TSA Pipeline Security Directive Change

On June 29, 2022, the TSA announced its changes to a cybersecurity directive for U.S. pipelines after receiving harsh criticism from operators, cybersecurity experts, and trade groups. In late May 2021, in the wake of the Colonial Pipeline ransomware attack, the TSA issued the first of two directives. This first Directive set arduous breach reporting obligations on operators affected by ransomware, malware, or cyber-attack. In the second directive issued Mid-July 2021, the TSA worked with CISA and prescribed more “technical countermeasures”. 

The details of the directives were not released publicly but the TSA said last year that they required owners to:

“Implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct cybersecurity architecture design review.”

In this newly announced change to the directive, a spokesperson for the TSA stated that it is planning to reissue the second set of security guidelines next month but with changes that “afford greater flexibility to industry in achieving critical cybersecurity outcomes.”

This change of the more technical directive comes after considerable reprisal and backlash from operators and industry experts. Some say the prescribed technical controls are counterintuitive to securing OT and consequently weaken the security posture. It seems through word of mouth the directive was littered with IT-centric technologies and techniques like Zero Trust Architecture (ZTA) and Multifactor Authentication. While these are all tried and true methods for Information Technology, given the nature of the equipment and functions of Operational Technology, it is often impossible to apply these types of security controls. OT systems are open “by design” and allow commands to flow freely to maintain the efficiency and reliability of processes. These systems lack the capacity or the structure to make use of IT-centric security topologies and technologies. On top of this, in many cases, these entities are made up of systems that are a culmination of merger and acquisition and amassed from many differing yet interconnected control systems. Due to the nature of OT and the inevitable heterogeneity, an attempt to prescribe technical controls across the breadth of the pipeline, or any other any Critical Infrastructure Key Resource (CIKR) industry, becomes virtually impossible to implement.

It is said the new directive will extend the reporting obligation of a breach from the original 12 hours to 24 hours. While this seems to give teams more time to figure out what just happened, it also lends itself to many unanswered questions like:

(1) What constitutes a “breach”?

(2) What trigger starts the obligatory reporting clock?

a. Time of the incident?

b. Time of discovery there was an incident?

c. Time of the impact of an incident?

d. Time that the impact was determined it was truly a cyber incident?

Cyber events in OT, in many cases, manifest as system failures. Subtle changes to the configuration of OT assets need to be examined to see if the changes were legitimate operational requirements or if they were injected by malware or a bad actor. This is no trivial feat for operators to stitch together the evidence of a cyber-attack and, in many cases, distinguish the indications of attack (IoA) in OT from normal system operations or routine system failure. To support operators with this massive challenge, Hexagon offers PAS Cyber Integrity® to help address risks, vulnerabilities, and speed the response and recovery process better than any competing network-based asset management system. 

CISA does have a lot of resources to leverage ahead of an incident that is noteworthy and available here Cyber Resource Hub | CISA. Unfortunately, however, having technical controls that are a mismatch to the Operational Technology Architecture, doesn’t afford operators the likelihood of successful defense. Likewise, having the clock ticking overhead negates the team’s ability to take time to fully investigate an event. The larger question we all must ask is, “what value comes from simply ‘reporting’ a breach?” Focusing on infrastructure Cybersecurity resiliency, continuity of operations, and contingency plans are far more beneficial than compliance-driven reporting unless the TSA or Government at large has some plans and the capacity to jump in at “crisis time” to assist.