TSA issues second cybersecurity directive for pipeline companies

Experts applaud the agency's new, detailed security requirements for US pipeline operators but question how they will be enforced or monitored.


The Department of Homeland Security's (DHS) Transportation Safety Administration (TSA) yesterday announced a second security directive that requires owners and operators of TSA-designated critical pipelines to implement cybersecurity measures that help protect against malicious digital incidents. This directive is a more expansive follow-up to an initial pipeline security directive issued on May 27, roughly two weeks after the highly disruptive ransomware attack against Colonial Pipeline.

The initial directive required pipeline companies to report cybersecurity incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA). It also required pipeline owners and operators to designate a cybersecurity coordinator available around the clock to coordinate cybersecurity practices and any cybersecurity incidents with TSA and CISA. Finally, that directive required companies to examine their cybersecurity practices and assess risks, identify gaps, develop remediation measures, and report the results to TSA and CISA.

New security measures pipeline owners must meet

This second directive addresses in detail the security requirements that pipeline owners must have in place. TSA says the new directive requires owners and operators "to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review."

The directive reportedly contains mandates regarding password updates, disabling Microsoft macros, and programmable logic controllers (PLCs). Sources close to the pipeline asset owner community who have seen the directive tell CSO they are surprised at the speed with which TSA issued the second, particularly given that TSA had said as late as last week that the directive wouldn't be available for many weeks.

The directive contains additional measures addressing a wide range of topics, such as antivirus protection, malware protection, detection technologies, ingress and egress communications, system segmentation, multi-factor authentication (MFA), zero trust, and any workarounds that might be needed. One requirement asks pipeline companies to change all passwords.

The directive says that pipeline owners and operators can suggest alternatives to the above security measures for TSA's review on a per asset owner, per pipeline segment basis, sources say. The due dates for the various requirements range from 60 days to 365 days.

Penalties for failing to meet security measures are unclear

A crucial component missing from the directive is any discussion of an enforcement mechanism that comes into play if companies fail to abide by the provisions. A media representative for TSA tells CSO that the directive would "be enforced by TSA under appropriate statutory and regulatory authorities. Failure to comply with the [directive], including the requirement to report cybersecurity incidents and conduct an assessment, could result in civil penalties levied against an owner/operator."

When pressed on the specific statutory and regulatory authorities behind the directive, TSA did not respond. TSA has a published Enforcement Sanction Guidance Policy, which outlines financial penalties for aircraft operators and carriers, airports, cargo transporters, freight rail carriers, shippers, bus owners and operators, and even individual travelers. However, absent from TSA's enforcement provision is any mention of pipeline companies.

Patrick Miller, founder of the EnergySec consortium and now CEO of Ampere Industrial Security, tells CSO that he's uncertain how TSA can enforce the directive. "With other regulations, such as NERC-CIP, there's an enforcement structure in place," Miller says. "In addition to which there is a penalty structure. You know what your fines could be based on certain risk levels and severity levels. You don't have any of that with [the TSA directive]. So, I don't know if the TSA has the authority to impose penalties. They may have the authority to impose sanctions."

Miller says he's also unclear who would be calling the shots when implementing and enforcing the directive, given that multiple agencies, including TSA, CISA, and the FBI, have a role to play. "My concern is that in the event they've got something like another Colonial, are we going to be having some kind of turf battle over who is taking the lead? I would love to see some clarity here on how are we going to be able to handle an incident going forward from a federal standpoint that keeps it simple and nimbler for a company to solve a problem."

Directive should improve pipeline security

Aside from these concerns, Miller thinks TSA's directive is a positive development. "I think it's a good thing. We're trying to mandate and mobilize and equalize more of the basics," he says.

The burden of the directive will fall mainly on companies that don't already have adequate cybersecurity. "Had they already been doing all of these things per [earlier, voluntary] TSA pipeline guidelines, this would probably not be a heavy lift," Miller says. "The better security posture you already have, the less this is going to impact you."

Marco Ayala, ICS cybersecurity and sector lead, 1898 & Co. (part of construction engineering firm Burns & McDonnell) and sector chief of the FBI's Maritime Domain InfraGard group, also thinks the TSA's second directive is a step in the right direction. "It's been a long time coming," he tells CSO. "There are some really good things to come out of this. There will be more robust security. It's going to require senior-level management to make sure that security is taken seriously, all the way down to the field assets."

Meeting the mandates requires financial investment

Because of the complexity of industrial cybersecurity, the cost of meeting TSA's mandates will likely be high. "I would like to see companies that are under the security directive have the ability to request grants from the federal government to help deploy some of the things that are in the directive," Ayala says.

Lesley Carhart, principal industrial incident responder at the industrial cybersecurity company Dragos, agrees that cost is a big factor in meeting cybersecurity objectives. "Mandatory compliance can be an important aspect of cybersecurity, but it is also critical to provide organizations the human and technical resources necessary to succeed at cybersecurity," she tells CSO. "Organizations will need to dedicate appropriate human and financial resources to combating increasing threats against critical infrastructure."

TSA may lack the necessary talent to monitor compliance

Ayala thinks TSA will likely struggle to find cybersecurity talent capable of monitoring and assessing pipeline companies' compliance with the directive. "Who is going to actually inspect this?" he asks. "If TSA is going to inspect this, how are they going to be able to staff that? Some of the requirements are highly sophisticated. You're not going to get any inspector to say, 'Oh, I know what I'm looking at. It's a firewall.' TSA is not going to have the savvy to do these assessments."

Hiring more cybersecurity experts to work at TSA does not appear to be a solution due to the government's steep competition from the private sector. "The Coast Guard is still trying to hire cybersecurity professionals, but they can't get anybody to take a $30,000 to $40,000 pay cut," Ayala says. "You love your country, but you've got to pay the mortgage."

TSA's only options, then, will be third-party consulting firms, which should be American firms, Ayala says. "It's US critical infrastructure, and none of this should leave the continental US. You've got large consulting companies overseas such as Accenture, Deloitte and KPMG. They're all European. They're allies today, but who's to say they won't be enemies tomorrow. So, you need to make sure that third-party assessors are US-based, US-formed companies assessing US infrastructure."

Copyright © 2021 IDG Communications, Inc.
