TSA Pipeline Security Directive Upgraded: Navigating Cyber Challenges with TXOne Networks

Nov 10, 2023

Background

In 2021, the United States faced unprecedented challenges to its critical energy infrastructure. A well-known pipeline company fell victim to a severe ransomware attack that targeted its information technology (IT) system. For safety reasons, the company decided to suspend its operational technology (OT) system as well. This not only led to several days of downtime for the company but also triggered fuel shortages and price hikes on the East Coast, resulting in long lines at gas stations and disruptions for airlines and logistics companies. This incident underscored the vulnerabilities of private enterprises and government systems when facing cyberattacks, with the destructive impact posing a genuine threat to national security.

In response, the U.S. Department of Homeland Security (DHS) collaborated with the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA) to develop a series of new cybersecurity directives aimed at bolstering the cyber defenses of pipeline systems. In May and July 2021, the TSA issued the first and second pipeline security directives, respectively, mandating pipeline system owners and operators to take specific actions to enhance their cybersecurity.

However, in July 2022, the TSA updated these requirements, allowing pipeline operators more flexibility in achieving set objectives. They could continue to adopt various industry standards already in place, such as the NIST cybersecurity framework and the ISA/IEC 62443 series standards. A year later, in July 2023, the TSA released another updated version, emphasizing performance-based measures, ongoing monitoring, drills, and the approval of supplementary control measures. These changes were significant improvements for all pipeline owners and operators.

Table 1: Timeline of the TSA Security Directive Pipeline

| Timeline | Version | Description |
|---|---|---|
| May 2021 | Security Directive Pipeline-2021-01 (SD-01) | SD-01's primary objective was to require essential pipeline operators (i.e., those operating pipelines designated by the TSA as critical for transporting hazardous liquids and natural gas) to appoint a cybersecurity coordinator, report cybersecurity incidents, and conduct vulnerability assessments. |
| July 2021 | Security Directive Pipeline-2021-02B (SD-02B) | SD-02B directed key pipeline owners and operators to implement additional and immediately necessary cybersecurity measures to prevent continuing threats that could interrupt or degrade their infrastructure. Firstly, this document was classified as Sensitive Security Information (SSI), meaning pipeline owners and operators could access a copy, but sharing it with contractors and suppliers was tightly restricted. Secondly, the requirements in the directive were deemed prescriptive and often included aspects that were not easily achievable, like multi-factor authentication (MFA). |
| July 2022 | Security Directive Pipeline-2021-02C (SD-02C) | The TSA worked in conjunction with pipeline owners and operators to gain insights into how best to revise the security directives. These revisions aimed to meet TSA's goal of enhancing the overall cybersecurity resilience of organizations by constructing multiple feasible avenues through which the requirements could be met. Feedback from industry groups and other federal partners, as well as input obtained from assessing the submissions of pipeline owners and operators to Pipeline-2021-02, was incorporated into the new version of the directive. |
| July 2023 | Security Directive Pipeline-2021-02D (SD-02D) | This directive continues to mandate key pipeline and liquefied natural gas facility owners and operators to implement cybersecurity measures (e.g., reporting incidents, appointing cybersecurity coordinators, and reviewing current practices to enhance resilience). The revised directive introduced four significant changes: applicability changes, cybersecurity measure alterations (including the introduction of a Cybersecurity Incident Response Plan (CIRP)), document record revisions, and new requirements for document submission. |

Reviewing the Cybersecurity Requirements of TSA’s SD Pipeline-2021-02 Series

The TSA issued security directives for the pipeline sector to strengthen threat identification, prevention, and response. The initial directive, Pipeline-2021-01, released on May 27, 2021, provided a strong and achievable starting point. SD-01 required critical pipeline operators to:

  • Appoint a cybersecurity coordinator within 7 days.
  • Report significant cybersecurity incidents to CISA within 12 hours.
  • Assess their current cybersecurity posture, identify any gaps, formulate a remediation plan, and report these items to TSA and CISA within 30 days.

On July 20, 2021, TSA announced the second security directive, Pipeline-2021-02B, which went into effect on July 26, 2021. Pipeline owners and operators found this second directive more challenging to implement in their cybersecurity plans. SD-02B mandated pipeline operators to:

  • Implement critical mitigation measures to reduce the risk of damage from cyberattacks.
  • Develop a cybersecurity emergency/response plan to minimize operational interruptions when IT and OT systems are affected by cybersecurity events.
  • Verify the effectiveness of their cybersecurity practices through a Cybersecurity Architecture Design Review (ADR).

The TSA revised SD-02B into SD-02C on July 27, 2022, easing specific demands and allowing for a flexible, performance-based approach to cybersecurity. Pipeline operators now submit TSA-approved plans and benefit from the updated directive’s innovative strategies to enhance security and adapt to emerging challenges, focusing on preventing harm to infrastructure for key security outcomes:

  • Establish network segmentation policies and controls to ensure that if IT systems fail, OT systems can still operate and vice versa.
  • Implement access control measures to prevent unauthorized individuals or programs from accessing critical network systems.
  • Set up continuous monitoring and detection policies and procedures to continuously detect and address issues in critical network systems.
  • Regularly update and patch crucial network systems to prevent exploitation by malicious entities.

Pipeline owners and operators must:

  • Develop and execute a TSA-approved cybersecurity implementation plan, outlining specific cybersecurity measures employed by pipeline owners and operators to achieve the safety outcomes stipulated in the security directive.
  • Establish and maintain a cybersecurity incident response plan, detailing the actions to be taken by pipeline owners and operators when cybersecurity incidents lead to significant operational interruptions or severe business degradation.
  • Initiate a cybersecurity assessment plan, actively testing and routinely reviewing the effectiveness of cybersecurity measures in identifying and addressing vulnerabilities in equipment, networks, and systems.

New Requirements Unveiled in TSA’s Security Directive Pipeline-2021-02D

The SD Pipeline-2021-02D has been issued, replacing the SD Pipeline-2021-02C, in response to recent requirements aimed at rectifying previous shortcomings in efficiently monitoring the progress of pipeline operators’ Cybersecurity Implementation Plan (CIP) action plans. The updated security directive adopts a performance-based approach to enhance security, enabling operators to utilize new technologies and easily adapt to a constantly evolving environment with the ultimate goal of bolstering the cybersecurity of critical Operational Technology (OT) and IT systems. The focal point of the directive’s update in July 2023 revolves around testing and auditing the cybersecurity measures stipulated in its initial version. The SD Pipeline-2021-02D amendment encompasses:

  • Adjustments to Applicability, Compliance Deadlines, and Scope:
  1. If the owners or operators of critical network systems do not change their operational methods, they are required to conduct a reassessment to determine if it is still necessary to have these systems. If changes are made to these systems after the reassessment, and they are still considered necessary, the Transportation Security Administration (TSA) must be notified within 60 days to ensure that the systems align with the security requirements specified in the Security Directive (SD).
  2. A clarification of the process that pipeline owners/operators must adhere to when revising their CIP as per Pipeline-2021-02D.
  3. Attachments originally in SD Pipeline-2021-02C are now obsolete as TSA greenlights a more flexible cybersecurity implementation plan for pipeline owners/operators.

  • Revisions to Cybersecurity Measures:
  1. Scope of critical network systems: TSA might instruct pipeline owners/operators to include other key network systems in the CIP post consultation.
  2. New requirements for the Cyber Incident Response Plan (CIRP): Pipeline owners and operators are now mandated to annually test at least two CIRP objectives, which can include containment, segregation of the infected network (or devices), and integrity of backup data and IT/OT isolation. Furthermore, employees actively involved in CIRP activities, based on their roles, must be included in the assessment.
  3. Modifications to the Cybersecurity Assessment Plan (CAP): First, the term “cybersecurity assessment program” has been renamed as “cybersecurity assessment plan” for precision. In addition to submitting annual CAP updates for TSA review, approval from TSA is now necessary. The CAP should also contain a timeline, ensuring at least 30% of the policies, processes, measures, and capabilities in the TSA-approved CIP are assessed yearly, with a 100% assessment within three years. An annual CAP report, detailing assessment results and methodologies used to verify the effectiveness of policies, processes, and capabilities described in their CIP, must also be provided to TSA.

  • Revisions to Document Records for SD Compliance: It is explicitly stated that all plans, assessments, tests, and other contents previously listed in the index to fulfill Pipeline-2021-02D requirements must now be expressly included in the CIP and provided to TSA as needed. This amendment addresses the issues raised by TSA during its review of pipeline CIPs. Owners/operators must:
  1. Evaluate the TSA-approved cybersecurity implementation plan.
  2. Conduct a cybersecurity architecture design review at least once every two years.
  3. Incorporate additional assessment capabilities, like penetration testing.
  4. Include assessment and audit timetables.
  5. Submit annual reports to TSA.

  • New Requirements for SD Document Submission: A new stipulation mandates that owners/operators must follow the methods specified by TSA when submitting documents. This amendment aims to offer greater flexibility for future functionalities.

Meeting TSA’s New Cybersecurity Mandates with TXOne Networks

As stalwarts in the realm of Operational Technology (OT) digital safety and cybersecurity, our engineering team has identified how TXOne Networks’ suite of hardware and software solutions can enhance the oil and gas sector’s compliance with the TSA pipeline safety directives. In terms of sustained cybersecurity processes that work in sync with the right resources, vendors, and internal stakeholders, our offerings stand out as potent enablers to meet these specific TSA mandates:

Table 2: Meeting TSA Cybersecurity Directives with TXOne Technology

TSA Requirement: Critical Systems Identification
Cybersecurity Measures:
  • Identify the Owner/Operator's Critical Cyber Systems as defined in Section VII of this Security Directive.
TXOne Networks Assistance:
  • Portable Inspector and ElementOne offer a comprehensive overview of an organization’s assets and associated risks, displaying asset type, OS, the top 10 missing patches, total asset count, and critical vulnerabilities.

TSA Requirement: Implement Policies to Segment and Control OT and IT Networks
Cybersecurity Measures:
  • External connections to the OT system.
  • Logical zone definitions for IT and OT based on criticality, consequence, and need.
  • Security controls to block unauthorized inter-zone communications.
  • Rules that prevent unencrypted OT system data from passing through the IT system.
TXOne Networks Assistance:
  • EdgeIPS and EdgeFire manage the group policies of networking and endpoint security assets, integrating common IT and ICS protocols with security rules to protect the OT network and maintain operational integrity across distant sites. Administrators can modify OT protocol allowlists for asset interoperability and conduct deep L2-L7 network analysis.

TSA Requirement: Implement Access Control Measures for Local and Remote Access
Cybersecurity Measures:
  • Implement access management policies based on least privilege and role separation. If these cannot be technically applied, detail the alternative measures the Owner/Operator will employ.
TXOne Networks Assistance:
  • By configuring policies and profiles, EdgeIPS controls the access of different departments, user groups, and IT/OT network communication.
  • Stellar supports the principle of least privilege and Role-Based Access Control (RBAC), allowing different segmented endpoints to be used for different applications and services, such as operator workstations and engineering workstations.

TSA Requirement: Implement Continuous Monitoring and Detection Policies and Procedures for Critical Cyber Systems
Cybersecurity Measures:
  • Prevent malicious email, such as spam and phishing emails, from adversely impacting operations.
  • Restrict access to limit exposure to malicious web domains or applications.
  • Prevent unauthorized code, like macro scripts, from running.
  • Oversee and restrict connections from dubious command servers, including Tor exit nodes.
TXOne Networks Assistance:
  • EdgeIPS Pro provides streaming-based antivirus profiles that serve as an extra layer of protection and scanning, optimizing memory utilization for large archive files by decompressing them on the fly and scanning PE and ELF files for malware.
  • Stellar offers OT-native protection with its next-gen antivirus, application lockdown, and anomaly detection via a lightweight agent. It also includes an industrial application repository for operational baselines, anomaly detection, and real-time malware scanning to ensure operational integrity.
Cybersecurity Measures:
  • Check for unauthorized internet domain access.
  • Log and review OT system communications that deviate from the set baseline.
TXOne Networks Assistance:
  • EdgeIPS utilizes AI engines to create security baselines and corresponding security rules, dramatically reducing configuration effort.
  • The device stores system and event logs, which it can also ship to a Syslog server for quicker analysis.
Cybersecurity Measures:
  • Detect and respond to unauthorized code execution, including macro scripts.
  • Use tools like Security Orchestration, Automation, and Response (SOAR) to streamline incident response.
TXOne Networks Assistance:
  • Unexpected changes pose potential threats to operations. By analyzing the fingerprint at the device-agent level, Stellar prevents unexpected changes to the device, such as malware, unauthorized access, accidental configuration changes, and malicious process modifications.
Cybersecurity Measures:
  • Logging policies that mandate ongoing data collection and analysis for potential security breaches and unusual activity.
  • Logging policies that retain data long enough to facilitate thorough cybersecurity incident investigations.
TXOne Networks Assistance:
  • EdgeOne can centrally manage the network defense provided by the Edge series nodes and gives you comprehensive logs of activities, including cybersecurity, policy enforcement, protocol filtering, system logs, audits, and asset detection at each EdgeIPS Family and EdgeFire Family node.
  • Stellar can run on modern and legacy assets and allows management from a single platform through StellarOne, strengthening both management of modern assets and defense of legacy equipment.
  • ElementOne creates an inventory of OT asset information during routine scans, allowing verification of vulnerability status, OS (Operating System) updates, installed applications, and asset specifications.
Cybersecurity Measures:
  • Implement protective measures to isolate ICS when an IT security incident threatens the safety and dependability of the OT system.
TXOne Networks Assistance:
  • Deploy EdgeIPS and EdgeFire to segment the network based on a deep understanding of regulations, data sensitivity requirements, and work group productivity; this prevents attackers from moving within your network or accessing sensitive devices.

TSA Requirement: Minimize the Vulnerability of Un-updated Systems by Applying Security Patches and Updates to Critical Cyber Systems
Cybersecurity Measures:
  • Implement a patch management strategy for Critical Cyber Systems to ensure up-to-date security patches.
TXOne Networks Assistance:
  • ElementOne's malware-free report offers businesses a detailed look at their asset security, helping them spot issues and enhance their systems' safety. The report covers scan outcomes, system details, scanner settings, installed apps, Windows Updates, vulnerabilities, and missing patches.
  • EdgeIPS offers protection against unidentified threats by leveraging comprehensive and up-to-date threat intelligence. Drawing on the Zero Day Initiative (ZDI) vulnerability rewards program, EdgeIPS provides exclusive protection for your systems against undisclosed and zero-day threats.
Cybersecurity Measures:
  • If patching certain OT systems risks operational degradation, the strategy must outline alternative solutions and a timeline to mitigate risks from the uninstalled patches or updates.
TXOne Networks Assistance:
  • The Edge series uses virtual patching technology to shield older devices and systems with unpatched weaknesses. Systems that cannot receive security updates can still be defended and run smoothly by using virtual patching.
  • Stellar can watch over vulnerable processes and spot unusual actions. It can also fend off new, unexpected attacks by only running essential applications. This lets owners update their systems without immediate pressure.

TSA Requirement: Develop and Maintain a Cybersecurity Incident Response Plan
Cybersecurity Measures:
  • Owner/Operators must maintain a current Cybersecurity Incident Response Plan for Critical Cyber Systems. This plan should contain measures to minimize operational disruptions or other major impacts on required capacity in case of a cybersecurity incident in their pipeline or facility.
  • Ensure a structured framework and the ability to separate the Information and Operational Technology systems during a cybersecurity incident that poses or might lead to operational disruptions.
TXOne Networks Assistance:
  • EdgeIPS and EdgeFire support network segmentation technology and use pre-defined suspicious objects to identify malicious network behavior. Asset owners or service providers can maintain normal operation of production lines and avoid interference by tailoring their own OT/ICS security rules using a variety of user-defined conditions.

TSA Requirement: Develop a Cybersecurity Assessment Plan for Proactively Assessing and Auditing Cybersecurity Measures
Cybersecurity Measures:
  • The Owner/Operator must draft a Cybersecurity Assessment Plan for Critical Cyber Systems, focusing on evaluating security measures and identifying potential vulnerabilities.
  • This plan should be reviewed, updated, and submitted to TSA for approval annually, following the previous submission or its approval.
  • An annual report, as per regulations, detailing the past year's assessments must be submitted to TSA within a year of the last plan's submission or approval.
TXOne Networks Assistance:
  • ElementOne's malware-free report gives businesses a clear view of their asset security, helping them tackle issues and boost system safety. The report outlines scan results, system details, scanner settings, installed apps, Windows Updates, vulnerabilities, and missing patches.
  • EdgeOne ensures wide security for IT and OT systems, managing policies across its devices. With OT threat knowledge and proactive tools, it safeguards your network. It offers threat notifications, cybersecurity insights, a simple dashboard, group controls, and straightforward setup for a secure, easy-to-manage network. A key feature of the updated EdgeOne is its detailed network map, enhancing the visibility of your manufacturing assets.
  • StellarOne allows management from a single pane of glass with support for Syslog forwarding, indicators of compromise (IoC) integration, and centralized monitoring.
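The monitoring row above asks operators to log and review OT system communications that deviate from a set baseline, to block unauthorized inter-zone traffic, and to keep unencrypted OT data out of the IT network, with deviations shipped to a Syslog server. The following is an added illustration, not TXOne's code and not how EdgeIPS builds its AI baselines: it learns a plain allowlist from a learning window of constructed flow records, reviews later flows against that baseline plus three zone rules, and formats each deviation as an RFC 5424-style syslog line. The addresses, zone plan, protocol list, and hostname are assumptions made up for the example.

```python
"""Baseline-deviation review for OT network flows (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # application protocol identified by the sensor
    port: int
    op: str     # "read", "write" or "session"


# Hypothetical zone plan (constructed for this example, not from the page).
ZONES = {
    ip_network("10.10.0.0/24"): "OT-control",      # PLCs and RTUs
    ip_network("10.20.0.0/24"): "OT-supervisory",  # HMIs, engineering stations, historian
    ip_network("192.168.1.0/24"): "IT",
}
# OT protocols that carry data in cleartext (assumed list for the rule below).
CLEARTEXT_OT = {"modbus", "s7comm", "dnp3"}


def zone_of(addr: str) -> str:
    """Map an address to its logical zone; anything unlisted is external."""
    ip = ip_address(addr)
    for net, name in ZONES.items():
        if ip in net:
            return name
    return "external"


def learn_baseline(flows: Iterable[Flow]) -> set[Flow]:
    """Build the approved allowlist from flows seen during a trusted learning window."""
    return set(flows)


def check_flow(flow: Flow, baseline: set[Flow]) -> list[str]:
    """Return the reasons a flow deviates from the baseline (empty list if it matches)."""
    if flow in baseline:
        return []
    reasons = ["flow not in approved baseline"]
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "IT" and dst_zone.startswith("OT"):
        reasons.append("IT-to-OT connection outside baseline")
    if src_zone.startswith("OT") and dst_zone == "external":
        reasons.append("OT asset reaching an external address")
    if flow.proto in CLEARTEXT_OT and src_zone.startswith("OT") and dst_zone == "IT":
        reasons.append("cleartext OT protocol crossing into IT zone")
    # A first-ever write to a controller is worth its own flag even inside OT.
    if flow.op == "write" and not any(
        b.src == flow.src and b.dst == flow.dst and b.op == "write" for b in baseline
    ):
        reasons.append("first write operation from this source to this target")
    return reasons


def review(flows: Iterable[Flow], baseline: set[Flow]) -> list[tuple[Flow, list[str]]]:
    """Return every flow that deviates, paired with its reasons."""
    return [(f, r) for f in flows if (r := check_flow(f, baseline))]


def to_syslog(flow: Flow, reasons: list[str], when: datetime) -> str:
    """Format a deviation as an RFC 5424-style line (PRI 132 = local0.warning)."""
    pri = 16 * 8 + 4
    ts = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"<{pri}>1 {ts} ot-sensor baseline-review - - - "
            f"src={flow.src} dst={flow.dst} proto={flow.proto} port={flow.port} "
            f"op={flow.op} reasons=\"{'; '.join(reasons)}\"")


# Constructed learning window: HMI and engineering station talk to PLCs; historian uses HTTPS to IT.
LEARNED = [
    Flow("10.20.0.5", "10.10.0.11", "modbus", 502, "read"),
    Flow("10.20.0.5", "10.10.0.11", "modbus", 502, "write"),
    Flow("10.20.0.7", "10.10.0.12", "s7comm", 102, "read"),
    Flow("10.20.0.9", "192.168.1.20", "https", 443, "session"),
]
# Constructed review window: one normal flow followed by four kinds of deviation.
OBSERVED = [
    Flow("10.20.0.5", "10.10.0.11", "modbus", 502, "read"),
    Flow("10.20.0.7", "10.10.0.12", "s7comm", 102, "write"),
    Flow("192.168.1.50", "10.10.0.11", "modbus", 502, "read"),
    Flow("10.20.0.9", "192.168.1.20", "modbus", 502, "read"),
    Flow("10.10.0.11", "203.0.113.9", "https", 443, "session"),
]
REPORT_TIME = datetime(2023, 11, 10, 12, 0, tzinfo=timezone.utc)  # fixed for reproducibility


def example_report() -> list[str]:
    """Run the review over the constructed windows and return the syslog lines."""
    baseline = learn_baseline(LEARNED)
    return [to_syslog(f, r, REPORT_TIME) for f, r in review(OBSERVED, baseline)]


if __name__ == "__main__":
    for line in example_report():
        print(line)
```

The learning window must come from a period the operator trusts, and the allowlist should be reviewed by someone who knows the process before it is enforced; the zone rules exist so that the controls the directive asks for (inter-zone blocking, no cleartext OT data in IT, no OT assets talking outward) still fire even when a flow happens to resemble something learned.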

Conclusion

Facing the ever-evolving demands of cybersecurity might appear daunting, but pipeline operators in the oil and gas domain, alongside their cybersecurity squads, needn’t shoulder this complex challenge alone. TXOne Networks stands ready to provide these operators with the guidance required to align with the TSA’s enhanced mandates for information and system safeguarding.

TXOne Networks’ OT Zero Trust defense approach presents a distinct edge, offering fortified protection across endpoints and networks that can extend to every machine, personnel, dataset, and workflow to amplify network resilience. Armed with a security-first ethos rooted in zero trust and minimal privilege, our automated solutions are poised to assist pipeline operators in adeptly meeting TSA’s criteria. Operators can conveniently manage access permissions — who gets to tap into which devices, what data, and through which pathways — all while empowering administrators with unparalleled visibility, preemptive action, and swift responsiveness across the entire infrastructure.

Are you experiencing information overload? We’re here to help!

The challenges of securing oil and gas pipelines and production are constantly evolving. This is a great deal of information, and our team is ready and happy to help you and your vendors find the OT cyber defenses that are best for you. Contact us to learn how TXOne solutions can keep your system safe, compliant, and operational.
