The Transportation Security Administration (TSA) in the US has revised and reissued its oil and natural gas pipeline cybersecurity directive for pipeline owners and operators.
Its original directive was issued in July 2021 in the wake of the 7 May 2021 ransomware attack that shut down the Colonial Pipeline, which carries 45% of the fuel needs of the east coast of the US. The pipeline returned to normal service on 15 May 2021 after widespread fuel shortages. The US Department of Justice later retrieved some of the ransom paid. The new requirements have been developed in collaboration with industry stakeholders and federal partners including the Department’s Cybersecurity and Infrastructure Security Agency (CISA).
The revised requirements are performance-based, rather than prescriptive, allowing companies to use new technologies and adapt to circumstances. To avoid disruption and degradation to their infrastructure, pipeline owners and operators must develop network segmentation policies, create access control measures to prevent unauthorised access to critical cyber systems, build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies, and ensure security patches and updates are regularly installed.
In addition, owners and operators must establish a cybersecurity implementation plan approved by TSA, develop and maintain a cybersecurity incident response plan, and establish a cybersecurity assessment programme to ‘proactively’ test systems and resolve weaknesses.
The new requirements are in addition to the existing obligations to report significant cybersecurity incidents to CISA, establish a cybersecurity point of contact and conduct an annual cybersecurity vulnerability assessment. TSA says that the new security directive will help to mitigate evolving cybersecurity threats. TSA will begin a formal rulemaking process to allow the public to make comments.
‘TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,’ says TSA administrator David Pekoske. ‘We recognise that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.’
The American Petroleum Institute (API) also publishes a pipeline cybersecurity standard, the most recent edition coming out in August 2021.