Last spring, a ransomware attack forced Colonial Pipeline to shut down. The weeklong recovery disrupted retail gasoline delivery throughout the Southeastern US. Colonial's pipeline is only a fraction of the more than 230,000 miles of pipeline across the US carrying hazardous liquids and carbon dioxide. The incident spurred the Transportation Security Administration (TSA) to hastily impose new cybersecurity rules on the pipeline industry. Some rules were voluntary, but others were very specific and onerous, such as the requirement to report cyber intrusions to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of a cybersecurity incident being identified. In addition to the overly prescriptive requirements, TSA did not initially release the full set of rules publicly; they were shared with only a select number of industry representatives. This lack of transparency added to the backlash from oil and gas companies, industry experts, and trade groups who wanted more collaboration.
TSA has since relaxed those rules in response to concerns from pipeline companies and industry experts. It revised the initial guidelines and reissued the security directive with more input from stakeholders. TSA wisely shifted its approach to describing the specific outcomes that must be achieved, such as preventing unauthorized access to critical systems, while leaving the "how" to individual pipeline owners and operators. Pipeline companies now have more flexibility to determine the best implementation for meeting these regulatory requirements.
TSA's willingness to adjust requirements based on industry feedback is welcome, but the days of non-existent or mostly voluntary cybersecurity regulation for critical infrastructure are ending. The US government is imposing more regulation to increase transparency of cyber incidents and protect the nation's critical infrastructure. All critical infrastructure industries, not just pipelines, are being scrutinized under new and pending regulations such as:
Concerns over compliance burdens, penalties, and compatibility with existing infrastructure are valid, but they must be weighed against the rise in critical infrastructure attacks and the longer lead time needed to update or patch OT environments. Because the consequences of critical infrastructure incidents are higher, these industries should expect to be held to higher regulatory standards.
Follow these three steps to build an operational technology (OT) security strategy:
- Gain accurate asset visibility across your network. You cannot protect what you don't know you have. Armed with this inventory, segment your network to protect vulnerable assets and develop a cybersecurity roadmap to strengthen operational activities like monitoring and patching. Use security solutions tailored to the unique characteristics of OT environments (long-lived devices, industrial protocols, and limited patch windows). Build attestation into your program from the start: you need to prove these controls are working properly, with evidence, to demonstrate compliance.
- Develop cyber incident response procedures and weave regular exercises into your existing safety programs. Practice, practice, practice. Become as proficient at responding to cyber disruptions as you are at responding to weather-related outages. Hardening OT environments takes time, so you must be prepared to react to and recover from cyber-attacks in the meantime. Obtaining an incident response retainer with a trusted partner who specializes in OT cyber incidents is a best practice regardless of your in-house capabilities. Your incident response plan must also include a process for timely reporting of cyber incidents, since this requirement will surely appear in future regulations.
- Get involved, or stay active, in public/private partnerships. Collaborate with your colleagues and partners to bring a unified voice to the regulators. As TSA demonstrated, regulators are willing to find equitable solutions, but they need your input to do so.
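The first step above (inventory, segmentation, attestation) is the one that lends itself to a concrete, repeatable check. The following is an added illustrative example, not code from the original post or from TSA. It reconciles a constructed asset inventory against hosts observed on the wire, flags unknown devices, and verifies that IT-zone sources cannot reach OT assets directly on industrial protocol ports under a given firewall policy. The zone names, the asset list, the port-to-protocol map, and the two policies are all assumptions made up for the example; a real program would feed it its own inventory export and rule base.

```python
"""Reconcile an OT asset inventory against observed hosts and verify that
IT-to-OT segmentation holds. Added example with constructed data only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed short list of industrial protocols to keep out of reach of the IT zone.
OT_PROTOCOL_PORTS: Dict[int, str] = {
    102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
}


@dataclass
class Asset:
    name: str
    ip: str
    zone: str                              # assumed zones: "IT", "DMZ", "OT"
    ports: Set[int] = field(default_factory=set)


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]                # None means any port
    action: str                            # "allow" or "deny"


def find_unknown_hosts(inventory: List[Asset], observed_ips: List[str]) -> List[str]:
    """Hosts seen on the network that the inventory does not know about."""
    known = {a.ip for a in inventory}
    return sorted(ip for ip in set(observed_ips) if ip not in known)


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match policy evaluation with an implicit default deny."""
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.dst_port in (None, port):
            return r.action
    return "deny"


def segmentation_findings(inventory: List[Asset], rules: List[Rule]) -> List[str]:
    """OT assets whose industrial protocol ports the IT zone can reach directly."""
    findings = []
    for a in inventory:
        if a.zone != "OT":
            continue
        for port in sorted(a.ports):
            if port in OT_PROTOCOL_PORTS and first_match(rules, "IT", "OT", port) == "allow":
                findings.append(f"{a.name} ({a.ip}) reachable from IT on "
                                f"{OT_PROTOCOL_PORTS[port]}/{port}")
    return findings


def attestation_report(inventory: List[Asset], observed_ips: List[str],
                       rules: List[Rule]) -> dict:
    """Evidence a reviewer can re-run: the control passes only if every observed
    host is inventoried AND no IT-to-OT industrial protocol path is allowed."""
    unknown = find_unknown_hosts(inventory, observed_ips)
    findings = segmentation_findings(inventory, rules)
    return {
        "assets_inventoried": len(inventory),
        "hosts_observed": len(set(observed_ips)),
        "unknown_hosts": unknown,
        "segmentation_findings": findings,
        "compliant": not unknown and not findings,
    }


# Constructed sample data (not from any real site).
INVENTORY = [
    Asset("eng-ws-01", "10.10.1.20", "IT", {445, 3389}),
    Asset("historian", "10.20.1.5", "DMZ", {1433}),
    Asset("plc-01", "10.30.1.10", "OT", {502}),
    Asset("rtu-07", "10.30.1.11", "OT", {20000}),
    Asset("hmi-01", "10.30.1.20", "OT", {502, 3389}),
]
# Constructed list of IPs seen by passive monitoring; one is not in the inventory.
OBSERVED_IPS = ["10.10.1.20", "10.30.1.10", "10.30.1.11", "10.30.1.20", "10.30.1.99"]

# Weak policy: a legacy "IT may reach OT on any port" rule after the intended ones.
WEAK_RULES = [
    Rule("IT", "DMZ", 1433, "allow"),
    Rule("DMZ", "OT", 502, "allow"),
    Rule("IT", "OT", None, "allow"),
]
# Hardened policy: the same intended paths, with IT-to-OT explicitly denied.
HARDENED_RULES = [
    Rule("IT", "DMZ", 1433, "allow"),
    Rule("DMZ", "OT", 502, "allow"),
    Rule("IT", "OT", None, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, attestation_report(INVENTORY, OBSERVED_IPS, rules))
```

Note that the hardened policy alone does not make the report compliant: the unknown host 10.30.1.99 still fails it, which is the point of putting inventory first. Re-running a check like this on a schedule, and keeping its output, is the kind of evidence an auditor can accept as attestation that the control is working rather than merely documented.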
Don't wait until regulations become final. Focus on getting the fundamentals right rather than on the specifics of pending legislation. Consistency in cybersecurity requirements across government entities is unlikely, given the fragmented nature of government agencies and the diversity of critical infrastructure industries. If you address the foundational elements of sound cybersecurity hygiene instead of chasing individual requirements, you will be positioned to handle new regulations as they arrive and will improve your cyber resiliency along the way.
Where to Find More Information
You can find the complete text of the pipeline security directives here: