October 2022, Vol. 249, No. 10

Cybersecurity Update: Aligning Industry Standard’s Best Practices

By Maggie O’Connell, Director of Security, Reliability and Resilience, INGAA 

(P&GJ) — Cybersecurity, both interpersonally and geopolitically, has been contested over the past few years, sparked by stories of basement hackers breaking into government agency websites, nation-states warring on the dark web and hacktivists acting in the name of civil disobedience for political and social change. This new theater of conflict has dramatically shifted how critical infrastructure companies, both large and small, approach their security programs.

Still, until recently, very few industries, energy included, had mandatory cybersecurity requirements in place to protect some of the nation’s most critical assets. Historically, that included the pipeline industry, which was – until this past year – encouraged, but not mandated, to follow voluntary guidelines and mitigation measures developed by the Transportation Security Administration (TSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).   

After a more-than-year-long process, on July 21, TSA issued the Security Directive Pipeline-2021-02-C (SD02C), colloquially referred to as Charlie, which represents an outcome-based approach to security that affords owner/operators more flexibility in implementing security measures that best align with their company’s risk assessment and profile.   

Charlie, effective July 27, 2022, is the fifth iteration of the Security Directives process that was launched in the immediate aftermath of the Colonial Pipeline incident and in response to what TSA termed “other emerging threat information.”   

On May 26, 2021, TSA issued its first round of requirements for reporting cyber-incidents. Security Directive Pipeline-2021-01 (SD01) requires TSA-identified “critical” pipeline systems to report a cyber-incident, confirmed or under investigation, on both the information technology (IT) and operational technology (OT) networks, to CISA within 12 hours. To better align with Security Directives issued for other surface modes, TSA has since extended the reporting time line to 24 hours.   

Then, on July 19, 2021, TSA issued a second Security Directive, Pipeline-2021-02 (SD02), requiring critical pipeline operators to implement a string of prescriptive mitigation actions over a series of set timelines, develop and exercise contingency planning, and conduct annual Cybersecurity Architecture Design Reviews.

Shortly after, in December of the same year, TSA issued Security Directive Pipeline-2021-02A (SD02A), inserting a new requirement to install IT system patches listed on CISA’s Known Exploited Vulnerabilities Catalog that have a severity score of “Critical,” and then overrode it a few days later through Security Directive Pipeline-2021-02B (SD02B), which cancels and supersedes the prior two SD02 versions with clarifying compliance dates.

While INGAA and other pipeline industry trade associations provided feedback on the draft versions of SD01 and SD02, neither final Security Directive reflected much of that input. Of particular concern were issues INGAA raised in SD02 around the impact of some mitigation measures on operational reliability and safety, and in some cases, the lack of market solutions to meet the requirements. In response to industry’s attention to these issues, TSA agreed to receive and review alternative security measures that “meet or exceed” the level of security required by SD02.   

However, given the complexity of SD02 and the rapid inundation of alternative measures due to the inability to meet the prescriptive requirements, TSA and industry quickly learned that additional engagement would be necessary to clarify key issues to support compliance. This deepened engagement became particularly critical in light of TSA’s announcement that it intends to issue formal cybersecurity regulations to replace Security Directives while owner/operators continue complying with SD02 and with reporting potential and confirmed incidents to CISA.  

This challenging regulatory environment led to increased industry pressure and the development of a series of Pipeline Security Directives Technical Roundtables, beginning in April 2022, where TSA and operators spoke candidly on major concerns within SD02 and offered potential solutions. These discussions helped TSA, CISA and other government stakeholders better understand pipeline operations, and afforded TSA the opportunity to ask questions that would support improvements to the Security Directives and potentially inform upcoming rulemaking.   

The result of this consultative process is Charlie, a continuation of the SD02 series, which supersedes and replaces SD02B and applies to owner/operators of the nation’s most critical pipeline systems, as identified by TSA. Charlie includes requirements for covered owner/operators to:   

establish and implement a Cybersecurity Implementation Plan (CIP)   

develop and maintain the Cybersecurity Incident Response Plan to reduce the risk of operational disruption   

establish a Cybersecurity Assessment Program and submit to TSA an annual plan that describes how the owner/operator will assess the effectiveness of their cybersecurity measures  

Importantly, until TSA approves the CIP, owner/operators must continue implementing the specific measures in SD02, or those in any TSA-approved alternative measures and action plans.   

