TSA Releases Revised Cybersecurity Requirements For Oil And Gas Pipelines

The Transportation Security Administration on Thursday issued revised cybersecurity directives for oil and gas providers that are more focused on performance-based measures. The revision follows extensive input from federal regulators and private industry stakeholders in the wake of the May 2021 ransomware attack on Colonial Pipeline.

Chris Clymer, Director & CISO, Inversion6, had this comment:

When a cyberattack took the Colonial Pipeline offline and caused gas shortages all up and down the east coast of the US, an inevitable question was “How can this happen?” Even more perplexing for cybersecurity professionals was learning that rather than falling under the well-established NERC-CIP security framework which covers most of the energy sector, the pipelines had actually been related to the authority of the TSA. This is far from TSA’s area of expertise, but to their credit they had put some guidelines out before the incident… unfortunately, these were simply guidelines, not required.

It is extremely welcome news to see that the US’s most competent cybersecurity agency, CISA, has dove into the fray and helped TSA to establish new requirements… and that they have been made just that: requirements. As we’ve seen over and over unfortunately, cybersecurity investments are neglected in virtually every vertical without outside pressure. Pipelines should be in better shape because of this attack. The question now: what other important infrastructure is sitting out there, falling into the political cracks and being neglected as a result?

Companies beyond the oil and gas sector should look at this guidance, as it will provide a roadmap for how they can protect themselves from attacks of all sorts, because everyone these days is a target of cybercrime and cyberattacks.
