
TSA Security Directives and What They Mean for OT

July 18, 2024

In the wake of the Colonial Pipeline attack, there was much speculation about the extent to which critical infrastructure cybersecurity might be regulated. Since then, the question has been resoundingly answered by a series of security directives from TSA requiring everything from in-depth vulnerability assessments and incident response plans to reporting breaches to CISA. And while the debate continues about whether it’s feasible for operators to implement the mandated changes, any organization subject to the directives now must comply with them.

Who’s Affected?

A number of directives have been released and subsequently updated since 2021, each applying to different industries and organizations. First came a series of regulations for oil pipelines, followed by more for the rail and aviation sectors.

The TSA is the designated Security and Risk Management Agency (SRMA) covering these and other critical infrastructure sectors. Each of the 16 critical infrastructure sectors identified by CISA has a federal agency assigned as its SRMA. Currently, the TSA has made broader strides than any other SRMA in creating cybersecurity guidelines and requirements for the industries it covers.

What It Means for OT

Operational technology (OT), Industrial Control Systems (ICS), and Cyberphysical Systems (CPS) all have a heavy presence in critical infrastructure industries. These technologies are an important part of the cybersecurity landscape in critical infrastructure.

Defending operational technology involves unique challenges. OT systems are distributed, spread across tens or hundreds of locations or subsystems, sometimes with intermittent outside network connectivity. Industrial systems and networks are designed using the Purdue reference model, isolating different layers in the system’s architecture for cyber defense. But as businesses and their operations evolve, they have spread across enterprise systems, cloud services, and ecosystem partners, often bypassing the careful layers of the Purdue model.

OT operations now consist of thousands of communication points over a large number of protocols. Interactions occur both machine-to-machine and human-to-machine, including access from many personas that are not part of the core organization, such as vendor technicians, contractors, and more.

The combination of legacy technologies, unique connection patterns, and increasing cyberattacks against critical infrastructure makes OT security an urgent topic. The U.S. Government has tracked what are believed to be nation-state adversaries, dubbed Volt Typhoon, stealthily living off the land in U.S. critical infrastructure assets. As these vulnerable environments are increasingly targeted both for profit and geopolitical leverage, the stakes for protecting critical infrastructure are going up.

As an additional resource for critical infrastructure organizations hoping to shore up their security, CISA has published the Cross Sector Cybersecurity Performance Goals (CPGs), highlighting the security controls these sectors should pursue to protect themselves against advanced threats. Here’s our Top 10 CISA CPG checklist for a quick view of what the guidelines contain, and how to achieve them.

What Changes Are Required by The TSA?

The four core requirements of the directives:

  1. Network segmentation, especially in the context of keeping OT separate and secure even if IT systems are compromised.
  2. Controlled access to prevent unauthorized access.
  3. Monitoring and detection.
  4. Vulnerability management to prevent unpatched vulnerabilities from enabling bad actors.

How Xage Can Help

Xage lets you meet TSA requirements without having to rely on multiple point solutions. The Xage Fabric approach eliminates the need to rip and replace any existing OT to rapidly comply with TSA directives. Xage can be deployed quickly and easily to comply with TSA requirements, improve security posture, and defend against escalating cyberattacks targeting critical infrastructure.

Xage provides Zero Trust Access (ZTA) to secure all the interactions in, out, and across operational, enterprise, and cloud environments. Xage creates policies that set an identity-based perimeter around each user, app, device, machine, and data stream. That policy is then enforced anywhere without having to change existing assets or networks.

Xage provides the required technical controls for protection, monitoring, and response across the entire operation to comply with the TSA security directives. Specifically, Xage provides the following capabilities to meet the key requirements specified in the TSA security directives:

Access and Credential Management: TSA continues to stress the criticality of access control and credential management. Xage enables granular identity-based access and credential management for all assets—including legacy assets. Xage seamlessly overlays an operation to impose granular control over all interactions, without any disruptive changes to your assets or operational network.

Compensating Controls and Multi-layer MFA: For the many critical systems that lack their own strong security controls and/or security integrations, Xage provides zero trust access control with support for multi-layer MFA to deliver the compensating controls required in the TSA directives. Xage’s multi-layer MFA capability combines zero trust with a defense-in-depth authentication strategy.

Create Security Zones/Segmentation: TSA requires operational environments to be segmented into zones, interconnected with secure, controlled conduits, to prevent lateral movement from zone to zone in the event of a breach. Xage acts as a mesh, enabling session and protocol termination at each Xage node. The mesh approach guarantees the security of cross-zone conduits between the nodes and ensures that there is no unauthorized access to assets from outside or within each zone.

Achieve compliance with Xage TSA Directive Compliance Services