The Transportation Security Administration officially unveiled revised cybersecurity guidelines for oil and gas pipelines on Thursday after significant backlash from industry, lawmakers and experts.
Word of the changes leaked last month and caused a stir, reviving harsh criticism of the original guidelines, which were released in July 2021 following the ransomware attack on Colonial Pipeline that made headlines that May.
The first directive required owners and operators of critical pipelines to report cybersecurity incidents, appoint a cybersecurity coordinator, and perform vulnerability assessments. The re-issued security directive increased the time for reporting incidents from 12 to 24 hours.
In July 2021, the TSA said it had worked with the Cybersecurity and Infrastructure Security Agency (CISA) on a second directive containing more “technical countermeasures” designed to address threats the agencies had uncovered during their review of the pipeline industry.
Details have not been made public, but the TSA said last year that the directive required owners to “implement specific mitigations to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
Critical infrastructure cybersecurity experts like SynSaber CTO Ron Fabela told The Record that the TSA’s second directive was “an alphabet soup of buzzwords (zero trust, MFA) and security requirements,” a “kitchen sink that just didn’t apply to pipeline environments.”
On Thursday, the TSA said the new, revised guidance was developed “with broad input from industry stakeholders and federal partners” like CISA.
The new guidance extends cybersecurity requirements for an additional year and, according to the TSA, “focuses on performance-based — rather than prescriptive — measures to achieve critical cybersecurity outcomes.”
Operators and pipeline owners are required to develop network segmentation policies and controls to ensure that operational technology (OT) systems can continue to operate safely even if information technology (IT) systems are compromised, and vice versa.
Access control measures will need to be created to secure critical cyber systems against unauthorized access, and continuous monitoring and detection policies will need to be developed to “detect cybersecurity threats and remediate anomalies.”
There are also general requirements in the directive ordering operators to apply security patches and updates for all “operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
The directive also states that pipeline operators must create a TSA-approved cybersecurity implementation plan outlining how the company plans to enact the measures in the revised rules.
Operators are also required to create an incident response plan and an assessment program to “proactively test and regularly audit the effectiveness of cybersecurity measures and identify and address vulnerabilities within devices, networks, and systems.”
The TSA noted that the revised rules are in addition to the regulations outlined in the first directive, which include the requirements to report significant cybersecurity incidents to CISA, establish a cybersecurity point of contact, and conduct a cybersecurity vulnerability assessment.
TSA Administrator David Pekoske said the TSA has worked extensively with the oil and gas pipeline industry on the guidelines and established a “new model that adapts to variations in systems and operations to meet our security requirements,” addressing one of the top complaints from experts.
“We recognize that every business is different, and we have developed an approach that takes this fact into account, supported by ongoing monitoring and auditing to assess achievement of the necessary cybersecurity outcomes,” Pekoske said. “We will continue to work with our partners in the transportation sector to increase cybersecurity resilience across the system and recognize the important work done over the past year to protect this critical infrastructure.”
Pipeline threats have ‘evolved and intensified’
The TSA noted that since the attack on Colonial Pipeline, threats of cyberattacks against the oil and gas industry have “evolved and intensified,” making it a national security priority to increase “public and private collaboration.”
Duncan Greatwood, CEO of cybersecurity firm Xage, said that having seen specific draft provisions of the directive, he observed the TSA doubling down in certain areas, such as access control and identity management for critical infrastructure systems, while relaxing rules in others, such as incident notification deadlines.
“The TSA asserts that any piece of critical infrastructure that lacks strong failsafes (which often make up the majority of operational assets) will not need to be uprooted. Instead, these critical assets will need ‘compensating controls’ to protect them – in other words, a way to protect vulnerable assets that compensates for their lack of built-in security capabilities,” Greatwood said.
Greatwood added that a few months ago the TSA approved a compensating control for one of the largest oil and gas pipeline operators in North America. The operator adopted access controls through a mesh overlay, allowing it to deploy a zero-trust solution to more than 750 sites without any impact on its more than 5,000 existing operational technology assets, he explained.
For Greatwood, the approval of this strategy “demonstrated the TSA’s willingness to evaluate and approve compensating controls that achieve this ultimate goal of cyber-hardening oil and gas pipeline infrastructure.”
“We work with some of the largest pipeline operators in the United States, and overall they see this pending update as a cyber hardening accelerator, not an indication that they can sit back and relax,” Greatwood explained.
NetRise CEO Thomas Pace said the measures that stood out to him were those around patching firmware vulnerabilities on critical cyber systems.
Many oil and gas operators lack visibility into the firmware actually running on their extended internet of things (XIoT) systems, let alone the vulnerabilities those devices harbor, Pace said.
“Unlike computer systems, XIoT devices often carry a variety of vulnerabilities unknown to both the operators who run them and the manufacturers who build them,” he said, adding that the TSA and CISA need to create more information sharing through a required software bill of materials (SBOM) “to make sure everyone’s eyes are wide open.”