“TSA is seeking to provide greater choice in the methods used to enhance cybersecurity; this could lead to faster compliance and stronger protection from threats,” said Duncan Greatwood, Xage CEO
PALO ALTO, Calif., July 22, 2022: Increased cyber threats have spurred continued action from the government, including multiple security directives from the Transportation Security Administration (TSA) for pipeline operators. The agency this week released the latest version of its Pipeline Security directive; another step towards a more secure energy infrastructure.
Despite speculation that the TSA is easing up on requirements, Duncan Greatwood, CEO of Xage, explains that their updates dig in on core zero trust principles:
- “The TSA is doubling down on some areas, such as access control and credential management for critical infrastructure systems, while relaxing some rules in other areas, such as lead times for incident reporting.”
- “What comes through most strongly is the TSA approval of performance-based, rather than prescriptive, measures for cyber-hardening. They’re providing greater choice in the methods operators can use to enhance cybersecurity, which could significantly accelerate implementation timelines.”
- “While this idea was already present in last year’s draft regulations, under the name of ‘alternative methods,’ this idea—now called ‘compensating controls’—has become central to access management requirements. The TSA is saying that any critical infrastructure element that lacks strong built-in security (as is the case with many operational assets) won’t need to be uprooted. Instead, these critical assets will need ‘compensating controls’ to protect them—in other words, a way to protect vulnerable assets that makes up for their lack of built-in security capabilities.”
These insights come from first hand experience implementing technologies and tactics to reach compliance without impacting existing operational technology assets. Xage works with some of the largest pipelines in the US, and Greatwood explained that “pipeline operators see this update as an accelerator of cyber-hardening, not an indication that they can sit back and relax. They wouldn’t want to anyway—the growing threat landscape is giving them even more of a wake up call than the TSA directives did in the first place.”
Xage is delivering comprehensive zero trust security and already deploying TSA-approved solutions for regulated energy companies across the country, including:
- Access and Credential Management: TSA continues to stress access control and credential management. Xage provides granular identity-based access and credential management for all assets, including legacy assets, powered by its patented Xage Fabric. The Xage Fabric seamlessly overlays an operation to impose granular control over all interactions, without any asset or network changes.
- Compensating Controls and Multi-layer MFA: For the many critical systems that lack their own strong security controls and/or security integrations, Xage’s Fabric provides zero trust-based access control, including multi-layer MFA, delivering the “compensating controls” required in the newest TSA regulations. In particular, Xage’s multi-layer MFA capability combines zero trust with a defense in-depth authentication strategy.
- Granular Zones, Conduits and Beyond: TSA also requires operational environments to be segmented into zones, interconnected with secure, controlled conduits, preventing contagion from zone-to-zone in the event of an initial breach. Xage’s Fabric acts as a mesh, providing session and protocol termination at each Xage node, guaranteeing the security of cross-zone conduits between the nodes, and ensuring that there is no unauthorized access to assets from outside or even from within each zone.
To learn more about how Xage is enabling critical infrastructure organizations to adopt zero trust without disruption, visit Xage.com/services.
Xage is the first and only zero trust real-world security company. The Xage Fabric accelerates and simplifies the way enterprises secure, manage and transform digital operations across OT, IT, and cloud. Xage solutions include Identity & Access Management (IAM), remote access and dynamic data security, all powered by the Xage Fabric.