TSA Issues New Cybersecurity Directive for Oil Pipelines
Directive Emphasizes Continuous Monitoring and Assessments
U.S. federal regulators say they're aiming for a less rigid approach to oil pipeline cybersecurity through new guidelines that went into effect slightly more than a year after a ransomware attack caused gasoline shortages across America's South and East Coast.
Among the changes approved by the Transportation Security Administration is a longer incident reporting period - now doubled to 24 hours - and a "flexible, performance-based approach." The new directive is a precursor to formal pipeline cybersecurity regulations the agency says will be forthcoming.
The agency, best known for its role in airport security, has been the pipeline cybersecurity regulator for two decades. Until last year, it relied on voluntary measures. The agency scrambled to update its approach with mandatory directives after a May 2021 ransomware incident that resulted in a six-day shutdown of 5,500 miles of infrastructure operated by Colonial Pipeline. Two economists calculate that the incident boosted consumer gas prices by an average of 4 cents per gallon.
This updated directive comes after what the TSA says was "extensive" input from industry.
"The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements," said TSA Administrator David Pekoske.
It calls for continuous monitoring that can intercept phishing emails, block malicious macros from executing and audit any communication between an operational technology system and an external system that appears out of the ordinary. Operators also have to keep logs.
Among the areas where pipeline operators will have more leeway is implementing multifactor authentication. Colonial's chief executive blamed the event on a single stolen password linked to an old user profile, leading many to ask why the company didn't impose layers of logon security by requiring users to supply not just a password but to present additional evidence of legitimacy (see: House Probes Specifics of Colonial Ransomware Attack).
The new directive tells operators they can skip multifactor authentication for access to industrial control workstations in control rooms if they document compensating controls.
Patch management also gets an update, with pipeline operators now told to install updates consistent with their own risk-based methodology, so long as critical security patches are kept current.
In addition, the new directive calls for an assessment program to test and audit the effectiveness of cybersecurity measures.
Pipeline cybersecurity has been a concern for at least a decade now, with federal authorities identifying a Chinese state-sponsored campaign against 23 American natural gas pipeline operators that started in 2011 and lasted two years.