TSA Publishes Pipeline Cybersecurity Directive
Yesterday the Transportation Security Administration (TSA) published “Security Directive Pipeline-2021-01”, designed to enhance the cybersecurity of critical pipelines. The action is a response to the Colonial Pipeline ransomware attack earlier this month, which shut down a pipeline that supplies much of the East Coast's fuel.
Actions to be Taken
The new Security Directive requires owners and operators of identified critical pipelines to:
Report cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA).
Designate a Cybersecurity Coordinator who is required to be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise.
Review their current activities against TSA's recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA.
All information submitted to TSA and CISA in compliance with this Directive will be treated as sensitive security information (SSI) under 49 CFR 1520. In practice this means the information is exempt from public disclosure requirements and must be protected in government and contractor systems as sensitive but unclassified information.
Cybersecurity Coordinator
Each covered owner/operator will be required to provide TSA with the 24/7 contact information for a Cybersecurity Coordinator and at least one alternate. Those individuals will (page 2):
• Be US citizens who are eligible for a security clearance,
• Serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and CISA,
• Be accessible to TSA and CISA 24 hours a day, seven days a week,
• Coordinate cyber and related security practices and procedures internally, and
• Work with appropriate law enforcement and emergency response agencies.
This Cybersecurity Coordinator position is closely modeled on the Security Coordinator requirements of 49 CFR 1580.101. Those were originally established back in 2008 for freight and passenger rail operations, and recently expanded to include other public transportation agencies and high-risk over-the-road bus companies.
Cybersecurity Definitions
The Security Directive (pgs 5-6) defines several key terms used in the Directive. While some of these terms are used loosely in day-to-day cybersecurity work, five of the definitions are detailed enough that they need to be read and understood carefully before the requirements of the Directive can be properly implemented.
Those five key terms are:
Cybersecurity incident,
Information technology system,
Operational disruption,
Operational technology, and
Unauthorized access of an information technology or operational technology system.
The other four terms are specifically defined in the Definitions section; for ‘operational technology’ TSA instead provides a ‘general description’, saying that it is:
“… a general term that encompasses several types of control systems, including industrial control systems, supervisory control and data acquisition systems, distributed control systems, and other control system configurations, such as programmable logic controllers, fire control systems, and physical access control systems, often found in the industrial sector and critical infrastructure. Such systems consist of combinations of programmable electrical, mechanical, hydraulic, pneumatic devices or systems that interact with the physical environment or manage devices that interact with the physical environment.”
The other definitions are expansive; TSA is clearly trying to craft a document that covers a very wide range of incidents. For example, the definition of ‘cybersecurity incident’ specifically includes events that are:
Under investigation as a possible cybersecurity incident without successful determination of the event's root cause or nature (such as malicious, suspicious, benign), and
May affect the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.
Incident Reporting Requirements
Owner/operators of designated pipelines are required by the Security Directive to report (pgs 2-6):
Unauthorized access of an Information or Operational Technology system,
Discovery of malicious software on an Information or Operational Technology system,
Activity resulting in a denial of service to any Information or Operational Technology system, and
A physical attack against the Owner/Operator's network infrastructure, such as deliberate damage to communication lines.
Again, as a measure of the expansive nature of the Directive, they are also required to report:
“Any other cybersecurity incident that results in operational disruption to the Owner/Operator's Information or Operational Technology systems or other aspects of the Owner/Operator's pipeline systems or facilities, or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases including, but not limited to impacts to a large number of customers, critical infrastructure or core government functions, or impacts national security, economic security or public health and safety.”
Reports must be submitted via the CISA Reporting System Form within 12 hours of the incident being identified. Among the other reporting requirements, submitters are to note specifically that the report is being made in compliance with Security Directive Pipeline-2021-01, so that CISA can prioritize handling of the information and share it where required.
Vulnerability Assessment
The Directive requires owner/operators to conduct an immediate cybersecurity vulnerability assessment of their operations in accordance with Chapter 7 of the most recent TSA Pipeline Security Guidelines manual, identify any security gaps in their systems, identify remediation measures, and establish a timeline for implementing those measures. The results of all of the above must be reported to TSA and CISA within 30 days.
The most recent version of the Guidelines was published just last month, but the cybersecurity provisions in Chapter 7 are unchanged from the 2018 version of the manual.
Effective Date
The directive became effective today.