In 2021, the oil and gas pipeline industry was the target of a large-scale cybersecurity attack. It was so big that people were flocking to gas stations in a panic, afraid that they might not be able to get fuel for some time. This was one of the first times that an incident of this kind was known nationwide, and it made many people aware of the importance of cybersecurity. A single attack can cause an entire country to question whether its way of life will be impacted.
Colonial Pipeline is the biggest oil pipeline in America. It was hit with a ransomware attack that caused it to shut down for nearly a week. The hackers demanded a large sum of money in exchange for releasing the systems. Even after the ransom had been paid, it still took a few days to get everything running again. Because of the panic buying of gas, the president declared a state of emergency to keep the supply lines of other pipelines open.
Because of this huge cybersecurity attack, lawmakers and the Transportation Security Administration (TSA) began work on new cybersecurity rules that pipeline owners and operators must follow. This new directive, Security Directive Pipeline-2021-02C (SD02C), was developed and put into place in July 2022. The government gave pipeline operators time to adjust to the new compliance terms, but enforcement is becoming increasingly strict at this point.
The cybersecurity portion of the directive is an important one. While the directive covers other areas of regulation, it points out specific cybersecurity requirements. Here are a few of the important ones:
- Identify the owner/operator’s Critical Cyber Systems, which simply means that every computer and information technology asset is known. These are the systems that, if compromised, could result in operational disruption.
- Implement network segmentation policies and controls that prevent disruption to these cyber systems. This includes a list and description of IT and OT system interdependencies, all external access points to the systems, and the details of each zone. This point also requires identifying the measures taken to defend those zones.
- Implement access control measures for local and remote access that prevent unauthorized access to IT and OT systems. These include passwords and reset schedules, multi-factor authentication, policies and procedures for access, enforcement of standards, and a schedule for reviewing existing domain trust relationships.
- Implement continuous monitoring and detection policies and procedures designed to detect, prevent, and respond to cybersecurity threats and attacks. These include the capability to block malicious emails and unauthorized website activity, as well as procedures for auditing unauthorized access, documenting and auditing communications, and defining incident responses.
- Reduce the risk of exploitation of unpatched systems by applying security patches and updates for operating systems, applications, drivers, and firmware. Where a patch has not yet been applied, there must be a timeline for its eventual implementation.
- Develop and maintain a Cybersecurity Incident Response Plan. This is a document describing the measures that would be taken in the event of a cybersecurity attack or natural disaster.
- Develop and maintain a Cybersecurity Assessment Program that proactively assesses and audits cybersecurity measures. It assesses the effectiveness of the Implementation Plan, includes an architectural design review, and incorporates other capabilities such as penetration testing. Additionally, owners and operators must submit their annual plan to the TSA.
It might seem like a lot, but all of these points can be accomplished through a few services from a third-party cybersecurity firm. The government is becoming increasingly aware of the growing cyber threats across the world. The Colonial Pipeline incident was only one such attack, and more are happening every day. While it might seem like an inconvenience, cybersecurity is a crucial part of keeping a business running.
New compliance regulation can be a lot for anyone. Financial institutions like banks and credit unions have been doing these things for years, and the government is steadily rolling out more legislation for other industries as well, since many of them are a matter of national security. Fortunately, there are experienced people who can assist with these new requirements. As mentioned, plenty of cybersecurity firms offer a few services that cover all of these points.
The IT/OT security audit is probably the biggest portion of the cybersecurity directive. The purpose of an IT/OT security audit is to formally verify the security of the controls in a system. Usually, security analysts work with the institution to collect evidence showing whether or not a given measure is in place. There is also management software that helps with these things and covers most of the requirements given in the directive.
A penetration test is an important factor in any cybersecurity defense. This is the manual exploitation of vulnerabilities that may exist in a system or application. Penetration tests come in a few different forms, including internal, external, and wireless network tests. The requirements mention “red” and “purple” team tests, which are different methods by which a third party simulates attacks.
Not only can some cybersecurity firms help a business create a Cybersecurity Incident Response Plan, but they can help you test that plan as well, bolstering its effectiveness. After the plan is created, security analysts will work with you to simulate a disaster or attack and go through each step of the plan to see what works and what doesn’t; this is known as a tabletop exercise.
A simulated attack will reveal the flaws in a system, or the lack of them, and social engineering is part of that. The biggest losses can come from human error, so third-party cybersecurity firms can simulate phishing, vishing, and smishing scenarios. Not only do these test the filters already in place, but they also reveal lapses in employee security awareness. There are also plenty of scenarios that can play out onsite, so those are worth keeping in mind as well.
While the Transportation Security Administration directive covers a wide scope, there are a few other things that can be done to make systems more secure. These include vulnerability assessments, security education and awareness training, and policy and procedure management. When it comes to cybersecurity, one can’t be too careful given the growing threats in the world.
The Colonial Pipeline hack of 2021 was the biggest cyberattack on any oil and gas pipeline. A ransomware attack shut down the largest pipeline in America, causing mass panic across the nation. People were afraid that the country would run out of gas, leaving them stranded with no way to continue their daily lives. While gasoline was not in danger of running out, the damage was done. The cybercriminals were able to disrupt an entire industry to get money.
In response, lawmakers and legislators drafted heavy cybersecurity requirements for pipeline owners and operators. These regulations came into effect in July 2022, and the government gave everyone a year to adjust to them. Now that the year has passed, examiners will increasingly be looking for these things. However, there are cybersecurity firms like TraceSecurity that can assist with all of the new requirements, making it easy to become compliant.
By Eddy Berry, Research Analyst
Eddy leads the cybersecurity compliance research at TraceSecurity. With new regulations being imposed every year, he spends time looking into the annual updates and requirements set forth by federal and state regulatory bodies. His goal is to take these regulations and make them both understandable and actionable for all types of organizations.