Background
In 2021, the United States faced unprecedented challenges to its critical energy infrastructure. A well-known pipeline company fell victim to a severe ransomware attack that targeted its information technology (IT) system. For safety reasons, the company decided to suspend its operational technology (OT) system as well. This not only led to several days of downtime for the company but also triggered fuel shortages and price hikes on the East Coast, resulting in long lines at gas stations and disruptions for airlines and logistics companies. This incident underscored the vulnerabilities of private enterprises and government systems when facing cyberattacks, with the destructive impact posing a genuine threat to national security.
In response, the U.S. Department of Homeland Security (DHS) collaborated with the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA) to develop a series of new cybersecurity directives aimed at bolstering the cyber defenses of pipeline systems. In May and July 2021, the TSA issued the first and second pipeline security directives, respectively, mandating pipeline system owners and operators to take specific actions to enhance their cybersecurity.
However, in July 2022, the TSA updated these requirements, allowing pipeline operators more flexibility in achieving set objectives. They could continue to adopt various industry standards already in place, such as the NIST cybersecurity framework and the ISA/IEC 62443 series standards. A year later, in July 2023, the TSA released another updated version, emphasizing performance-based measures, ongoing monitoring, drills, and the approval of supplementary control measures. These changes were significant improvements for all pipeline owners and operators.
Table 1: Timeline of the TSA Security Directive Pipeline

| Timeline | Version | Description |
|---|---|---|
| May 2021 | Security Directive Pipeline-2021-01 (SD-01) | SD-01's primary objective was to require essential pipeline operators (i.e., those operating pipelines designated by the TSA as critical for transporting hazardous liquids and natural gas) to appoint a cybersecurity coordinator, report cybersecurity incidents, and conduct vulnerability assessments. |
| July 2021 | Security Directive Pipeline-2021-02B (SD-02B) | SD-02B directed key pipeline owners and operators to implement additional, urgently needed cybersecurity measures against ongoing threats that could disrupt or degrade their infrastructure. First, the document was classified as Sensitive Security Information (SSI): pipeline owners and operators could obtain a copy, but sharing it with contractors and suppliers was tightly restricted. Second, the directive's requirements were prescriptive and often included measures that were not easily achievable, such as multi-factor authentication (MFA). |
| July 2022 | Security Directive Pipeline-2021-02C (SD-02C) | The TSA worked with pipeline owners and operators to learn how best to revise the security directives. The revisions aimed to meet TSA's goal of improving organizations' overall cybersecurity resilience by allowing multiple feasible ways to meet the requirements. Feedback from industry groups and other federal partners, together with lessons from assessing owners' and operators' submissions under Pipeline-2021-02, was incorporated into the new version of the directive. |
| July 2023 | Security Directive Pipeline-2021-02D (SD-02D) | This directive continues to require key pipeline and liquefied natural gas facility owners and operators to implement cybersecurity measures (e.g., reporting incidents, appointing cybersecurity coordinators, and reviewing current practices to improve resilience). The revised directive introduced four significant changes: applicability changes, changes to cybersecurity measures (including the introduction of a Cybersecurity Incident Response Plan (CIRP)), revisions to document records, and new requirements for document submission. |
Reviewing the Cybersecurity Requirements of TSA’s SD Pipeline-2021-02 Series
The TSA issued security directives for the pipeline sector to strengthen threat identification, prevention, and response. The initial directive, Pipeline-2021-01, released on May 27, 2021, provided a strong and achievable starting point. SD-01 required critical pipeline operators to:
- Appoint a cybersecurity coordinator within 7 days.
- Report significant cybersecurity incidents to CISA within 12 hours.
- Assess their current cybersecurity posture, identify any gaps, formulate a remediation plan, and report these items to TSA and CISA within 30 days.
On July 20, 2021, TSA announced the second security directive, Pipeline-2021-02B, which went into effect on July 26, 2021. Pipeline owners and operators found this second directive more challenging to implement in their cybersecurity plans. SD-02B mandated pipeline operators to:
- Implement critical mitigation measures to reduce the risk of damage from cyberattacks.
- Develop a cybersecurity emergency/response plan to minimize operational interruptions when IT and OT systems are affected by cybersecurity events.
- Verify the effectiveness of their cybersecurity practices through a Cybersecurity Architecture Design Review (ADR).
The TSA revised SD-02B into SD-02C on July 27, 2022, easing specific demands and allowing a flexible, performance-based approach to cybersecurity. Pipeline operators now submit plans for TSA approval, and the updated directive lets them adopt new strategies and adapt to emerging challenges while focusing on preventing harm to infrastructure through four key security outcomes:
- Establish network segmentation policies and controls to ensure that if IT systems fail, OT systems can still operate and vice versa.
- Implement access control measures to prevent unauthorized individuals or programs from accessing critical network systems.
- Set up continuous monitoring and detection policies and procedures to continuously detect and address issues in critical network systems.
- Regularly update and patch crucial network systems to prevent exploitation by malicious entities.
Pipeline owners and operators must:
- Develop and execute a TSA-approved cybersecurity implementation plan, outlining the specific cybersecurity measures the owner or operator employs to achieve the security outcomes stipulated in the security directive.
- Establish and maintain a cybersecurity incident response plan, detailing the actions to be taken by pipeline owners and operators when cybersecurity incidents lead to significant operational interruptions or severe business degradation.
- Initiate a cybersecurity assessment plan, actively testing and routinely reviewing the effectiveness of cybersecurity measures in identifying and addressing vulnerabilities in equipment, networks, and systems.
