The Transportation Security Administration (TSA) late last week announced revisions to its cybersecurity requirements for oil and natural gas pipeline owners and operators to be more flexible to each company’s operations while still aiming to achieve certain critical infrastructure cybersecurity outcomes.
The agency took input from various industry stakeholders and federal partners like the the Department’s Cybersecurity and Infrastructure Security Agency (CISA) to revise their original security directive from July 2021 to make it more “performance-based – rather than prescriptive,” in meeting cybersecurity goals, TSA said in a press release.
“The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” said TSA Administrator David Pekoske.
“We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.”
Despite cyberattacks being a common problem in the past decade, it is only the series of massive attacks last two years on the computer systems of the federal government, the Colonial Pipeline, and the meat producer JBS that have brought mainstream awareness to the need for increased cybersecurity within the government and the private sector.
TSA’s revised and reissued cybersecurity directive is meant to allow the gas pipeline industry to leverage new technologies and be more adaptive to changing circumstances while following four key security outcomes: develop network segmentation policies, create access control measure to prevent unauthorized access to critical cyber systems, build monitoring and detection policies for cyber threats, and reduce risk of exploitation through security patches and updates for software operating systems.
Pipeline owners and operators will be required to take steps to accomplish the following security requirements: establish and execute a TSA-approved Cybersecurity Implementation Plan based on the security directive, develop and maintain a Cybersecurity Incident Response Plan in case of an incident or emergency, and establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures.
These cybersecurity requirements will be implemented alongside the previously established requirements to report significant cybersecurity incidents to CISA, establish a company cybersecurity point of contact and conduct an annual cybersecurity vulnerability assessment.