On July 20, 2021, the Transportation Security Administration (TSA) issued the first of two security directives aimed at the pipeline industry. The first directive required critical infrastructure pipeline operators to (1) report confirmed and potential cybersecurity incidents to CISA; (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

“The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats. Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security. Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.” – Alejandro N. Mayorkas, Secretary of Homeland Security

This initial security directive was significant only in that the pipeline industry has never had regulatory requirements related to cybersecurity. Granted, “directives” are not regulation; however, this is the first step in the direction of regulation for the whole industry. In the wake of the Colonial Pipeline incident, it became obvious that the industry was behind. Operational technology (OT) often runs on old equipment that does not have modern security capabilities built in. This creates a large attack surface that could cripple our pipeline infrastructure if accessed by a nation-state attacker.

Shortly after the first directive on July 20, a second directive, officially titled “Security Directive Pipeline-2021-02: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing,” was released. Though this directive is restricted from public view, the following elements have been reported as required of critical infrastructure owners/operators:

1.    Implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology (OT) systems

2.    Develop and implement a cybersecurity contingency and response plan

3.    Undergo an annual cybersecurity architecture design review

We know through working with our many midstream oil and gas clients that this is a very challenging ask and that putting the required “measures” in place is a daunting task. The National Institute of Standards and Technology (NIST) Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, is the benchmark guide for implementation of the controls.

Each of the 80 to 100 pipeline operators that were considered critical infrastructure will be required to have an annual audit of their OT cybersecurity architecture. Companies must select their audit firm by January 22, 2022, and have the audit completed by July 26, 2022.

Stinnett has performed cybersecurity audits of OT infrastructure for a number of years. We employ highly skilled cybersecurity experts, certified industrial controls cybersecurity specialists, and mechanical engineers trained in the oil and gas industry. Stinnett’s cybersecurity teams have performed MTSA NVIC20-01 Facilities Security Assessments (FSA), business impact analyses of OT cybersecurity events, and much more. We are uniquely positioned to provide the audit capabilities required by the TSA and help our clients mature through process improvements that work.

If you would like to speak with an expert in our Data Privacy & Cybersecurity group, please call 888-808-1795 or email cyber@stinnett-associates.com.

 By Jeremy Price, CISA, CDPSE, MCSE, CMMC-RP, ABCP