As of May 28, 2021, pipeline operators doing business in the USA are under a new security directive on pipeline cybersecurity from the TSA (Transportation Security Administration). For owner/operators who have a strong security practice, the adjustments will be straightforward, but I expect there is significant work to do for many who apply security practices in a less structured way.
This directive has 3 requirements:
- Reporting: As of June 28, owner/operators are required to report security incidents to the TSA and CISA within 12 hours of the incident.
- Coordinator role: Additionally, owner/operators are required to have identified a “corporate level” security coordinator that must be available to the TSA and CISA 24/7.
- Vulnerability assessment: Perform a vulnerability assessment to identify any gaps, then develop and implement appropriate remediation measures.
Let’s take a closer look at how this works. The third requirement points to a supporting document of pipeline security guidelines from the TSA that has been out for a few years. These guidelines have been recommendations until now, but with this directive, they become requirements for compliance. Each company is required to “… review their current activities against TSA’s recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA.” [TSA Security Directive Pipeline-2021-01]
This mandated activity will likely become a periodic event (e.g., annual) that could be enforced with audits and other governance mechanisms. The process of assessing security risks and then building a plan to remediate gaps is not a new one, but until now it hasn’t been mandated by anyone. This is where the urgency comes in.
The requirement to report incidents and the potential for regularly scheduled assessments will likely accelerate cybersecurity deployments within line of business operations.
If you are one of the owner/operators that the TSA has sent this directive to, I’d like to offer some help. At Cisco, we have security practitioners and partners that do security assessments, mitigation planning, infrastructure deployment and incident response work, and they’re passionate about it.
Please reach out to your Cisco account team for more information, or feel free to message me directly: Roland Plett on LinkedIn