New TSA Pipeline Regulations Announced
I am late to the party on this one. But that’s the side effect of being on vacation.
Last week, the TSA put out new cybersecurity requirements for pipeline owners. No doubt to prevent another Colonial Pipeline situation:
“TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” said TSA Administrator David Pekoske. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”
I have some commentary on this topic.
Chris Warner, OT Senior Security Consultant at GuidePoint Security:
The TSA has announced updates to its Security Directive (SD) aimed at strengthening the operational resilience of oil and natural gas pipeline owners and operators against cyber-attacks. These updates, effective from July 27th, 2023, introduce requirements that may demand additional resources from organizations in order to comply. At a high level, the updated SD includes the following provisions:
- Annual submission of an Updated Cybersecurity Assessment Plan (CAP) for TSA review and approval.
- Reporting of the previous year’s assessment results and providing an annual schedule for auditing cybersecurity measures, with 100% assessment of security measures required every three years.
- Annual testing of at least two objectives of the Cybersecurity Incident Response Plan (CIRP), involving relevant individuals identified in the plan.
- Maintaining existing requirements, such as reporting significant cybersecurity incidents to CISA, designating a cybersecurity point of contact, and conducting a cybersecurity vulnerability assessment (SD Pipeline 2021-01C).
The updated SD introduces several changes:
- Section II.A.3 now requires Owner/Operators to reassess their systems if they change their method of pipeline operations, notifying TSA of a schedule for compliance with the SD’s requirements.
- A new Section II.B.3 clarifies whether an Owner/Operator needs to amend their TSA-approved Cybersecurity Implementation Plan (CIP) based on the updated SD.
- Section II.B.4 has been removed, and Section III.A allows TSA to identify additional Critical Cyber Systems not previously identified during review.
- Section III.F.1.e updates requirements for CIRP exercises, mandating Owner/Operators to test at least two CIRP objectives, such as network segmentation and OT and IT system isolation, at least twice a year. They must also identify two employee positions that participated in the exercises. Additionally, an annual CAP Report must include the assessment results, methods used, and the effectiveness of policies, procedures, and capabilities.
- Section III.G changes the acronym CAP to Cybersecurity Assessment Plan, requiring not only its annual submission but TSA approval. The CAP schedule must assess 30% or more of policies, procedures, measures, and capabilities annually to achieve 100% completion of the TSA-approved CIP within three years.
- Section IV.A now requires referencing previously developed plans, assessments, tests, and evaluations in the CIP and making them available to TSA upon request.
- Finally, Section V.C is a new requirement addressing how documents are written and submitted to the TSA to provide flexibility for future capabilities in enhancing operational resilience.
Overall, these newly introduced provisions mandate that pipeline owners and operators take proactive steps to enhance their systems’ security and protect against potential cybersecurity threats in the oil and natural gas sector. Despite the resource challenges, pipeline owners and operators understand the critical importance of strengthening their cybersecurity measures. While the implementation may be demanding, it is essential to safeguard their systems against potential cyber threats in the oil and natural gas sector. This calls for strategic planning and resource allocation to effectively address the new TSA SD requirements and enhance the overall security posture of these vital infrastructure systems.
Ron Fabela, Field CTO at XONA Systems:
Some minor but interesting updates have been made to TSA SD Pipeline-2021-02D. Interesting bits by section:
Section II – TSA seems to be making some clarifications, additions, and removals of sections based on feedback from the pipeline community or as a result of successes (or lack thereof) with certain requirements. For instance, those owner/operators that have identified no “critical cyber systems” will have to reevaluate when operations change, or now TSA may add “critical cyber systems” that were not previously included. This may be an indication of owner/operator requirement avoidance by simply stating they have no systems applicable to the new regulation. NERC had similar challenges in the early CIP regulation days when asset owners were allowed to self-identify whether they had any “Critical Cyber Assets”. Of course the answer at the time was “none here, regulation not applicable.”
Section III changes incident response plan testing and introduces a new term, “Cybersecurity Assessment Plan”. Changes to exercising the cybersecurity incident response plan are interesting in that they now only require that half of the requirements (at least 2 out of the 4 objectives) be tested annually instead of all. These requirements are not especially rigorous, so one wonders what prompted the change.
Similarly, while Cybersecurity Assessment Plans must now be reviewed and approved by TSA, a section was added only requiring 30% coverage of requirements to be assessed each year, with 100% assessed over any three-year period. Ignoring the obvious math error (3×30%=90%, not 100%), assessing only one third of your security measures a year is a bold outlier to an effective security program.
Section IV changes make an interesting clarification. Use of previous plans, assessments, tests, and evaluations as evidence to meet the SD requirements must now explicitly be incorporated by reference into the CIP and be made available to TSA upon request. With TSA having to make these specific changes, I speculate that owner/operators may have said that they had requirements met by other artifacts but then failed to produce said evidence.
Overall it’s great to see updates being made by TSA to clarify the requirements and in some cases, remove any loopholes as a result of practical application of these Security Directives in the field. I would expect more revisions as assessments and technical evaluation of control effectiveness are conducted in the years to come.
Josh Thorngren, Senior DevSecOps Engineer at ForAllSecure:
The encouraging piece here is that it treats cyber strategy as something that needs to evolve. Most of the changes related to ensuring cybersecurity strategy and implementation are reviewed at least annually seem apparent, but it is a pretty impactful task. It’s easy to think about cybersecurity as ‘maintaining walls’, a legacy of the era where we just cared about the perimeter. This is an acceptance and encouragement to play active defense instead: to continually update and reevaluate. It’s too early to tell the impact, but it’s incredibly encouraging to treat cyber as an evolving posture vs. a fixed one.
At least there were lessons learned from the Colonial Pipeline episode that are resulting in change. And change is good as it will help to make us all safer.
This entry was posted on July 27, 2023 at 8:51 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed.