After the Colonial Pipeline ransomware attack in May 2021 shut down the entire pipeline system for about a week, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued a directive requiring pipeline companies to take immediate actions to mitigate cyber risks. The first cybersecurity directive was issued on May 27, 2021, and a follow-up directive was issued on July 20, 2021.
DHS cybersecurity directives: Timeline of events
May 27, 2021: The first announcement from the DHS, dated May 27, states: “The Department of Homeland Security’s Transportation Security Administration (TSA) announced a security directive that will enable DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector. The security directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA and to designate a Cybersecurity Coordinator to be available 24/7.”
July 20, 2021: The second announcement from the DHS, dated July 20, states: “In response to the ongoing cybersecurity threat to pipeline systems, DHS’s Transportation Security Administration (TSA) announced the issuance of a second Security Directive that requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.”
Key takeaways from the May 27 security directive
This first directive required three key actions for owners and operators of TSA-designated critical pipelines:
- Report all confirmed and potential cybersecurity incidents to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). The security directive specifies the format and timing of these reports and defines the incidents that must be reported, including:
- Unauthorized access of an Information Technology (IT) or Operational Technology (OT) system
- Discovery of malicious software on an IT or OT system
- Activity resulting in Denial of Service (DoS) attacks to any IT or OT system
- Physical attacks against network infrastructure
- Any other cybersecurity incident that disrupts systems or facilities, “or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases including, but not limited to impacts to a large number of customers, critical infrastructure or core government functions, or impacts national security, economic security or public health and safety.”
- Designate a cybersecurity coordinator who is available 24/7 and notify TSA of the designation. The security directive also specifies qualifications and responsibilities for the coordinator role.
- Perform a vulnerability assessment per section 7 of the TSA pipeline security guidelines, which were published in March 2018 and updated in April 2021, including:
- Identify gaps between current IT and OT security practices and the specific measures listed in the TSA pipeline security guidelines.
- Identify remediation measures to close the identified gaps and a timeline for implementing those remediations.
- Report the results of the assessment and the remediation plans to TSA and CISA within 30 days (by June 27, 2021).
Key takeaways from the July 20 security directive
While the contents of the May 27 security directive have been made public, the TSA marked the detailed July 20 security directive as sensitive security information. As a result, its details are shared only on a need-to-know basis and are not publicly available. What the July 20, 2021 announcement does disclose is that DHS is requiring owners and operators of TSA-designated critical pipelines to implement specific measures, including:
- Implementing specific mitigation measures to protect against ransomware attacks as well as other known threats to IT and OT systems.
- Developing and implementing a cybersecurity contingency and recovery plan.
- Performing a cybersecurity architecture design review.
These measures do not appear to represent significant changes from existing industry guidance and best practices (including, but not limited to, the TSA pipeline security guidelines). Rather, the directive makes mandatory for critical pipelines guidance that was previously voluntary.
How will the TSA enforce the new security directives?
The security directives were issued by the TSA. CISA, which manages the Pipeline Cybersecurity Initiative (PCI) through the National Risk Management Center (NRMC), is the recipient of the required incident reports and assessment results.
The security directives could be enforced through the TSA’s Enforcement Sanction Guidance Policy, which was updated on February 8, 2021. This policy allows the TSA to impose civil monetary penalties. However, the pipeline security directives have not yet been specifically incorporated into the enforcement policy.
How RSM can help you manage these new cybersecurity requirements
RSM recognizes the challenges the new TSA security directives are creating for pipeline companies. A clear understanding and interpretation of the requirements is critical to meeting them. While the directives and their specific requirements may be new, the fundamental security guidelines they reference are aligned with industry practices that RSM has been advising its clients on for many years.
Our dedicated team of experts has deep domain knowledge in cybersecurity and OT (also referred to as industrial control systems [ICS] or supervisory control and data acquisition [SCADA] systems), specifically within the energy sector, including drilling, pipeline, refining, and power distribution control systems. We have designed and successfully delivered multiple ICS cybersecurity assessments and have provided design engineering and support services within the pipeline sector.
We can help you with an on-site, remote, or hybrid assessment of your pipeline’s ICS cybersecurity posture that considers people, process, technology, and data. RSM will work with you to identify your risks, protect against threats, detect tactical and strategic issues, create a response plan, and develop effective strategies to recover from an attack. Contact us for a cyber assessment and advisory services on the new pipeline security directives.
Dharminder Dargan (Dharminder.Dargan@rsmus.com)