In recent years, the security of the United States' critical infrastructure has become a pressing concern, particularly in the oil and gas sector, due to its pivotal role in the nation's economy and energy supply. Recognizing this, the Transportation Security Administration (TSA) implements several new directives in July each year aimed at enhancing the security and resilience of vital energy infrastructure against various threats, including cyber-attacks and physical disruptions.
The TSA was founded in 2001 following 9/11, and initially focused on aviation security. However, it later broadened its mandate to include the security of surface transportation and critical infrastructure sectors like oil and gas.
Several attacks against this critical sector in the last few years have influenced these directives. For instance, an attack on the Colonial Pipeline in May 2021 caused a shutdown that impacted consumers and airlines along the East Coast. President Biden declared a state of emergency due to the national security threat posed by the event, as the pipeline is crucial for transporting oil from refineries to industry markets.
Also, at the end of January this year, FBI Director Christopher Wray testified before Congress that Chinese government-backed attackers are homing in on US infrastructure and preparing to "wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike." Wray's testimony shone the spotlight on the potential consequences that attacks on US critical infrastructure could bring about and highlighted the importance of protecting it at all costs.
What the New Directives Require
The most recent updates to this directive impose specific obligations on oil and natural gas pipeline owners and operators to strengthen their cybersecurity defenses.
- Owners and operators must submit an updated Cybersecurity Assessment Plan to the TSA annually for review and approval. This plan outlines measures to address cyber threats within their operational framework.
- Additionally, they must provide detailed reports on the outcomes of previous assessments and a schedule for evaluating and auditing specific cybersecurity measures. The TSA mandates a comprehensive evaluation of 100% of security measures every three years to ensure effectiveness.
- Furthermore, owners and operators are required to test at least two Cybersecurity Incident Response Plan (CIRP) objectives annually. This includes involving key personnel identified in the CIRP in annual exercises to enhance preparedness and coordinate responses to potential cyber incidents.
Moreover, the TSA has the authority to request and inspect various documents to assess an entity's compliance status. These may include:
- Inventory of hardware and software assets, including supervisory control and data acquisition systems
- Firewall rules
- Network diagrams, switch and router configurations, architecture diagrams, publicly routable internet protocol addresses, and virtual local area networks
- Policy, procedural, and other related documents
- Data reflecting activity within and between informational and operational technology systems, such as log files
The Impact on the Industry
The implementation of these directives is a major shift for the oil and gas industry, which has traditionally operated with less regulatory oversight when it comes to cybersecurity. The increased focus on security has several implications:
Higher Costs: Compliance with the new directives requires investment in monitoring, evaluation, and IR testing. While this may strain budgets in the short term, the long-term benefits of enhanced security and reduced risk of disruptive incidents justify the expense.
Operational Changes: The need for continuous monitoring and rapid incident reporting will fuel changes in operational procedures. These entities must integrate new technologies and develop a culture of security awareness among employees.
Collaborative Efforts: The directives will drive greater collaboration between the oil and gas sector and government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA). This partnership is crucial for sharing threat intelligence and coordinating incident responses.
Compliance: In addition, pipeline operators will be subject to hefty penalties should they fail to comply with the TSA. Not only could they lose their business licenses, but penalties for non-compliance begin at $7,000 per day.
Challenges and Opportunities
While the new TSA directives present several challenges, they also offer opportunities for the oil and gas industry:
Implementing the required measures can be technically complex and resource-intensive, and smaller operators, in particular, may struggle with the financial and logistical demands of compliance. Additionally, the evolving nature of cyber threats means that companies must continuously update their security practices to stay ahead of malicious actors.
On the plus side, the directives drive innovation in security technologies and practices. Organizations that invest in robust security frameworks can gain a competitive edge by demonstrating their commitment to safety and reliability. Also, enhanced security can protect against not only cyber threats but also operational disruptions, thereby improving overall business resilience.
How Fortra's Tripwire Can Help
Fortra's Tripwire enables pipeline operators to automate the enforcement of security controls and monitor changes, supported by audit-ready reporting. It does this in several ways:
Identify critical cyber systems: Fortra VM efficiently discovers all critical cyber systems through their IP addresses and seamlessly integrates with other solutions designed to identify cyber asset systems within operational technology (OT) environments.
Network segmentation and controls: Tripwire Enterprise provides continuous monitoring of the configuration settings of network devices, ensuring the integrity of network segmentation.
Access control measures: It also monitors changes to Active Directory and to group policy objects (GPOs).
Continuous monitoring and detection: Tripwire Enterprise excels in continuous monitoring and detection, integrating file integrity monitoring (FIM) and security configuration management (SCM) to identify suspicious changes and enforce cybersecurity policies, such as those mandated by the TSA.
Security patches and updates: Fortra VM identifies vulnerabilities and pinpoints where patches are required, while Tripwire Enterprise Dynamic Software Reconciliation validates the integrity of patches, ensuring that only authorized changes are made.
Cybersecurity incident response plan: As part of an incident response plan, Tripwire can detect system drift to identify potential malware installations and maintain system integrity.
Cybersecurity assessment plan: Tripwire conducts industrial cybersecurity assessments and evaluates an entity's security posture by monitoring configuration states and identifying vulnerabilities, assigning severity scores accordingly.
Securing Energy Infrastructure
The TSA's new oil and gas security directives mark a critical step towards safeguarding the nation's energy infrastructure. By mandating comprehensive cybersecurity and physical security measures, the directives aim to protect against the increasing threats facing this vital sector.
While the path to compliance may be challenging, the long-term benefits of enhanced security and resilience make it a necessary investment. As the oil and gas industry adapts to these new requirements, it will not only bolster its defenses against threats but also pave the way for a more secure and stable energy future.