Following months of pushback from private industry, the Transportation Security Administration (TSA) reissued a revised version of its cybersecurity directive for oil and natural gas pipeline owners and operators. The directive follows the May 2021 ransomware attack on Colonial Pipeline. That attack impacted fuel transformation and caused widespread disruption to fuel availability. The attack brought critical infrastructure security to the forefront of national attention.
Within weeks of the Colonial Pipeline attack, the TSA issued a number of security directives that mandated critical pipeline owners and operators implement specific cybersecurity measures. Because the TSA determined that the security measures were sensitive, they were not released to the public. However, industry complaints quickly surfaced that the regulations were difficult, even unfeasible to implement.
Politico quoted Robert M. Lee, CEO at cybersecurity services provider Dragos, as saying “In every sense, TSA has screwed this up. It is a giant cluster and in many ways is a perfect example of what not to do with a regulatory process.”
The TSA is now trying again with an updated security directive. In its announcement late last week, the TSA said it has significantly revised the July 2021 security directive to provide owners and operators more flexibility to adequately improve their security and meet the desired security levels necessary for national security. “Cybersecurity experts from TSA and the Cybersecurity and Infrastructure Security Agency (CISA) contributed to the development of the measures in this Security Directive series to ensure the efficacy of the requirements in mitigating system vulnerabilities,” the TSA’s memorandum states.
The updated directive also includes feedback from the pipeline industry as well as Congress on how to move to a more performance-based, security outcomes-focused program. “In addition, the directive incorporates knowledge gained from TSA’s processing and consideration of alternative measure requests submitted by pipeline Owner/Operators, the TSA states.
The new directive requires pipeline owners and operators to provide a cybersecurity implementation plan that must be approved by the TSA. Once approved, the plan will be the requirement the TSA measures against for compliance.
The new directive requires pipeline owners and operators to:
- Establish and execute a TSA-approved cybersecurity implementation plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth in the security directive.
- Develop and maintain a cybersecurity incident response plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident.
- Establish a cybersecurity assessment program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.
The administration has taken note of the TSA’s earlier misstep. Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger said last week that the White House will meet with the rail industry before issuing a new set of cybersecurity rules for that critical infrastructure industry. The hope is to avoid the confusion that occurred after the Colonial Pipeline attack.