To combat the increasing number of cyberattacks targeted at critical infrastructure, the Department of Homeland Security’s Transportation Security Administration (TSA) issued three directives in 2021-22. The TSA guidelines aim to increase the security posture of the owners and operators of US-based gas and liquid pipelines. The guidelines are applicable to operational oil, natural gas, and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied natural gas facility operators.
The TSA’s third directive (Security Directive Pipeline-2021-02C) is effective as of July 27, 2022 and supersedes the TSA’s second Pipeline Security Directive published in July 2021. The reissued security directive takes a performance-based approach to enhancing security, allowing operators to leverage new technologies and adapt to changing environments to achieve the ultimate objective of cyber hardening critical Operational Technology (OT) and IT systems.
Top 10 Checklist to comply with the TSA Cybersecurity Measures
The following is a top 10 checklist on how to comply with the cybersecurity measures specified in the third TSA directive (Security Directive Pipeline-2021-02C).
Step 1: Identity the Critical Cyber Systems
TSA states that “Critical Cyber System means any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption. Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.”
Step 2: Implement Access Control Measures
Implement access control measures, including for local and remote access, to secure and prevent unauthorized access to critical cyber systems:
- Policies and procedures are required to manage access rights based on the principles of least privilege and separation of duties.
- A schedule for required static password resets, or mitigation measures for critical cyber systems that will not have passwords reset periodically.
- Limit access to shared accounts and ensure individuals who no longer need access do not have knowledge of the password necessary to access the shared account.
Step 3: Implement Multi-factor authentication
Multi-factor authentication or compensating controls that supplement password authentication to provide risk mitigation and protect critical cyber systems.
Step 4: Implement Network Segmentation Policies and Controls
Implement network segmentation policies and controls designed to prevent operational disruption to the OT system if the IT system is compromised, or vice versa.
Step 5: Secure and Defend Zone Boundaries
Secure and defend zone boundaries, use secure conduits between zones, prevent unauthorized communications between zones, and prohibit OT system services from traversing the IT system, unless the content from the OT system is encrypted while in transit.
Step 6: Review existing Domain Trust Relationships
Schedule for review of existing domain trust relationships to ensure their necessity and policies to manage domain trusts.
Step 7: Implement Threat Monitoring Capabilities
- Prevent malicious email, known or suspected malicious web domains or web applications, unauthorized code, as well as connections from known or suspected malicious command and control servers.
- Prohibit ingress and egress communications with known or suspected malicious Internet Protocol addresses.
Step 8: Develop a Patch Management Strategy including Mitigation Controls for Unpatched Systems
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates on critical cyber systems consistent with the owner/operator’s risk-based methodology.
- If the operator cannot apply patches/updates to specific OT systems (e.g. legacy OT systems) then it needs to disclose the plan & timeline to implement additional mitigations that address risk due to unpatched systems.
Step 9: Develop and maintain a Cybersecurity Incident Response Plan
Owner/Operator must have an up-to-date cybersecurity incident response plan for critical cyber systems that include measures to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, should their pipeline or facility experience a cybersecurity incident.
Step 10: Develop a Cybersecurity Assessment Program
Develop a Cybersecurity Assessment Program for proactively assessing and auditing cybersecurity measures. This includes an architectural design review once every two years, as well as incorporating other assessment capabilities (e.g., penetration testing).
How can Xage help you comply with the TSA Security Directives?
Xage is currently in deployment by the owners and operators of pipelines to comply with TSA requirements, improve security posture, and defend against escalating cyber attacks. The Xage Fabric has a number of key capabilities that meet or exceed TSA cybersecurity requirements. This includes identity & access management for local and remote access policy enforcement, multi-factor authentication (MFA) for OT assets, network segmentation controls, secure tamperproof and encrypted conduits between zones, and OT asset discovery & visibility.
The Xage Fabric is implemented via a cybersecurity mesh approach to ensure high availability for operations. Further, it does not require “ripping and replacing” of existing operational technology to comply with TSA directives. For example, Xage provides compensating controls to comply with TSA’s access control measures when OT assets do not have the native capabilities to implement MFA, password resets, or enforcement of access rights based on the principles of least privilege.
You can learn more by reading our latest whitepaper. Our whitepaper offers more details on how Xage can help pipeline owners and operators meet the TSA security directives.
Read our whitepaper to find out more details on how we can help pipeline owners and operators meet the TSA security directives.