On July 21, 2022, the US Transportation Security Administration (TSA) made a significant change to their security directive for owners and operators of hazardous liquid and natural gas pipeline and liquefied natural gas facilities, with the goal “to reduce the risk that cybersecurity threats pose to critical pipeline systems and facilities by implementing layered cybersecurity measures that demonstrate a defense-in-depth approach against such threats.”
Security Directive Pipeline-2021-02C, which supersedes and replaces Pipeline-2021-02B and is effective on July 27, 2022, reflects lessons learned by TSA after working with industry stakeholders and other federal agencies for the last year.
TSA Pipeline Security Directive Timeline
Let’s take a quick look at the history around the development and release of TSA’s pipeline security directives.
May 2021: Security Directive Pipeline-2021-01
In May 2021, Colonial Pipeline became the victim of a ransomware attack. As a result of this attack, TSA announced their first security directive for pipeline owners and operators on May 27, 2021, Pipeline-2021-01. These initial guidelines were seen as a good first step without being overly burdensome.
July 2021: Security Directive Pipeline-2021-02
On July 20, 2021, TSA announced a second security directive, Pipeline-2021-02 effective on July 26, 2021. Pipeline owners and operators found the second directive to be more difficult to implement as part of their cybersecurity program. First, the document was categorized as Security Sensitive Information (SSI), which meant that pipeline owners and operators were able to obtain copies; however, there were restrictions regarding sharing the document with contractors and vendors. Second, the requirements within the directive were seen as overly prescriptive, and often included many aspects that could not easily be met with much of the embedded operational technology (OT) equipment.
July 2022: Security Directive Pipeline-2021-02C
Over this last year, TSA worked with pipeline owners and operators to understand how they could revise the security directive to better meet TSA’s goal of improving the overall cybersecurity resilience of organizations, while allowing them the flexibility to meet requirements in a variety of ways. TSA incorporated feedback from industry groups and other federal partners, as well as input gained by evaluating pipeline owners’ and operators’ submissions against Pipeline-2021-02, into the new version of the directive.
Understanding Security Directive Pipeline-2021-02C
The shift from a prescriptive, compliance-based standard to a functional, performance-based standard is a major improvement in Security Directive Pipeline-2021-02C. The requirements now describe what should be accomplished and why without specifying how to meet the requirement. This allows pipeline owners and operators the flexibility to determine the correct risk-based solutions to meet the cybersecurity requirements in the standard.
The latest iteration of the security directive also aligns very well with multiple other industry standards, such as the NIST Cybersecurity Framework (CSF), API 1164, and the ISA/IEC 62443 series. By bringing the security directive in line with other standards, owners and operators can pull from a broader set of guidance, experience, and solutions to meet the requirements.
The main elements of Security Directive Pipeline-2021-02C are:
- Cybersecurity Implementation Plan
- Critical Systems Identification
- Network Segmentation
- Access Control
- Continuous Monitoring and Detection
- Patch Management
- Cybersecurity Incident Response Plan
- Cybersecurity Assessment Plan
Another shift has to do with the timing for compliance with different parts of the directive. No longer are organizations required to meet certain technical requirements by a specific date. The first major item required in Security Directive Pipeline-2021-02C is a Cybersecurity Implementation Plan. While the draft for this implementation plan must be delivered to TSA within 90 days (October 25, 2022), that is only the start of the dialogue between TSA and the owner and/or operator. The two will then come to an agreement on the Cybersecurity Implementation Plan, including appropriate risk-based decisions, alternate measures, and accompanying documentation to support the timeline. Once the Cybersecurity Implementation Plan is approved by TSA, the owner and/or operator is also required to submit their draft Cybersecurity Assessment Plan within 60 days describing how they plan to proactively assess and audit their security measures.
Alignment With the 5 Critical Controls for OT Security
In addition to aligning with many industry standards, Security Directive Pipeline-2021-02C also aligns well with the five critical controls needed to build a world-class OT cybersecurity program.
1. OT-Specific Incident Response Plan
TSA is requiring organizations to establish an up-to-date Cybersecurity Incident Response Plan to reduce the risk of operational disruption or other significant impacts. This incident response plan must include aspects to:
- Segregate and/or isolate systems to respond to an incident,
- Preserve forensic evidence,
- Secure system backups,
- Conduct exercises to determine the effectiveness of the plan, and
- Identify roles and responsibilities for implementing the plan.
2. A Defensible Architecture
Multiple aspects of the security directive work together to form the basis for a defensible architecture. The first is understanding what exists in the systems as part of an asset inventory and identifying critical assets. Another major aspect of a defensible architecture is network segmentation. With modern OT networks, there are often interdependencies between information technology (IT) and OT. These need to be understood and limited where possible. TSA also requires owners and operators to limit communications between zones.
3. Visibility and Monitoring
Owners and operators are required to implement continuous monitoring and detection to prevent, detect, and respond to cybersecurity threats and anomalies. This can mean detecting and responding to malicious activity and software in real time, but it also covers the logging needed to support an incident response investigation and the detections the defensible architecture relies on to respond to an incident.
4. Multi-Factor Authentication
In order to utilize multi-factor authentication (MFA) properly, an owner and/or operator must have previously incorporated several access control policies and procedures, including things such as credential management, least privilege, and individual accounts. TSA understands that MFA is a difficult requirement to meet for many OT systems and expects compensating controls and/or alternate methods to meet the requirements around access controls.
5. Key Vulnerability Management
An important aspect of vulnerability management for OT systems is patch management. It is vital for owners and operators to understand when new vulnerabilities are detected, identify older vulnerabilities that have not been mitigated, determine how the vendor has responded to the vulnerability by developing appropriate patches, and evaluate the potential consequences to either applying or not applying the patch. The owner and/or operator needs to make these risk-based decisions, understanding that TSA requires them to, at a minimum, acknowledge and document their approach to prioritizing different patches.
How Can Dragos Help
If you’re interested in further guidance or support in implementing an OT cybersecurity strategy based on Security Directive Pipeline-2021-02C and how the Dragos Platform technology can help you effectively and efficiently reach compliance and security, connect with us at firstname.lastname@example.org, reach out to your current account executive at Dragos, or use our contact us form.