The United States government body, Transportation Security Administration (TSA) has announced that it is revising and reissuing its Security Directive on oil and natural gas pipeline cyber security.
This directive will continue the effort to build cybersecurity resilience for the pipelines, according to a statement.
The directive extends the cybersecurity requirements for another year (starting from last July) and focuses on non-binding performance-based measures so that there are critical cyber results.
“TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” said TSA administrator David Pekoske.
“We recognise that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure,” he added.
It is important to note that May 2021 ransomware attack on a major pipeline had TSA to issue several security directives requiring that owners and operators of critical pipelines implement several urgently needed cybersecurity measures.
TSA intends to initiate the formal rulemaking process, which will provide an opportunity for public comments to be submitted and considered.
The security directive requires owners and operators of TSA-specified pipeline and LNG facilities to take action to achieve the following safety outcomes:
- Develop network segmentation policies and controls
- Establish access control measures to secure and prevent unauthorized access to critical cyber systems
- Build continuous monitoring and detection policies and procedures to identify cyber security threats and correct related anomalies
- Reduce the risk of exploiting unpatched systems by applying security patches and updates for operating systems, applications, drivers and firmware
Pipeline owners and operators must:
- Establish and execute a TSA-approved Cybersecurity Implementation Plan that outlines specific cybersecurity measures
- Develop and maintain a Cyber Security Incident Response Plan
- Create a Cybersecurity Assessment Program to review the effectiveness of cybersecurity measures and identify and resolve vulnerabilities in devices, networks and systems proactively and regularly
Added to these requirements is the previously established requirement to report significant cyber security incidents to CISA, establish a cyber security contact point and conduct an annual cyber vulnerability assessment.
