Network segmentation, MFA among cybersecurity measures laid down in TSA Security Directive for pipeline operators

The U.S. Transportation Security Administration (TSA) rolled out on Wednesday its updated Security Directive covering oil and natural gas pipeline cybersecurity, in its continued effort to reinforce cybersecurity preparedness and resilience for the nation’s critical pipelines. The agency uses this Security Directive to mandate TSA-specified owners/operators of pipeline and liquefied natural gas facilities to implement cybersecurity measures, in order to prevent disruption and degradation to their infrastructure. 

Released in the wake of ongoing cybersecurity threats to pipeline systems, the latest requirements, set out in Security Directive Pipeline-2021-02D, continue the SD Pipeline-2021-02 series; the new directive cancels and supersedes SD Pipeline-2021-02C, issued last July. These cybersecurity measures are set to expire on July 27, 2024.

When it came to the cybersecurity measures laid down by the TSA, the document stipulates that owners/operators must implement network segmentation policies and controls designed to prevent operational disruption to the OT (operational technology) system if the IT system is compromised, or vice versa. As applied to critical cyber systems, these policies and controls must include a list and description of IT and OT system interdependencies; all external connections to the OT system; and zone boundaries, including a description of how IT and OT are defined and organized into logical zones based on criticality, consequence, and operational necessity.

Additionally, the agency calls for the identification and description of measures for securing and defending zone boundaries, including security controls to prevent unauthorized communications between zones and to prohibit OT system services from traversing the IT system, unless the content of the OT system is encrypted while in transit.

It also calls for access control measures, covering local and remote access, to secure and prevent unauthorized access to critical cyber systems. These measures must include identification and authentication policies and procedures designed to prevent unauthorized access to critical cyber systems, and multi-factor authentication (MFA), or other logical and physical security controls that supplement password authentication to provide risk mitigation commensurate with MFA.

Other cybersecurity measures outlined by the TSA included policies and procedures to manage access rights based on the principles of least privilege and separation of duties; enforcement of standards that limit availability and use of shared accounts to those that are critical for operations, and then only if absolutely necessary. 

When the owner/operator uses shared accounts for operational purposes, the policies and procedures must ensure access to shared accounts is limited through account management that uses principles of least privilege and separation of duties; and individuals who no longer need access do not have knowledge of the password necessary to access the shared account. It also put forward a schedule for review of existing domain trust relationships to ensure their necessity and policies to manage domain trusts.

The TSA recommends implementing continuous monitoring and detection policies and procedures that are designed to prevent, detect, and respond to cybersecurity threats and anomalies affecting critical cyber systems. 

These cybersecurity measures cover capabilities to prevent malicious emails, such as spam and phishing emails, from adversely impacting operations; prohibit ingress and egress communications with known or suspected malicious Internet Protocol (IP) addresses; control the impact of known or suspected malicious web domains or web applications; block and prevent unauthorized code, including macro scripts, from executing; and monitor and/or block connections from known or suspected malicious command and control servers. 

It also prescribed procedures to audit unauthorized access to internet domains and addresses; document and audit any communications between the OT system and an external system that deviate from the owner/operator’s identified baseline of communications; identify and respond to execution of unauthorized code, including macro scripts; and implement capabilities (such as Security Orchestration, Automation, and Response, or SOAR) to define, prioritize, and drive standardized incident response activities.
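The zone-boundary controls and the OT-to-external baseline audit described above, as an added example (not part of the directive or of this article): a Python check over constructed flow records that assumes a CIDR-based zone map, a baseline of approved (source zone, destination zone, port, protocol) tuples, and an `encrypted` flag on each record; the addresses, zones and baseline are constructed sample data.

```python
import ipaddress

# Constructed zone map (IT, OT, DMZ); any other address is treated as EXTERNAL.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
    "DMZ": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed baseline of approved cross-zone communications:
# (src_zone, dst_zone, dst_port, protocol).
BASELINE = {
    ("OT", "DMZ", 4840, "tcp"),      # OPC UA from OT to the DMZ historian
    ("IT", "DMZ", 443, "tcp"),       # IT reads the historian over HTTPS
    ("OT", "EXTERNAL", 123, "udp"),  # NTP from OT to an approved time source
}

def zone_of(ip: str) -> str:
    """Map an address to its zone name; unknown ranges are EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def check_flows(flows: list[dict], baseline=BASELINE) -> list[dict]:
    """Return one finding per cross-zone flow that violates the policy."""
    findings = []
    for f in flows:
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        if src == dst:
            continue  # intra-zone traffic is outside this check
        key = (src, dst, f["dport"], f["proto"])
        if {src, dst} == {"OT", "IT"} and not f.get("encrypted", False):
            # OT content crossing the IT zone must be encrypted in transit.
            findings.append({"flow": f, "reason": "ot-it-unencrypted"})
        elif key not in baseline and {src, dst} == {"OT", "EXTERNAL"}:
            # Deviation from the documented OT<->external baseline: audit item.
            findings.append({"flow": f, "reason": "ot-external-baseline-deviation"})
        elif key not in baseline:
            findings.append({"flow": f, "reason": "unauthorized-cross-zone"})
    return findings

# Constructed sample flows: one baselined, one unencrypted OT->IT, one OT->external
SAMPLE_FLOWS = [
    {"src": "10.20.1.5", "dst": "10.30.0.10", "dport": 4840, "proto": "tcp"},
    {"src": "10.20.1.5", "dst": "10.10.4.2", "dport": 502, "proto": "tcp"},
    {"src": "10.20.1.7", "dst": "203.0.113.9", "dport": 443, "proto": "tcp"},
    {"src": "10.10.4.2", "dst": "10.20.1.5", "dport": 22, "proto": "tcp", "encrypted": True},
]
```

Running `check_flows(SAMPLE_FLOWS)` yields three findings: the unencrypted OT-to-IT Modbus flow, the undocumented OT-to-external HTTPS flow, and an encrypted but unbaselined IT-to-OT SSH flow.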

TSA also laid down logging policies that require continuous collection and analysis of data for potential intrusions and anomalous behavior, and ensure data is maintained for sufficient periods to allow for effective investigation of cybersecurity incidents. Additionally, it requires mitigation measures or manual controls to ensure industrial control systems (ICS) can be isolated when a cybersecurity incident in the IT system creates a risk to the safety and reliability of the OT system.

The agency proposed to reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems consistent with the owner’s/operator’s risk-based methodology. 

These measures must include a patch management strategy that ensures all critical security patches and updates on critical cyber systems are current. The strategy must also include the risk methodology for categorizing and determining the criticality of patches and updates; an implementation timeline based on categorization and criticality; and prioritization of all security patches and updates listed in CISA’s Known Exploited Vulnerabilities Catalog.

Additionally, the TSA outlined that if the owner/operator cannot apply patches and updates on specific OT systems without causing severe degradation of operational capability to meet necessary capacity, the patch management strategy must include a description and timeline of additional mitigations that address the risk created by not installing the patch or update.

The agency also outlined owners/operators must have an up-to-date cybersecurity incident response plan for the critical cyber systems that include measures to reduce the risk of operational disruption or the risk of other significant impacts on necessary capacity, should their pipeline or facility experience a cybersecurity incident. 

The Cybersecurity Incident Response Plan must provide specific measures sufficient to ensure prompt containment of the infected server or device and segregation of the infected network (or devices) so that malicious code does not spread, by, as necessary: segregating (removing from the network) the infected device(s); preserving volatile memory by collecting a forensic memory image of affected device(s) before powering off or moving them; and isolating and securing all infected and potentially infected devices, making sure to clearly label any equipment that has been affected by malicious code.

The agency also stipulated measures for the security and integrity of backed-up data, including measures to secure backups, store backup data separate from the system, and procedures to ensure that the backup data is free of known malicious code when the backup is made and when tested for restoral. The plan must also establish capability and governance for isolating the IT and OT systems in the event of a cybersecurity incident that results in, or could result in, operational disruption.

TSA also laid down that the Cybersecurity Incident Response Plan must identify who (by position) is responsible for implementing the specific measures in the Incident Response Plan and any necessary resources needed to implement the measures.

The security directive also said that the owner/operator must develop a Cybersecurity Assessment Plan for proactively assessing critical cyber systems to ascertain the effectiveness of cybersecurity measures and to identify and resolve device, network, and/or system vulnerabilities.

The Cybersecurity Assessment Plan must assess the effectiveness of the Owner/Operator’s TSA-approved Cybersecurity Implementation Plan; and include a cybersecurity architecture design review at least once every two years that includes verification and validation of network traffic and system log review and analysis to identify cybersecurity vulnerabilities related to network design, configuration, and inter-connectivity to internal and external systems. It must also incorporate other assessment capabilities, such as penetration testing of IT systems and the use of ‘red’ and ‘purple’ team (adversarial perspective) testing.

The security directive also includes a schedule for assessing and auditing specific cybersecurity measures and/or actions. The schedule must ensure at least 30 percent of the policies, procedures, measures, and capabilities in the TSA-approved Cybersecurity Implementation Plan are assessed each year, with 100 percent assessed over any three-year period. It also advises ensuring a Cybersecurity Assessment Plan annual report of the results of assessments conducted in accordance with the Cybersecurity Assessment Plan is submitted to TSA. 

The required report must indicate which assessment method(s) were used to determine whether the policies, procedures, and capabilities described by the owner/operator in its Cybersecurity Implementation Plan are effective; and the results of the individual assessments conducted. 

Furthermore, the owner/operator must review and update their Cybersecurity Assessment Plan on an annual basis and submit it to TSA for approval no later than 12 months from the date of the previous Cybersecurity Assessment Plan submission or TSA’s approval of the previous plan. The Cybersecurity Assessment Plan report must be submitted on an annual basis to TSA no later than 12 months from the date of the previous Cybersecurity Assessment Plan submission or TSA’s approval of the previous plan. The annual report covers assessments conducted in the previous 12 months.

In May of this year, on the second anniversary of the Colonial Pipeline ransomware attack, CISA referred to the event as a ‘watershed moment’ in the relatively short but turbulent history of cybersecurity. The incident brought attention to the vulnerability of critical infrastructure systems in the U.S. It also raised concerns about the escalating threat of ransomware attacks, especially those targeting critical systems, and emphasized the importance of implementing enhanced cybersecurity measures to safeguard against such attacks.
