TSA reissues cybersecurity directives to develop tailored plans for pipeline systems

The Transportation Security Administration (TSA) released updated directives that addressed the need to fight cybersecurity breaches that continue to haunt the oil and natural gas pipeline. The TSA issued a revised Security Directive with inputs from industry stakeholders, federal partners, and the Department’s Cybersecurity and Infrastructure Agency (CISA). The revised directive follows the directive announced in July 2021 and extends cybersecurity requirements. This directive updates the previous directive of 2021-02B, which was issued in the wake of the cyberattack on one of the nation’s largest interstate oil pipelines.

The directive incorporates a new model that is performance-based and accommodates variance in the system to meet security requirements. The TSA Administrator David Pekoske told The National Law Review, “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes”. The directive was revised to achieve critical cybersecurity outcomes. Several security directive mandates were implemented on a significant pipeline following the May 2021 ransomware attack. This helped pipeline owners and operators to implement critically required cybersecurity measures.

The formal rulemaking process to accept public comments will begin soon. The directive urges the TSA-specified owners and operators of pipeline and liquefied natural gas facilities to take responsible actions to avoid disruption and degradation of their infrastructure. They are instructed to develop network segmentation policies and access control measures, build continuous monitoring policies and reduce risk with the help of security patches.

Updates for operating systems, drivers, applications, and firmware on critical cyber security systems need to be implemented. Pipeline owners need to maintain a Cybersecurity Incident Response Plan to include the measures they will take in case of cybersecurity incidents. They will also be able to evaluate and audit the effectiveness of the measures taken to curb and resolve vulnerabilities within devices, networks, and systems.

What caused the revision?

The revision can be traced back to the ransomware attack on Colonial Pipeline in May 2021. The attack, which was carried out through a compromised billing system, led to the temporary halt of pipeline operations. The company decided to close the pipeline as a precaution to prevent unauthorized individuals from accessing vital information.

In the attack, malicious actors were able to steal about a hundred gigabytes of data. They then threatened to release the data online if a ransom was not paid. Following the incident, various states reported shortages of gasoline. Some of these included Alabama, Florida, Georgia, South Carolina, and North Carolina.

According to reports, around 70% of the gas stations in these areas ran out of fuel. Due to the situation, American Airlines temporarily changed the flight schedules of some of its customers. After the state of emergency was declared in response to the fuel shortages, the restrictions on the transportation of fuel were lifted.

Following the incident, several members of Congress criticized the government’s response to the issue. They also questioned the country’s strategy to protect its industries from cybercrime.