Tightening the Cybersecurity Net: TSA Fortifies Pipeline Requirements

Government TSA Updates Pipeline Cybersecurity Requirements

July 27, 2023

The Transportation Security Administration (TSA) has announced updated cybersecurity requirements for oil and natural gas pipeline owners and operators, following the disruptive cyberattack that hit Colonial Pipeline in 2021. The new security directive aims to enhance the defenses against cyberattacks and requires pipeline organizations to implement measures to improve their cybersecurity.

Testing Assessment and Incident Response Plans

The updated requirements now require owners and operators to annually submit an updated cybersecurity assessment plan to the TSA for review and approval. This plan will outline the measures that will be taken to secure the pipelines and prevent cyberattacks. Additionally, organizations will need to provide a schedule for assessing and auditing specific cybersecurity measures and submit an annual report with the results of the previous year’s assessment.

One of the significant changes is the requirement for pipeline companies to test at least two objectives of their incident response plans on an annual basis. This additional testing will help ensure the readiness and effectiveness of response plans in the event of a cyber incident.

Incorporating Existing Industry Standards

The TSA‘s updated security directive takes a performance-based approach rather than prescribing specific measures, allowing pipeline companies to incorporate industry standards they already use, such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series. This approach demonstrates the TSA‘s support for the distinct needs of the sector and offers flexibility to accommodate differences in systems and operations.

Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos, remarked on the updated requirements, saying, “The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represent major improvements for all pipeline owners and operators.”

Concerns and Recommendations

While the updated cybersecurity requirements demonstrate progress in the TSA‘s support for the pipeline sector, there are concerns about the increased audit language and reporting requirements. Industry experts are urging the TSA to align these requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators subject to multiple regulatory authorities.

Moreover, the engagement between the TSA and the private sector and industry experts should continue as the security directives are updated and revised moving forward. This collaboration will ensure that the requirements are effective in enhancing cybersecurity measures and mitigating potential threats.

Conclusion

The TSA‘s updated cybersecurity requirements for pipeline owners and operators are a significant step towards fortifying critical infrastructure against cyberattacks. By testing assessment and incident response plans and allowing the incorporation of existing industry standards, the TSA aims to improve the sector’s cybersecurity resilience. However, concerns remain about the increased audit and reporting requirements, calling for alignment with other regulatory frameworks to ease the burden on infrastructure owners and operators. Ongoing collaboration between the TSA, private sector, and industry experts will be crucial in ensuring the effectiveness of these requirements in the rapidly evolving cybersecurity landscape.