A comprehensive cybersecurity self-assessment sent to pipeline owners and operators in late May by the Transportation Security Administration (TSA) is a clear signal that the federal homeland security apparatus is fully engaged in getting ahead of future attacks. The security directive (SD) was issued in consultation with the Cybersecurity and Infrastructure Security Agency (CISA), with completed assessments due back by June 28, 2021.
Though framed as an assessment of which security measures have been put in place in response to the TSA pipeline security guidelines released in 2018, operators should view it as the first step toward mandatory compliance with definitive standards.
The SD went out shortly after the Colonial Pipeline ransomware attack that shut down that pipeline system for five days and raised alarm throughout the country. Though much of the ransom has since been recovered, attacks on pipelines and other critical infrastructure are widely expected to continue as more industries prove vulnerable to cyberattacks.
As of mid-2021, the industry is primarily in the guidelines and voluntary compliance phase. The SD only stipulates that the assessment be returned by June 28, but it also imposes new requirements for staffing and incident reporting. For instance, if a cybersecurity incident is detected, whether or not the attack succeeded, it must be reported to CISA within 12 hours. The directive also requires pipeline operators to designate a cybersecurity coordinator. This can be an existing position, but it must be filled by a U.S. citizen who is eligible for a security clearance. The coordinator serves as the primary contact for TSA and CISA and must be available 24 hours a day, seven days a week.
The assessment section of the SD requires pipeline owners and operators to review their current cybersecurity practices against 18 specific sections of the 2018 security guidelines. The assessment is a checklist with yes/no responses to questions covering the full scope of the guidelines. The goal is to identify current risks and gaps and to describe any remediation measures already underway.
For example, the sections ask what steps have been taken to protect the operational technology (OT) and supervisory control and data acquisition (SCADA) systems needed to operate pipelines, compressor stations, booster stations and any other portion of critical pipeline infrastructure.
This Isn’t Punitive (Yet)
An operator that answers "no" to a number of questions is not in trouble. This is intended as a true self-assessment, and truthful answers will be viewed favorably by TSA and CISA.
It should be viewed as a good-faith effort by the Department of Homeland Security to work in partnership with, and assist, pipelines and private industry in general. However, companies that provide inaccurate or untruthful responses, or simply do not respond, should expect a firm response. TSA has statutory authority to enforce its directives and can levy civil penalties and other sanctions against companies that fail to comply.
Of course, companies that report relatively low levels of preparedness should expect follow-up from the federal agencies seeking clarification of the shortcomings. The agencies can conduct their own audits to identify gaps and weaknesses, but those audits come at taxpayer expense and can take considerable time.
Companies that confirm deficiencies on the TSA assessment may be well advised to engage third-party cybersecurity firms for vulnerability and risk assessments. 1898 & Co. is one such firm, providing operational and risk assessments, vulnerability assessments, threat monitoring and threat detection.
Where Is This Going?
Realistically, oil and gas pipeline owners and operators should expect more prescriptive regulatory requirements in the future.
There is no question the pipeline industry has been leery of cybersecurity regulation along the lines of the NERC CIP standards in force for the electric utility industry. These critical infrastructure protection (CIP) standards, issued by the North American Electric Reliability Corp. (NERC), set definitive security and control requirements for the cyber systems that operate the bulk electric system.
The electric utility industry has had the advantage of several years' effort implementing defense-in-depth strategies to protect the grid from attack. Many of the lessons learned there can now be applied as other industries strengthen their defensive postures.
Pipelines have had some flexibility in implementing cybersecurity strategies, but there is now a view that it is time to reel some of that flexibility back in. The oil and gas industry is taking cybersecurity seriously, but recent events demonstrate that things can always be done better. In the Colonial Pipeline incident, the company had performed penetration testing yet still did not detect the weak point: a legacy virtual private network (VPN) account that was still active and was not protected by multi-factor authentication.
Catching everything is not an easy task. Attackers only need to be lucky once, while defenders need to be on their game 100% of the time. As an industry and as a nation, we must create and maintain a robust security design that gives us greater visibility into our critical systems.
Digital innovation allows organizations to make better decisions, but it also increases their exposure to cyberthreats.