Complying with TSA Pipeline Security Directives

Recent cybersecurity incidents have demonstrated that both U.S. public and private sectors are increasingly at risk of sophisticated, malicious cyber activity. To combat the increasing number of cyberattacks targeted at the Oil and Gas industry, the Department of Homeland Security’s Transportation Security Administration (TSA) issued three security directives in 2021-22. The TSA guidelines aim to increase the security posture of the owners and operators of US-based gas and liquid pipelines. 

The Latest Developments: What You Should Know

The TSA directives are applicable to operational oil and natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied natural gas facility operators.

TSA issued the first and second Pipeline Security directives in May 2021 and July 2021. These directives are known as the TSA Pipeline Security Directive 2021-02 series and require the owners and operators of pipeline systems to take specific actions to enhance pipeline cybersecurity. TSA’s second directive 2021-02B expired on July 26, 2022 and the TSA reissued a third directive that went into effect on July 27, 2022. 

TSA states that the third directive (Security Directive Pipeline-2021-02C, also referred to as “SD02C”) is a continuation of the “SD-02 series”. SD02C supersedes TSA’s second Pipeline Security Directive published in July 2021. This latest security directive requires the owners and operators of the pipelines to: 

• Establish and implement a TSA-approved Cybersecurity Implementation Plan that outlines specific cybersecurity measures
• Develop and maintain a Cybersecurity Incident Response Plan to reduce the risk of operational disruption
• Establish a Cybersecurity Assessment Program with an annual plan with details on the assessed effectiveness of these cybersecurity measures 

Different from prior versions, the reissued pipeline security directive takes a performance-based approach to enhancing security. This approach allows operators to leverage new technologies and be more adaptive to changing environments. SD02C incorporates knowledge gained from the TSA’s experience processing and the consideration of alternative cybersecurity measure requests submitted by pipeline owner/operators in response to the original Security Directive Pipeline-2021-02 series. With these revisions, TSA is providing more flexibility to implement measures to meet requirements and achieve the ultimate objective of cyber-hardening critical Operational Technology (OT) and IT systems. 

This third Security Directive continues to emphasize the need to invest in security solutions that can truly protect assets, showing a heightened focus on prevention as opposed to just detection and response. TSA pipeline security guidelines include requirements for access control, credential management, least privilege management, role-based access, multi-factor authentication (MFA), and the use of “compensating controls” to allow pipeline operators to embrace the latest innovations. 

The Path Forward

Xage offers owners and operators of pipelines a holistic approach to meet TSA requirements without having to rely on multiple point solutions. The Xage Fabric cybersecurity mesh approach eliminates the need to “rip and replace” any existing Operational Technology (OT) to rapidly comply with TSA pipeline security directives. Xage is being deployed now by the owners/operators of U.S. pipelines to comply with TSA requirements, improve security posture, and defend against escalating cyberattacks targeting critical infrastructure. 

Xage Fabric provides Zero Trust Access (ZTA) capabilities to secure all the interactions in, out, and across operational, enterprise, and cloud environments. The Xage Fabric creates policies that set an identity-based perimeter around each user, app, device, machine, and data stream. That policy is then enforced anywhere without having to change existing assets or networks. 

Xage Fabric provides the required technical controls for protection, monitoring, and response across the entire operation to comply with the TSA security directives. Specifically, Xage provides the following capabilities to meet the key requirements specified in the TSA security directives:

• Access and Credential Management: TSA continues to stress the criticality of access control and credential management. Xage enables granular identity-based access and credential management for all assets– including legacy assets – powered by its patented Xage Fabric. The Xage Fabric seamlessly overlays an operation to impose granular control over all interactions, without any disruptive changes to your assets or operational network. 
• Compensating Controls and Multi-layer MFA: For the many critical systems that lack their own strong security controls and/or security integrations, the Xage Fabric provides zero trust-based access control with support for multi-layer MFA to deliver the “compensating controls” required in the newest TSA directive. Xage’s multi-layer MFA capability combines zero trust with a defense-in-depth authentication strategy. 
• Secure Zones, Multi-hop Conduits and Asset-centric Segmentation: TSA requires operational environments to be segmented into zones, interconnected with secure, controlled conduits, to prevent contagion from zone-to-zone in the event of breach. The Xage Fabric acts as a mesh, enabling session and protocol termination at each Xage node. The mesh approach guarantees the security of cross-zone conduits between the nodes and ensures that there is no unauthorized access to assets from outside or within each zone.