To combat the increasing number of cyber attacks targeted at critical infrastructure, the Department of Homeland Security’s Transportation Security Administration (TSA) has issued a series of security directives that have been regularly updated from 2021-23 to increase security posture of owners and operators of gas and liquid pipelines in the USA. The TSA guidelines are applicable to operational oil and natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied natural gas facility operators.
Most recently, TSA’s directive Security Directive Pipeline-2021-02D was renewed as of July 26, 2023, superseding previous versions in a continuation of the series of Pipeline Security Directives first published in July 2021. The renewed security directive takes a performance-based approach to enhancing security, allowing operators to leverage new technologies and be adaptive to changing environments to achieve the ultimate objective of cyber hardening critical Operational Technology (OT) and IT systems. The July 2023 updates to the directive are focused on testing and auditing of the cybersecurity measures required in the initial versions of the directive. The updates require pipeline operators to:
- Annually submit an updated Cybersecurity Assessment Plan to TSA for review and approval.
- Annually report the results from previous year assessments, with a schedule for assessing and auditing specific cybersecurity measures for effectiveness. TSA requires 100% of an owner/ operator’s security measures be assessed every three years.
- According to the updated security directive, the five CIRP objectives identified by TSA for pipeline operators are containment, segregation, secure access to critical systems, integrity of backup data, and isolation of IT from OT systems. The directive requires that operators must test at least two of these Cybersecurity Incident Response Plan (CIRP) objectives, and report the findings to TSA each year.
Top 10 Checklist to Comply with the TSA Pipeline Cybersecurity Measures
Here is the top-10 checklist to comply with the cybersecurity measures specified in the July 2023 update of the directive (Security Directive Pipeline-2021-02D):
Step 1: Identity the Critical Cyber Systems
TSA states that “Critical Cyber System means any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption. Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.”
Step 2: Implement Access Control Measures
Implement access control measures, including for local and remote access, to secure and prevent unauthorized access to critical cyber systems:
- Policies and procedures are required to manage access rights based on the principles of least privilege and separation of duties.
- A schedule for required static password resets, or mitigation measures for critical cyber systems that will not have passwords reset periodically.
- Limit access to shared accounts and ensure individuals who no longer need access do not have knowledge of the password necessary to access the shared account.
Step 3: Implement Multi-factor authentication
Multi-factor authentication or compensating controls that supplement password authentication to provide risk mitigation and protect critical cyber systems.
Step 4: Implement Network Segmentation Policies and Controls
Implement network segmentation policies and controls designed to prevent operational disruption to the OT system if the IT system is compromised, or vice versa.
Step 5: Secure and Defend Zone Boundaries
Secure and defend zone boundaries, use secure conduits between zones, prevent unauthorized communications between zones, and prohibit OT system services from traversing the IT system, unless the content from the OT system is encrypted while in transit.
- Assure the Integrity of Backup Data. Assure that any systems that must be restored from backup due to compromise or potential unauthorized access can be confidently restored from integrity-verified backup data.
Step 6: Review existing Domain Trust Relationships
Schedule for review of existing domain trust relationships to ensure their necessity and policies to manage domain trusts.
Step 7: Implement Threat Monitoring Capabilities
- Prevent malicious email, known or suspected malicious web domains or web applications, unauthorized code, as well as connections from known or suspected malicious command and control servers.
- Prohibit ingress and egress communications with known or suspected malicious Internet Protocol addresses.
Step 8: Develop a Patch Management Strategy including Mitigation Controls for Unpatched Systems
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates on critical cyber systems consistent with the owner/operator’s risk-based methodology.
- If the operator cannot apply patches/updates to specific OT systems (e.g. legacy OT systems) then it needs to disclose the plan & timeline to implement additional mitigations that address risk due to unpatched systems.
Step 9: Develop and maintain a Cybersecurity Incident Response Plan
Owner/Operator must have an up-to-date cybersecurity incident response plan for critical cyber systems that include measures to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, should their pipeline or facility experience a cybersecurity incident.
Step 10: Develop a Cybersecurity Assessment Plan
Develop a Cybersecurity Assessment Plan (formerly referred to as a Cybersecurity Assessment Program in earlier versions of the directive) for proactively assessing and auditing cybersecurity measures. This includes architectural design review once every two years as well as incorporating other assessment capabilities (e.g. penetration testing).
How can Xage help you comply with the TSA Pipeline Security Directives?
Xage is currently in deployment by the owners and operators of pipelines to comply with TSA requirements, improve security posture, and defend against escalating cyber attacks. The Xage Fabric has a number of key capabilities that meet or exceed TSA cybersecurity requirements. This includes identity & access management for local and remote access policy enforcement, multi-factor authentication (MFA) for OT assets, network segmentation controls, secure tamperproof and encrypted conduits between zones, and OT asset discovery & visibility.
The Xage Fabric is implemented via a cybersecurity mesh approach to ensure high availability for operations. Further, it does not require “ripping and replacing” of existing operational technology to comply with TSA directives. For example, Xage provides compensating controls to comply with TSA’s access control measures when OT assets do not have the native capabilities to implement MFA, password resets, or enforcement of access rights based on the principles of least privilege.
You can learn more by reading our latest whitepaper. Our whitepaper offers more details on how Xage can help pipeline owners and operators meet the TSA security directives.
Read our whitepaper to find out more details on how we can help pipeline owners and operators meet the TSA security directives.