February 14, 2024

In May 2021, a ransomware attack led to a shutdown of Colonial Pipeline, which transports almost half the fuel used on the East Coast. For days, anxious crowds swarmed gas stations in long lines and airline flights were disrupted, with panic-buying causing shortages and spikes in gas prices.

The root cause of the attack: attackers entered Colonial Pipeline's IT systems through a legitimate account whose password had been exposed in a separate data breach and was likely reused.

As a result of the Colonial attack, the Transportation Security Administration (TSA) established two mandatory Pipeline Security Directives. The first was Security Directive Pipeline-2021-01: Enhancing Pipeline Security, which identified immediate critical actions for pipeline owners and operators. This directive requires entities to perform a vulnerability assessment based on the Pipeline Security Guidelines created as one of the initial objectives of the TSA in the aftermath of 9/11.

The second is Security Directive Pipeline 2021-02: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing. This directive includes a range of requirements focused on preventing cyberattacks and improving the resilience of the country’s critical infrastructure overall.

Below we discuss what’s in the requirements, including three separate plans required under the second directive and how automated compliance management software can help reduce cybersecurity risks.


An Outcomes-Based Approach to Pipeline Security

The second TSA Pipeline Security Directive takes a performance-based approach to protecting pipelines, so that industry can adapt to evolving threats and adopt emerging technologies. To that end, actions taken to protect this critical infrastructure must achieve the following outcomes:

  1. Create network segmentation policies and controls so that operational technology (OT) systems are not affected if an information technology (IT) system is breached, and vice versa
  2. Establish access controls to prevent unauthorized access to critical cyber systems
  3. Develop continuous monitoring and threat detection processes to identify risks and correct anomalies that could impact critical cyber systems
  4. Mitigate exploitation risk with timely security patches and updates for operating systems, applications, drivers and firmware, utilizing a risk-based patch management strategy

Pipeline Owner and Operator Requirements

The original directive requires pipeline owners and operators to:

  • Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) promptly
  • Designate a cybersecurity coordinator who is available to TSA and CISA 24/7
  • Perform a cybersecurity vulnerability assessment annually

In addition, to achieve the above outcomes, the second directive requires pipeline owners and operators to develop and execute three specific plans:

  • TSA-approved Cybersecurity Implementation Plan
  • Cybersecurity Incident Response Plan
  • Cybersecurity Assessment Program

Below we discuss each of the above plans in more detail, including what they should cover and how an automated compliance management system can help.

TSA-Approved Cybersecurity Implementation Plan

Pipeline owners and operators are required to implement a TSA-approved Cybersecurity Implementation Plan describing the specific cybersecurity measures used and the schedule for achieving the performance outcomes above.

This plan must identify all critical cyber systems, defined as any IT or OT system or data that, if compromised or exploited, could result in operational disruption. It must also show how you will meet each of the four outcomes outlined above, though the directive does not prescribe how.

The directive allows for a flexible approach, and the plan should set forth the security processes and controls which TSA will inspect for compliance. Once the plan is approved, the organization is expected to maintain those processes and controls, including any schedule defined in the plan.

Cybersecurity Incident Response Plan

The TSA directive requires pipeline owners and operators to create and maintain an up-to-date Cybersecurity Incident Response Plan to reduce the risk of operational disruption in the event of an incident impacting IT or OT systems.

The Cybersecurity Incident Response Plan must document specific measures you will take to ensure:

  • Prompt containment of any infected servers or devices
  • Segregation of the infected network or device to prevent the spread of malicious code
  • Security and integrity of backup data, including how you will secure and separate backup data
  • You have the ability to isolate IT and OT systems should a cybersecurity incident occur
  • Annual testing of at least two of the objectives of the plan

Cybersecurity Assessment Program

Pipeline owners and operators must create a Cybersecurity Assessment Program showing how the organization will evaluate the effectiveness of its cybersecurity measures. It must also show how you plan to identify and correct vulnerabilities in devices, networks and systems.

This plan must:

  • Evaluate the effectiveness of the Cybersecurity Implementation Plan
  • Incorporate a cybersecurity architecture design review at least once every two years
  • Include assessments such as penetration testing and adversarial perspective testing
  • Establish a schedule for auditing the effectiveness of the above measures, covering 30% of the policies and processes each year to cover 100% over a three-year period

In addition, organizations must submit an annual update of this program for approval that includes results from the prior year's assessments.
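The audit schedule above is easy to get wrong: auditing exactly 30% of controls per year covers only 90% after three years, so the 100% rule forces extra audits in some years. The following planner and checker are an added example written for this article, not AssurX software or TSA text; they model only the two rules stated on this page (at least 30% of policies and processes audited each year, and every one of them audited within any three consecutive years) and go slightly beyond the text by also validating a recorded audit history. The control names and audit years are constructed sample data.

```python
"""Audit-cycle planner and checker for a Cybersecurity Assessment Program.

Added example (not AssurX software or TSA text). Models only the rule on
this page: audit at least 30% of controls each year and all of them in any
three-year window. Control names and audit years below are constructed.
"""
import math

ANNUAL_MIN_FRACTION = 0.30  # at least 30% of controls audited every year
CYCLE_YEARS = 3             # every control audited at least once per 3 consecutive years

CONTROLS = [  # constructed sample inventory of policies/processes
    "access-control", "backups", "change-mgmt", "ir-plan", "logging",
    "patch-mgmt", "remote-access", "segmentation", "training", "vendor-access",
]
SAMPLE_HISTORY = {  # constructed: first two years of a new program (year -> audited)
    2022: {"access-control", "backups", "change-mgmt"},
    2023: {"ir-plan", "logging", "patch-mgmt"},
}


def annual_quota(n_controls):
    """Smallest whole number of controls that satisfies the 30% annual minimum."""
    return math.ceil(n_controls * ANNUAL_MIN_FRACTION)


def plan_year(controls, history, year):
    """Choose the controls to audit in `year`.

    history maps year -> set of control names audited that year.
    Mandatory picks are controls not audited in the previous CYCLE_YEARS-1
    years (the three-year window ending in `year` would otherwise miss them).
    The remaining quota is filled with the controls audited longest ago, so the
    cycle stays even instead of re-auditing the same controls every year.
    """
    def last_audit(name):
        years = [y for y, names in history.items() if name in names and y < year]
        return max(years) if years else None  # None = never audited

    last = {c: last_audit(c) for c in controls}
    window_start = year - (CYCLE_YEARS - 1)
    mandatory = [c for c in controls if last[c] is None or last[c] < window_start]
    optional = sorted(
        (c for c in controls if c not in mandatory),
        key=lambda c: (last[c], c),  # oldest audit first, then by name
    )
    needed = max(annual_quota(len(controls)), len(mandatory))
    return sorted(mandatory + optional[: needed - len(mandatory)])


def coverage_gaps(controls, history, first_year, last_year):
    """Check a recorded history against both rules.

    Returns a list of findings (empty means compliant): one per year that
    misses the 30% quota and one per three-year window that misses a control.
    """
    findings = []
    quota = annual_quota(len(controls))
    for y in range(first_year, last_year + 1):
        done = history.get(y, set()) & set(controls)
        if len(done) < quota:
            findings.append(f"{y}: {len(done)} of {len(controls)} audited, quota is {quota}")
    for end in range(first_year + CYCLE_YEARS - 1, last_year + 1):
        start = end - CYCLE_YEARS + 1
        covered = set().union(*(history.get(y, set()) for y in range(start, end + 1)))
        missing = sorted(set(controls) - covered)
        if missing:
            findings.append(f"{start}-{end}: never audited in window: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    # Year three of the sample program: four controls are mandatory, more than the 30% quota.
    print("2024 audit set:", plan_year(CONTROLS, SAMPLE_HISTORY, 2024))
    # A history that repeats the 2022 set in 2024 meets 30% every year yet fails the 3-year rule.
    bad = {**SAMPLE_HISTORY, 2024: {"access-control", "backups", "change-mgmt"}}
    for finding in coverage_gaps(CONTROLS, bad, 2022, 2024):
        print("finding:", finding)
```

With ten controls the quota is three per year, but in 2024 the planner selects four because the four never-audited controls must all fall inside the 2022-2024 window; a program that only tracks the 30% figure would miss that. The checker reports the window gap for the repeated-set history while reporting nothing for the planner's own output.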

Meeting TSA Requirements and Outcomes with Automated Compliance Management Software

Meeting the requirements of the TSA Pipeline Security Directives requires collecting, monitoring and acting upon a vast array of data related to OT and IT systems.

An automated compliance management system streamlines this process, enhancing cybersecurity by enabling entities to:

  • Create and maintain schedules for security patch evaluation and cybersecurity assessments, automatically escalating tasks when deadlines approach
  • Collect evidence related to patch management and cybersecurity assessment, such as evaluation date, mitigation plans, approvals, and digital signatures
  • Track the timely completion of security training requirements
  • Validate compliance of technical controls with organizational policies and plans
  • Generate reports on critical cyber systems and all assets covered by the pipeline directives

In addition, companies can more easily document and track supporting evidence for cybersecurity plans such as asset inventories, policy documents, and log files. In the event of an inspection, the ability to pull this information up readily from a single location is a clear advantage over manual tracking processes.

Conclusion

In 2021, the Colonial Pipeline ransomware attack only ended when pipeline officials paid 75 Bitcoin, then worth $4.4 million, to cyberattackers. The TSA pipeline security guidance and directives aim to prevent similar future events by requiring a range of plans, policies, and controls. An automated compliance system is vital to maintaining compliance with the requirements, so that organizations can ensure their plans are working and well-documented.


About the Author

Kathryn Wagner is Vice President, Industry Solutions, Energy & Utilities at AssurX. Kathryn brings more than 25 years of experience in manufacturing systems integration and compliance while being responsible for the development and evolution of product offerings for NERC compliance and related systems that focus on reliability and resilience.