Recent cybersecurity incidents have demonstrated that both U.S. public and private sectors are increasingly at risk of sophisticated, malicious cyber activity. To combat the increasing number of cyberattacks targeted at the Oil and Gas industry, the Department of Homeland Security’s Transportation Security Administration (TSA) issued four security directives in 2021-23. The TSA guidelines aim to increase the security posture of the owners and operators of US-based gas and liquid pipelines.
The Latest Developments: What You Should Know
The TSA directives are applicable to operational oil and natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied natural gas facility operators.
TSA issued the first and second Pipeline Security directives in May 2021 and July 2021. These directives are known as the TSA Pipeline Security Directive 2021-02 series and require the owners and operators of pipeline systems to take specific actions to enhance pipeline cybersecurity. TSA’s second directive, 2021-02B, expired on July 26, 2022, and TSA reissued a third directive that went into effect on July 27, 2022.
Most recently, TSA’s Security Directive Pipeline-2021-02D was renewed as of July 26, 2023, superseding previous versions in a continuation of the series of Pipeline Security Directives first published in July 2021. The renewed security directive takes a performance-based approach to enhancing security, allowing operators to leverage new technologies and adapt to changing environments to achieve the ultimate objective of cyber hardening critical Operational Technology (OT) and IT systems. The July 2023 updates to the directive focus on testing and auditing the cybersecurity measures required in the initial versions of the directive. The updates require pipeline operators to:
- Annually submit an updated Cybersecurity Assessment Plan to TSA for review and approval.
- Annually report the results from previous-year assessments, with a schedule for assessing and auditing specific cybersecurity measures for effectiveness. TSA requires 100% of an owner/operator’s security measures be assessed every three years.
- According to the updated security directive, the five Cybersecurity Incident Response Plan (CIRP) objectives identified by TSA for pipeline operators are containment, segregation, secure access to critical systems, integrity of backup data, and isolation of IT from OT systems. The directive requires operators to test at least two of these CIRP objectives and report the findings to TSA each year.
This fourth Security Directive continues to emphasize the need to invest in security solutions that can truly protect assets, showing a heightened focus on prevention as opposed to just detection and response. TSA pipeline security guidelines include requirements for access control, credential management, least privilege management, role-based access, multi-factor authentication (MFA), and the use of “compensating controls” to allow pipeline operators to embrace the latest innovations.