The Transportation Security Administration revised its security directive on cybersecurity for oil and natural gas pipelines Wednesday. The directive was issued and later renewed following the ransomware attack on Colonial Pipeline.
The updated security directive calls for operators to test previously mandated processes and implementation plans. Oil and natural gas pipeline owners must now:
- Submit an updated cybersecurity assessment plan to the TSA annually for review and approval.
- Report the results from prior year assessments every year and include a schedule for assessing and auditing specific cybersecurity measures to ensure they are effective. "TSA requires 100% of the owner/operator’s cybersecurity measures be tested every three years."
- At least two Cyber Incident Response Plan measures must be tested. Individuals serving in positions identified in the CIRP response plans need to be included in annual exercises.
The new directive seeks to strengthen the resilience of these pipelines and includes input from industry stakeholders and federal partner agencies, including the Cybersecurity and Infrastructure Security Agency and the Department of Transportation.
“TSA is committed to keeping the nation’s transportation system secure in this challenging cyber threat environment,” TSA Administrator David Pekoske said in the announcement. “The revised security directive sustains the strong cybersecurity measures already in place for the oil and natural gas pipeline industry.”
The updated guidelines come amid heightened risk to the oil and gas industry, including specific state-linked threats related to the Ukraine war. Just a month ago, Suncor Energy in Canada was targeted in a cyberattack that disrupted payment transactions to more than 1,500 of its Petro-Canada retail gas stations.
Jason Christopher, director of cyber risk at Dragos, praised the new directive, noting that it focuses on performance based objectives rather than prescriptive ones.
The updated directive also gives owner-operators the flexibility to leverage various industry standards they already incorporate, including the NIST Cybersecurity Framework and the ISA/IEC 62443 series.
“The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represents major improvements for all pipeline owners and operators,” Christopher said.