Top-10 Checklist for Oil & Gas Pipeline owners and operators to comply with the TSA’s Security Directives

May 4, 2022

To combat the increasing number of cyber attacks targeting critical infrastructure, the Department of Homeland Security's Transportation Security Administration (TSA) issued two security directives in 2021 to raise the security posture of owners and operators of gas and liquid pipelines in the USA. The TSA guidelines apply to operational oil and natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied natural gas facility operators.

TSA's second Security Directive, issued in July 2021, expanded on the requirements of its first directive from May 2021 and detailed the following compliance requirements for pipeline owners and operators:

  • Implement the specific mitigation measures detailed in the July 2021 security directive to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems;
  • Develop and implement a cybersecurity contingency and response plan;
  • Undergo an annual cybersecurity architecture design review.

This second Security Directive emphasized the need to invest in security solutions that can truly protect assets, showing a heightened focus on prevention rather than only detection and response. It was developed by TSA in coordination with CISA and incorporates mitigation strategies based on lessons from recent attacks.

Here is the top-10 checklist for pipeline owners and operators to ensure you have met the mitigation measures specified in the TSA Security Directive for your OT and IT environments:

  1. Implement multi-factor authentication (MFA) for all non-service accounts, compliant with NIST 800-63B standards.
  2. Organize access rights based on the principles of least privilege and separation of duties, also known as "zero trust". Ensure compliance with NIST 800-53.
  3. Establish and enforce group account policies, e.g. change the shared password when a member of the group leaves the organization.
  4. Remove all trust relationships, such as shared identity stores, between IT and OT systems. Separate and dedicated identity providers must be implemented for IT and OT systems.
  5. Deploy segmentation to ensure OT systems can continue to operate in the event that IT system(s) are compromised.
  6. Control communication between OT systems and external systems.
  7. Block communications to known malicious external IP addresses, and employ filters to protect all users from malicious email traffic and websites.
  8. Implement a cybersecurity contingency and response plan so that infected systems can be isolated and IT and OT systems separated in the event of a security incident.
  9. Review and update log retention policies to ensure consistency with NIST standards for log management, securing the log management infrastructure, and the log data retention period.
  10. Stay up to date with all software patches and updates required for OT systems. Update anti-virus/anti-malware security software periodically.

Xage's solution provides key capabilities such as MFA and identity-based access management policies to enable the layered defense approach recommended in the TSA security directives. Xage is being deployed now by owners and operators of U.S. pipelines to help meet TSA compliance requirements, improve security posture, and defend against escalating cyber attacks.

Xage protects OT systems and OT-IT interconnections using identity-based access control for users, machines, apps, and sensitive data, without interruption, downtime, or changes to existing OT infrastructure. Xage enforces Zero Trust Access (ZTA) to secure operations and data from edge to core to cloud, overlaying and hardening existing Purdue-model-based security architectures.

Read our whitepaper to find out more details on how we can help pipeline owners and operators meet the TSA security directives.


The current model of enterprise security is incapable of protecting Industry 4.0, with its intermittently connected, heterogeneous devices and applications distributed across organizations and geographies. Today's centralized IT security paradigm needs to be replaced by cybersecurity that is distributed, flexible, and adaptive.