A closer look at the new TSA oil and gas pipeline regulations

The TSA has announced updates to its Security Directive (SD) to strengthen the operational resilience of oil and natural gas pipeline owners and operators against cyber-attacks.

In this Help Net Security video, Chris Warner, OT Senior Security Consultant at GuidePoint Security, discusses how these newly introduced provisions mandate pipeline owners and operators to proactively enhance their systems’ security and protect against potential cybersecurity threats in the oil and natural gas sector.

Despite the resource challenges, pipeline owners and operators understand the critical importance of strengthening their cybersecurity measures. While the implementation may be demanding, it is essential to safeguard their systems against potential cyber threats in the oil and natural gas sector. This calls for strategic planning and resource allocation to effectively address the new TSA SD requirements and enhance the overall security posture of these vital infrastructure systems.

At a high level, the updated SD includes the following provisions:

1. Annual Updated Cybersecurity Assessment Plan (CAP) submission for TSA review and approval.

2. Reporting of the previous year’s assessment results and providing an annual schedule for auditing cybersecurity measures, with 100% assessment of security measures required every three years.

3. Annual testing of at least two objectives of the Cybersecurity Incident Response Plan (CIRP), involving relevant individuals identified in the plan.

4. Maintaining existing requirements, such as reporting significant cybersecurity incidents to CISA, designating a cybersecurity point of contact, and conducting a cybersecurity vulnerability assessment (SD Pipeline 2021-01C).

The updated SD introduces several changes:

• Section II.A.3 now requires Owner/Operators to reassess their systems if they change their method of pipeline operations, notifying TSA of a schedule for compliance with the SD’s requirements.
• A new Section II.B.3 clarifies whether an Owner/Operator needs to amend their TSA-approved Cybersecurity Implementation Plan (CIP) based on the updated SD.
• Section II.B.4 has been removed, and Section III.A allows TSA to identify additional Critical Cyber Systems not previously identified during review.
• Section III.F.1.e updates requirements for CIRP exercises, mandating Owner/Operators to test at least two CIRP objectives, such as network segmentation and OT and IT system isolation, at least twice a year. They must also identify two employee positions that participated in the exercises. An annual CAP Report must include the assessment results, methods used, and the effectiveness of policies, procedures, and capabilities.
• Section III.G changes the acronym CAP to Cybersecurity Assessment Plan, requiring its annual submission and TSA approval. The CAP schedule must assess 30% or more of policies, procedures, measures, and capabilities annually to achieve 100% completion of the TSA-approved CIP within three years.
• Section IV.A now requires referencing previously developed plans, assessments, tests, and evaluations in the CIP and making them available to TSA upon request.
• Finally, Section V.C is a new requirement addressing how documents are written and submitted to the TSA to provide flexibility for future capabilities in enhancing operational resilience.