- The Transportation Security Administration on Thursday issued revised cybersecurity directives for oil and gas pipeline providers that are more focused on performance-based measures, following extensive input from federal regulators and private industry stakeholders in the wake of the May 2021 ransomware attack on Colonial Pipeline.
- The agency will require pipeline owners and operators to establish a cybersecurity implementation plan; develop an incident response plan to respond to attacks; and establish a longer-term assessment program to proactively test and audit cybersecurity measures.
- “The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” TSA Administrator David Pekoske said in the announcement. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.”
The industry previously pushed back on requirements issued during the immediate aftermath of the Colonial attack, which forced one of the nation’s largest oil pipelines to cease operations for almost a week.
Industry officials complained those regulations demanded too much of a one-size-fits-all approach and failed to offer the flexibility required by individual pipeline operators to maintain a secure operational technology environment.
“Since there are a multitude of ways a pipeline operator can set up its cybersecurity and pipeline system, any new security directive should allow the experts in the pipeline system — the operators — to determine the specific method of security to meet TSA’s objective,” the American Gas Association said last month.
The requirements are intended to ensure that TSA-specified owners and operators of pipelines and liquefied natural gas facilities take measures to prevent their systems from being degraded or disrupted in the event of a security incident. TSA wants these organizations to:
- Establish network segmentation policies and controls to make sure operational technology (OT) systems can continue to operate safely if an information technology system is compromised.
- Develop access control measures to prevent unauthorized access to critical cyber systems.
- Build continuous monitoring and detection procedures to detect threats and correct anomalies that could affect critical cyber operations.
- Apply security patches and updates to lower the risk of exploitation in operating systems, firmware, drivers and applications.