U.S. government officials were likely to clarify their expectations soon. “There’s a strong possibility of newly breaking news from TSA in the next 24-plus hours that could change things significantly,” Stoody wrote in an email dated June 22.
Meanwhile, the American Petroleum Institute (API), a trade association that has issued guidelines for cybersecurity in the oil and gas industry, declined to comment directly on its member companies’ response to TSA’s instructions. Suzanne Lemieux, API’s manager of operations security and emergency response, said in a statement emailed to Industrial Cyber: “Our industry works continuously with policymakers to strengthen cybersecurity, which is an economy-wide issue that requires constant collaboration and information sharing between the public and private sector. API is supportive of TSA’s efforts to strengthen cyber-reporting and is working closely with the administration to develop incident reporting policies and procedures that best protect our critical infrastructure, including pipelines. Any regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation’s critical infrastructure.”
Feedback from security providers
OT security solutions providers, by contrast, were more forthcoming. They were not in a position to comment directly about how much progress pipeline companies might have made thus far, but they had more to say about the challenges facing such organizations.
For example, Chris Bihary, the co-founder and CEO of Garland Technology, which specializes in network test access point (TAP) visibility, described the 30-day deadline set by TSA as “definitely aggressive.” In a conversation with Industrial Cyber, he pointed out that pipeline owners and operators that had already taken steps to follow cybersecurity best practices before the Colonial Pipeline ransomware attack were likely to have an easier time upholding the agency’s expectation.
Bihary declined to generalize about the overall state of preparedness for cyberattacks among oil, gas, and fuel pipeline operators, saying: “It varies from company to company.” He indicated, though, that the TSA directive was likely to cause bigger problems for organizations that hadn’t taken the trouble to adopt robust security strategies. Companies in this position will not be able to meet requirements unless they commit to basic tasks, such as conducting walk-throughs of all their facilities in order to identify and track every component in their OT systems, he explained. This is likely to prove extremely time-consuming if the facilities in question are dispersed over a wide geographical area, he said. It’s also absolutely necessary since security providers such as Dragos, Nozomi, and Claroty need the packets, logs, inventories, and other basic information collected in this manner to offer effective protection, he added.
Meanwhile, Bill Lawrence, the CISO of the SecurityGate.io risk management SaaS (Software-as-a-Service) platform for industrial cybersecurity, highlighted his own company’s efforts to help the organizations involved convey the necessary information to TSA quickly and effectively. “SecurityGate.io integrated the TSA framework into our platform to help pipeline owners and operators complete this short-fused task in a digitally automated manner and complete this security directive before the deadline,” he told Industrial Cyber on June 21.
Lawrence was referring to his company’s announcement in a press release dated June 14 that it was making the cybersecurity assessment framework for critical pipeline owners and operators from TSA available outside its own platform. In that statement, SecurityGate.io said it had taken this step so that companies could carry out cybersecurity assessments more quickly. The framework is a good alternative to “time-consuming manual efforts that put them at risk of missing DHS’s 30-day response requirement,” it said.
Too soon to assess the impact of Security Directive Pipeline-2021-01
It’s difficult to say at this time exactly what impact the TSA directive is likely to have on the midstream oil and gas sector. The pipeline operators themselves have not said much about the new requirements – and, if Stoody’s statement is any indication, may wait to do so until TSA goes into more details about its expectations with respect to reporting of incidents and cooperation with federal authorities.
In other words, even as the deadline grows closer, oil and gas pipeline companies still don’t have much to say about whether they can comply with the new requirements, so they are waiting for TSA to clarify its expectations in another policy directive. As a result, it’s too soon to assess the impact of Security Directive Pipeline-2021-01.
According to Lawrence, the matter may become clearer over time, as federal agencies assess responses to new cybersecurity requirements. “Time will tell whether this directive will make immediate, positive impacts to pipeline cybersecurity,” he told Industrial Cyber. “Much will depend on what TSA and CISA decide to do with the information they’re gathering.”
In the meantime, Bihary said, the best thing for pipeline owners and operators to do is to seek out OT security solutions that provide the visibility needed to identify and address vulnerabilities. “If I had a magic wand I could wave and see every single packet that had ever been through a given network, I’d know where to focus my efforts,” he said. “The next best thing is to maximize visibility.”