Summary: A May 2021 oil pipeline attack prompted the TSA to take a fresh look at industry security standards. Like many other critical national infrastructure sectors, legacy-related challenges prevent pipeline companies flush with cash from defending against cyber threats at the top level. The recent regulatory changes represent a shift in outlook in how organizations view future security implementations and offer pipelines much more autonomy in the process.
In the wake of a national pipeline security incident back in May 2021, the TSA (Transportation Security Administration) mandated some urgently needed security reforms across the industry. In the year and a half since the attack, cyber threats to the oil and gas sector have only intensified, and yet the sector – despite its powerful access to resources – continues to fall short in response and prevention. That’s why TSA decided to take a good, hard look at industry security requirements and why they’re falling short. The result was a more customizable, performance-based, streamlined set of standards that aligns better with federal pipeline safety regulations. “More” isn’t always better – in this case, it’s “different.”
The Need for New Regulations
As National Championship-winning Ohio State football coach Urban Myer said in his book Above the Line, “If you don’t identify and expose the issue, you are never going to solve it.” So that’s what they did. In the words of several key pipeline leaders, here are some of the main challenges observable from the ground floor that prompted the need for increased cybersecurity effectiveness in the O&G industry.
- Companies felt stymied by compliance-based past approaches. That’s why now, “The reissued security directive takes an innovative, performance-based approach to enhancing security, allowing industry to leverage new technologies and be more adaptive to changing environments,” as the TSA website explains. Industrial Cyber calls it “a paradigm shift from a prescriptive, compliance-based standard to a functional, performance-based standard.” After all, even within the same industry, companies can be faced with different security challenges.
- One size does not fit all. Sizes of oil and gas companies vary – from municipal plants to billion-dollar corporations – and the “one size fits all” approach of past methods proved – well, disastrous in some cases. TSA Administrator David Pekoske states, “This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry…We recognize that every company is different, and we have developed an approach that accommodates that fact.”
- Too many directives can be confusing. This edition tries harder to align with already determined federal guidelines that O&G companies are already under, such as the NIST Cybersecurity Framework (CSF), API 1164, and the ISA/IEC 62443 series. These weak points highlight the challenges addressed by the second: to “Reduce risks to, and strengthen the resilience of, America’s critical infrastructure.”
Threats to the Oil and Gas Sector
Considering all that the O&G sector is up against, it becomes obvious why the industry would need to completely re-tool a less-than-effective approach.
- Larger and smaller organizations are not on the same page. When looking at the top 10 oil and natural gas pipeline owners, average sales for the past year ranged anywhere from $6B+ to $54B in sales. However, that’s not the problem. Don Ward, senior vice president for global services at Mission Secure, pointed it out: “At a 35,000-foot view, it looks ok. However, these larger companies have been built over the years by acquiring smaller regional O&G companies and integrating them into the larger corporate entity. These integrations take years, and many are stitched together with existing disparate tech stacks and resources without a company-wide fully enforced standard.” Too many individual strategies and technologies – not enough top-down consistency.
- The cyber skills gap handicaps OT security. While the lack of qualified cybersecurity professionals is impacting industries across the board, it is a particular challenge for O&G organizations (and critical infrastructure sectors as a whole) that rely on operational technology due to the nature of their work. “OT networks is like a wild wild west at the moment,” noted Alex Matrosov, CEO and co-founder at Binarly. That’s why he believes “it is extremely important to protect the operating system activity, but real security begins from the hardware and firmware.”
- IT and OT need to mix safely. The skills gap exacerbates an already prevailing problem – as all industries move towards increased digitization, old OT is mixed with new IT technologies at a rate that security can’t sustain. Says Padraic O’Reilly, chief product officer and co-founder at CyberSaint, “OT cyber is historically tricky with respect to patch cycles, and there is a great deal of variance across the industry. So a one size fits all approach that erred on the side of IT cyber—well, that stuck the practitioners as the wrong approach.”
New Outcomes, New Requirements
In response to the above threats and looking through the lens of a more customizable, streamlined approach, the TSA came up with the following regulatory changes for the safety of the oil and gas sector:
New outcomes O&G companies will need to achieve:
- Create network segmentations contingencies so that OT can continue to run if IT is compromised
- Prevent unauthorized access to critical systems by creating access control measures
- Implement continuous monitoring, detection, threat detection, and response for critical systems
- Patch and update operating systems regularly for all applications, drivers, and firmware on critical cyber systems
New requirements for pipeline owners and operators:
- A TSA-approved Cybersecurity Implementation Plan outlining specifically how they will accomplish the new outcomes outlined above.
- A Cybersecurity Incident Response Plan that delineates the actions O&G operators will take in the event of a cyberattack.
- A Cybersecurity Assessment Program that audits security measures and resolves vulnerabilities on a regular basis.
What This Means for Pipelines
Overall, the TSA regulatory changes align with sound leadership principles: deliver clear, consistent goals and trust your players to accomplish them in the way they see best. They mandate the same outcomes across the board and allow pipelines more autonomy over how they get those done – accounting for the fact that each pipeline is different and leveraging the hard work they’ve already done to stay current with federal guidelines.
In summarizing the long-term effect these changes will have on O&G organizations, Ward notes, “This is an arduous ongoing journey, and the TSA’s performance-centric objectives realize that it has to be a lifecycle management process, identified, documented, prioritized, tracked, improved upon, and audited continually over time.” This lifecycle management process – instead of a blind chase of compliance requirements that may or may not be applicable to all – is where pipeline companies need to start and where they need to end up. Dynamic solutions – from cyber and physical security convergence to incident response and recovery – respond to industry-specific challenges, and managed security service options help companies get on the right track and get stuff done.
ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.
Contact Us: https://itegriti.com/contact/
ITEGRITI Services: https://itegriti.com
Never miss an insight. Click here to follow ITEGRITI on LinkedIn and our insights will appear in your LinkedIn feed upon publication.