The Path to Achieving TSA Pipeline Cybersecurity Directive Compliance

October 11, 2022

Colonial Pipeline CEO Joseph Blount had to make two difficult decisions on May 7, 2021, after a ransom note was discovered by an employee in a control-room computer. First, he acknowledged that the pipeline system that provides close to 45% of the fuel for the East Coast had to be shut down. Second, he authorized the $4.4 million ransom payment.

The core reason behind agreeing to send such a considerable amount of money to adversaries was the uncertainty surrounding the scope of the cyberattack. Which industrial sites were affected? How many systems were compromised? How many mission-critical computers were at risk of being compromised in the following hours?

Every organization knows now that a cybersecurity breach is inevitable. The lesson learned from the Colonial Pipeline incident is that becoming resilient to cyberattacks requires a high level of confidence in our capabilities to isolate, contain, and recover from cyber-attacks. This confidence is directly linked to gaining comprehensive visibility of network infrastructure and understanding of which devices can connect to which services.

TSA Pipeline Cybersecurity Directives

For two decades, TSA advocated for voluntary pipeline cybersecurity standards under the rationale that it enabled greater flexibility to protect against rapidly evolving cyber threats. In light of Colonial Pipeline incident, TSA administrators changed course by issuing Security Directive Pipeline-2021-01 on May 28, 2021, quickly followed by Security Directive Pipeline-2021-02 on July 26, 2021.

The first directive placed three mandatory requirements on pipeline owners and operators: 1) Report all cybersecurity incidents to CISA within 12 hours, 2) Designate a primary and alternative Cybersecurity Coordinator, at the corporate level, who is accessible 24/7 to TSA and CISA, and 3) Conduct a cybersecurity vulnerability assessment and provide a report of this assessment to TSA and CISA within 30 days.

The second directive added three mandatory requirements: 1) Implement immediate mitigation measures to protect against cyberattacks, 2) Develop a cybersecurity contingency and recovery plan, and 3) Conduct a cybersecurity architecture design review.

The industry reacted with concerns that the requirements issued in 2021 were not readily attainable for most pipeline owners and operators, which could incur severe financial penalties since failure to comply can lead up to fines as high as $11,904 per day, per violation.

Latest Security Directive and Upcoming Deadline

As a result, TSA engaged with cybersecurity experts and industry stakeholders during the 12 months that followed the initial two directives and decided to offer more flexibility to meet the intended security outcomes by transitioning to a performance-based approach.

The new requirements have been issued through Security Directive Pipeline-2021-02C on July 27, 2022. The new approach supersede previous directives and includes the following three core requirements:

  1. Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures employed and the schedule for achieving the outcomes described in Section III.A. through III.E of the directive.
  2. Develop and maintain an up-to-date Cybersecurity Incident Response Plan to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, as defined in the directive, should the Information and/or Operational Technology systems of a gas or liquid pipeline be affected by a cybersecurity incident (Section III.F. of the directive).
  3. Establish a Cybersecurity Assessment Program and submit an annual plan that describes how the Owner/Operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities (Section III.G. of the directive).

Pipeline owners and operators in scope of the latest security directive have 90 days to develop and submit their Cybersecurity Implementation Plan for review and approval. This means that by October 25, 2022, they have to create or adapt a detailed plan that covers critical cyber system identification, network segmentation and access control measures, continuous monitoring, and patch management.

How to Best Comply with the Directives

The new Security Directive details the following list of documentation to establish compliance:

  • Hardware/software asset inventory that includes the SCADA environment
  • Firewall rulesets and filtering policies
  • Network diagram including switch and router configurations
  • Documents that informed the development and implementation of the Cybersecurity Implementation Plan, the Cybersecurity Incident Response Plan, and the Cybersecurity Assessment Program
  • Snapshot activity data including log files and up to 24 hours of network traffic capture

It’s recommended that pipeline security and compliance teams leverage this list as a starting point and walk backward to assess the gap between the information they currently have available and the expected deliverables from TSA. The fastest way to produce accurate network diagrams and comprehensive firewall rulesets and filtering policies under such a tight deadline is to use network modeling technology.

Network modeling – or dynamic network representation – means proactively understanding which assets can connect to which services by building a model of the network using the configurations of OT firewall and router devices. It provides accurate, instant visibility of the network architecture and enables risk assessment without having to deploy any sensor nor agent in the environment.

The Importance of OT Network Security

The increasing complexity of industrial control systems and the growing size of the network infrastructure that support critical operations mean that OT cybersecurity for the pipeline industry is now more important than ever, not only to pipeline operators, but to all citizens.

As shown by high-profile cyber incidents, the level of sophistication of attack techniques indicate that it is not realistic to build perfect protection. Instead, organizations have to invest in developing cyber resiliency by implementing the building blocks to keep operating despite being under threat. A foundational building block is to gain and maintain comprehensive visibility over network and critical assets.

Source: Pipeline & Gas Journal, Author: CEO & Co-Founder of Network Perception, Robin Berthier