Understanding Cyber Directives from TSA and Other Agencies

Recent cybersecurity incidents have demonstrated that both the U.S. public and private sectors are increasingly at risk from sophisticated, malicious cyber activity. After a slew of high-profile attacks during 2021, the U.S. government is taking concrete measures to raise cybersecurity standards. From the first update to NATO cyber policy in seven years and increased funding and investment, to notable public/private partnerships and new directives, we are entering an era of government mandates and requirements around cybersecurity for the private sector.

Thus far, some of the most impactful initiatives have been guidelines from the Biden administration's Executive Orders and memos, as well as from the Department of Homeland Security (DHS), the Transportation Security Administration (TSA), and the Cybersecurity and Infrastructure Security Agency (CISA). These guidelines, which began by outlining standards for reporting and monitoring, have since evolved to set specific protections across industries, including federal agencies, utilities, oil and gas distributors, transportation providers, and manufacturing companies. These directives are now being placed on U.S. Fortune 100 oil and natural gas pipeline companies and will likely be expanded to more organizations and industries.

In turn, it is key for critical infrastructure operators and the private sector to keep abreast of evolving regulations and initiatives, understand the requirements and how to implement them, and look ahead to potential shifts down the road.

The Latest Developments: What You Should Know

Following recent incidents, the Biden administration issued an Executive Order in May 2021 to modernize U.S. defenses and improve the federal government's cybersecurity. The intent of the Executive Order was to:

  • Remove barriers to threat information sharing between government and the private sector;
  • Modernize and implement stronger cybersecurity standards across the federal government;
  • Establish a cybersecurity safety review board;
  • Create a standard playbook for responding to cyber incidents. 

This Executive Order set a timeline with deadlines, including a 100-day initiative to improve cybersecurity across the electric/utilities sector (with a clear intention to expand to other sectors). Since then, that initiative has already resulted in an upgraded cyber posture for more than 150 utilities.

The President's Executive Order required action from DHS, TSA (a division of DHS), and CISA; in particular, within a set period after the order, these agencies had to create a playbook to guide vulnerability analysis and incident reporting. Further, each set out to provide relevant guidance to individual sectors in order to meet the objectives within the order.

In May 2021, TSA issued a Security Directive requiring certain pipeline owners and/or operators to take specific actions to enhance pipeline cybersecurity. In this directive, TSA requires:

  • Certain pipeline owners/operators to report cybersecurity incidents to DHS;
  • Pipeline owners/operators to designate a cybersecurity coordinator and review current activities against TSA's recommendations for pipelines.

In July 2021, TSA issued a second Security Directive, which establishes requirements for certain pipeline owners and/or operators to:

  • Implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems;
  • Develop and implement a cybersecurity contingency and response plan;
  • Undergo an annual cybersecurity architecture design review.

This second Security Directive emphasized the need to invest in security solutions that can truly protect assets, showing a heightened focus on prevention as opposed to detection and response alone. It was developed by TSA in coordination with CISA and incorporates mitigation strategies based on lessons learned from recent attacks.

Additionally, in July 2021, the National Security Memorandum was released and established the Industrial Control Systems Cybersecurity Initiative. This initiative was specifically directed towards upgrading U.S. critical infrastructure to meet cybersecurity standards by encouraging the deployment of technologies that provide threat visibility, indications, detection, and warnings. It also covers technologies that facilitate response capabilities for cybersecurity in essential control systems and OT networks, to protect critical operations.

Specific Guidelines and Requirements

The Industrial Control Systems Cybersecurity Initiative required pipeline companies to compile and submit a report addressing specific mitigation measures within 120 to 180 days. 

TSA also published, and recently revised, a set of guidelines for securing industrial operations. These guidelines include requirements for both access management and data protection for all critical OT cyber assets, including those assets that lack built-in technical controls capable of meeting these requirements. In such cases, compensating cybersecurity controls must be implemented.

Additionally, CISA recently released a set of guidelines for critical asset owners on mitigating cyber attacks against OT, including:

  • Updating software, including operating systems, applications, and firmware, on IT network assets in a timely manner;
  • Implementing asset (application, device, machine) access management;
  • Ensuring user and process accounts are limited through account use policies, user account control, and privileged account management;
  • Requiring multi-factor authentication for access to OT and IT networks;
  • Implementing and maintaining robust network segmentation between IT and OT networks;
  • Implementing a continuous and vigilant system monitoring program.

The Path Forward

Effectively mitigating malware and ransomware attacks requires a comprehensive cybersecurity architecture that delivers technical controls throughout the operational environment and allows for protection, monitoring, and response. The federal government is increasingly interested in implementing a zero trust approach, most recently emphasized by the Biden administration's call for feedback on its draft zero trust strategy for federal systems. The draft includes potential requirements for agencies by the end of fiscal 2024, including the use of single sign-on, encryption, reducing the use of VPNs, and more. Given this trajectory, we anticipate that further DHS directives will continue to push, and ideally incentivize, pipeline operators to adopt a zero trust security architecture.

There is growing consensus across the industry that zero trust is the best way to protect crucial systems and block cyber attacks. Xage Fabric provides Zero Trust Access (ZTA) capabilities to secure all interactions in, out, and across operational, enterprise, and cloud environments. The Xage Fabric creates policies that set an identity-based perimeter around each user, app, device, machine, and data stream.

That policy is then enforced anywhere without having to change existing assets or networks. Xage Fabric provides the required technical controls for protection, monitoring, and response across the entire operation. 

Zero Trust Access and Data Security controls throughout the operation are needed to prevent attacks, contain their spread, and respond immediately, which keeps operations running even in the event of an attack. Adopting zero trust allows for control over all interactions: each user, application, and system is authenticated and authorized, and the technology never assumes trust.

Specifically, zero trust: 

  • Authenticates, authorizes, and enforces granular access control for every interaction based on the identity of the user and asset, role, location, and time frame, per security policy;
  • Keeps remote users and apps outside of networks and never exposes vulnerable protocols;
  • Ensures files and data are malware-free before reaching operations;
  • Changes credentials on every asset frequently, especially after attacks;
  • Ensures data authenticity, integrity, and confidentiality end-to-end for every interaction.

Even though rapid developments from the federal government on specific cybersecurity standards for critical infrastructure can be difficult to keep track of, we anticipate that further standards will focus on a zero trust approach. Adopting a zero trust architecture creates the foundation needed to adapt effectively to current directives and prepare for future regulations. The Xage Fabric delivers this foundation for all industries and allows them to stay on the cutting edge of security.
