US administration releases second security directive for critical pipeline owners and operators

The U.S. Department of Homeland Security’s Transportation Security Administration (TSA) division released on Tuesday its second security directive that requires TSA-designated critical pipeline owners and operators that transport hazardous liquids and natural gas to enforce a number of urgently needed protections against cyber intrusions. 

The security directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology (OT) systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review, according to a statement released by the TSA.

“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Secretary of Homeland Security, Alejandro N. Mayorkas said in the statement. “Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

The Department’s Cybersecurity and Infrastructure Security Agency (CISA) has advised the TSA on cybersecurity threats to the pipeline industry, as well as technical countermeasures to prevent those threats, during the development of this second security directive.

Like the initial security directive from the transport agency, the latest move comes in direct response to the ongoing cybersecurity threat to pipeline systems following the Colonial Pipeline ransomware attack, which forced the pipeline company that runs from Texas to New Jersey, to shut much of its network for several days in May, leaving thousands of gas stations across the U.S. Southeast without fuel. The closure of the 5,500-mile (8,900-km) system was considered one of “the most disruptive cyberattack on record, preventing millions of barrels of gasoline, diesel and jet fuel from flowing to the East Coast from the Gulf Coast.”

As a result of the initial security directive, critical pipeline owners and operators were required to report confirmed and potential cybersecurity incidents to CISA, designate a cybersecurity coordinator to be available 24 hours a day, seven days a week, review current practices, in addition to detecting any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

“Today’s second directive outlined cybersecurity imperatives for pipeline systems, and this is the first time the federal government has specifically noted the protection of operational technology (OT) from ransomware, which extends beyond IT environments,” Duncan Greatwood, Xage CEO, said in an emailed statement. “It’s also the first time they’ve emphasized the need to invest in security solutions that can truly protect assets, showing a heightened focus on prevention as opposed to just detection and response.” 

“While the specific requirements weren’t shared publicly, given the recent interest in a zero-trust approach, including in President Biden’s May 12 Executive Order, we anticipate that these additional DHS directives will continue to push, and ideally incentivize, pipeline operations to adopt a zero-trust security architecture. There is growing consensus across the industry that zero trust is the best way to protect crucial systems and block cyber attacks,” Greatwood added. 

“My general belief is that operators are not able to deal with modern threats as per the Colonial shutdown because A) they didn’t know what to do or how far it went, and B) they needed time to actually recover the files once they paid (the biggest part of the delay),”  Ron Brash, director of cybersecurity insights at Verve Industrial, said in an emailed statement. 

“Most operators do not have enough visibility into these environments, much less tooling to deal with a threat – especially in highly distributed, but flat networks – it would be tough, and given the age of most pipelines… even tougher than most would like to admit,” Brash added.

“The TSA Pipeline Security Guideline update and the TSA Security Directive are just the tip of the cybersecurity iceberg. With a set of recurring activities that must occur and a keen eye on oil and natural gas operations, cybersecurity can no longer be isolated from the corporation and other enterprise-wide risks,” Jason D. Christopher, a Dragos executive, wrote in a company blog post, ahead of the release of the second security directive by the TSA.

“We can no longer rely on ‘airgaps’ based on how our industry must do business. Instead, understanding and managing these interconnected systems have to be baked into the DNA of our operations, and this is just the start,” Christopher added. “Cybersecurity is a journey, not a destination. Even with a significant push, like the one pipeline owners and operators and owners just experienced, this is just one step on that larger journey.”

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.