New Requirements Unveiled in TSA’s Security Directive Pipeline-2021-02D
SD Pipeline-2021-02D has been issued, replacing SD Pipeline-2021-02C, to rectify previous shortcomings in efficiently monitoring pipeline operators' progress against their Cybersecurity Implementation Plan (CIP) action plans. The updated security directive keeps the performance-based approach, enabling operators to adopt new technologies and adapt to a constantly evolving environment, with the ultimate goal of strengthening the cybersecurity of critical Operational Technology (OT) and IT systems. The July 2023 update focuses on testing and auditing the cybersecurity measures stipulated in the earlier version. The SD Pipeline-2021-02D amendment encompasses:
- Adjustments to Applicability, Compliance Deadlines, and Scope:
  - If the owners or operators of critical network systems do not change their operational methods, they are still required to conduct a reassessment to determine whether these systems remain necessary. If changes are made to these systems after the reassessment and they are still considered necessary, the Transportation Security Administration (TSA) must be notified within 60 days so that the systems can be confirmed to align with the security requirements specified in the Security Directive (SD).
  - A clarification of the process that pipeline owners/operators must follow when revising their CIP under Pipeline-2021-02D.
  - The attachments originally in SD Pipeline-2021-02C are now obsolete, as TSA approves a more flexible cybersecurity implementation plan for pipeline owners/operators.
- Revisions to Cybersecurity Measures:
  - Scope of critical network systems: TSA may instruct pipeline owners/operators to include other key network systems in the CIP after consultation.
  - New requirements for the Cyber Incident Response Plan (CIRP): Pipeline owners and operators must now annually test at least two CIRP objectives, which can include containment, segregation of the infected network (or devices), integrity of backup data, and IT/OT isolation. Furthermore, employees actively involved in CIRP activities, based on their roles, must be included in the exercise.
  - Modifications to the Cybersecurity Assessment Plan (CAP): First, the term "cybersecurity assessment program" has been renamed "cybersecurity assessment plan" for precision. In addition to submitting annual CAP updates for TSA review, TSA approval is now required. The CAP must also contain a timeline ensuring that at least 30% of the policies, processes, measures, and capabilities in the TSA-approved CIP are assessed each year, with 100% assessed within three years. An annual CAP report, detailing the assessment results and the methodologies used to verify the effectiveness of the policies, processes, and capabilities described in the CIP, must also be provided to TSA.
- Revisions to Document Records for SD Compliance: It is explicitly stated that all plans, assessments, tests, and other items previously listed in the index to fulfill Pipeline-2021-02D requirements must now be expressly included in the CIP and provided to TSA on request. This amendment addresses issues TSA raised during its review of pipeline CIPs.
  - Evaluate the TSA-approved cybersecurity implementation plan.
  - Conduct a cybersecurity architecture design review at least once every two years.
  - Incorporate additional assessment capabilities, such as penetration testing.
  - Include assessment and audit timetables.
  - Submit annual reports to TSA.
- New Requirements for SD Document Submission: A new stipulation mandates that owners/operators follow the methods specified by TSA when submitting documents. This amendment aims to offer greater flexibility for future functionality.
Meeting TSA’s New Cybersecurity Mandates with TXOne Networks
As stalwarts in the realm of Operational Technology (OT) digital safety and cybersecurity, our engineering team has identified how TXOne Networks’ suite of hardware and software solutions can enhance the oil and gas sector’s compliance with the TSA pipeline safety directives. In terms of sustained cybersecurity processes that work in sync with the right resources, vendors, and internal stakeholders, our offerings stand out as potent enablers to meet these specific TSA mandates:
Table 2: Meeting TSA Cybersecurity Directives with TXOne Technology

| TSA Requirements | Cybersecurity Measures | TXOne Networks Assistance |
|---|---|---|
| Critical Systems Identification | | |
| Implement Policies to Segment and Control OT and IT Networks | | |
| Implement Access Control Measures, for Local and Remote Access | | |
| Implement Continuous Monitoring and Detection Policies and Procedures for Critical Cyber Systems | Logging policies that: | |
| Minimize the Vulnerability of Un-updated Systems by Applying Security Patches and Updates to Critical Cyber Systems | | |
| Develop and Maintain a Cybersecurity Incident Response Plan | | |
| Develop a Cybersecurity Assessment Plan for Proactively Assessing and Auditing Cybersecurity Measures | | |
Conclusion
Facing the ever-evolving demands of cybersecurity might appear daunting, but pipeline operators in the oil and gas domain, alongside their cybersecurity squads, needn’t shoulder this complex challenge alone. TXOne Networks stands ready to provide these operators with the guidance required to align with the TSA’s enhanced mandates for information and system safeguarding.
TXOne Networks’ OT Zero Trust defense approach presents a distinct edge, offering fortified protection across endpoints and networks that can extend to every machine, personnel, dataset, and workflow to amplify network resilience. Armed with a security-first ethos rooted in zero trust and minimal privilege, our automated solutions are poised to assist pipeline operators in adeptly meeting TSA’s criteria. Operators can conveniently manage access permissions — who gets to tap into which devices, what data, and through which pathways — all while empowering administrators with unparalleled visibility, preemptive action, and swift responsiveness across the entire infrastructure.
Are you experiencing information overload? We’re here to help!
The challenges of securing oil and gas pipelines and production are constantly evolving. This is a great deal of information, and our team is ready and happy to help you and your vendors find the OT cyber defenses that are best for you. Contact us to learn how TXOne solutions can keep your system safe, compliant, and operational.