There are four primary changes that Charlie makes to SD02. First, the scope of SD02 applied to all IT and OT systems connected to critical pipeline systems, whereas Charlie applies only to those “critical cyber-systems” identified by the owner/operator. Second, Charlie asks owner/operators to submit a CIP to TSA for approval, describing how they are meeting the specified cybersecurity outcomes, whereas SD02 required owner/operators not meeting a specific mitigation measure to submit alternative measures indicating how they are meeting or exceeding the intent of that measure.

Third, rather than scheduling third-party Cybersecurity Architecture Design Reviews as mandated in SD02, Charlie requires owner/operators to develop a program to assess and audit their cybersecurity measures, including an annual audit plan with a biennial architecture design review. Lastly, Charlie is not designated as Sensitive Security Information (SSI) unlike SD02, which originally held the SSI designation until it was removed earlier this year.   

Charlie represents a significant shift in TSA’s approach from the requirements in SD02. This framework allows owner/operators to better prioritize resources while still meeting the intended objectives of TSA’s requirements. This is not only more appropriate from a security perspective, since a one-size-fits-all approach would effectively give bad actors the keys to the castle, but also takes into consideration the unique operating environment of each pipeline. No two pipeline systems are alike, and companies take a risk-based approach to cybersecurity that supports their corporate security goals, objectives and particular threat exposure.

This shift also harmonizes with other regulatory programs applicable to many pipeline companies, such as the North American Electric Reliability Corporation (NERC) CIP standards, CISA’s Chemical Facility Antiterrorism Standards (CFATS) Risk-Based Performance Standards (RBPS) and the U.S. Coast Guard’s cybersecurity requirements for Maritime Transportation Security Act (MTSA) sites.   

Aligning with industry-recognized standards, frameworks and best practices helps ensure consistency and operational reliability within the constantly evolving cybersecurity threat landscape.  

Still, there are requirements in Charlie that give operators pause, including those on software updates, multifactor authentication, patching, and how companies accept and document the risks of not patching where it is not feasible to do so.   

Also new to this framework is the decentralized approach that TSA will take to review CIPs. While CIPs will receive final approval from TSA headquarters, the TSA Regional Directors will be the first to review operators’ plans and begin the remediation process should a plan be headed for denial.   

Although helpful for TSA headquarters surface operations and policy staff, this process might inadvertently create a patchwork of compliance decisions, with some regions perhaps favoring a more detailed approach to an operator’s CIP than others. Similar issues have been seen in other regulatory programs, like the Coast Guard’s default to local Captains of the Port (COTP) for jurisdiction over MTSA Facility Security Plans, resulting in compliance uncertainty and regional inconsistencies. In part because of this decentralized approach, and to ensure adequate protection of information, operators might consider drafting their CIPs with a minimal level of detail, with the understanding that TSA will be on-site during the inspection and audit process and can validate additional specifics as needed.

This regulatory program is still new for TSA and for pipelines, so it would come as no surprise if a challenging learning curve, similar to the early days of SD02, were felt while TSA reviews and adjudicates CIPs. Nonetheless, it is incredibly difficult to find balance when creating regulations, and TSA has created a solid foundation for prospective rulemaking with this new set of security measures.   

Moving forward, TSA expects to begin the process for formal rulemaking to replace the Security Directives with an Advance Notice of Proposed Rulemaking (ANPRM) in the Fall of 2022. Owner/operators and the public will have the opportunity to share information with TSA in response to questions posed in the ANPRM and at a public hearing. The agency has indicated that Charlie will help guide and inform the future cybersecurity regulations, with the final rule expected to be substantially similar to Charlie.

At the same time, the 100-day sprint for natural gas pipelines recently wrapped up, where pipeline operators were encouraged to use technologies to increase visibility and the sharing of OT threats in critical natural gas transmission pipelines. Additionally, CISA released a draft of the baseline Cross-Sector Cybersecurity Performance Goals and Objectives, as required by the July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems and launched the Joint Cyber Defense Collaborative (JCDC) Pipeline Initiative.   

The White House further announced it was developing the Biden Administration’s National Cybersecurity Strategy, with plans and objectives that will likely build off of the 100-day sprint efforts. Congress also enacted broader incident reporting legislation that would apply to a yet-to-be-determined set of covered entities.   

All of these initiatives required or will require ongoing industry consultation, spreading cybersecurity practitioners thin in an already trim space. As if that weren’t enough, the Russian invasion of Ukraine in February triggered a “Shields Up” campaign where the U.S. energy sector is targeted for spillover and retaliatory conflict. And, there is always China, the advanced persistent nation-state actor with a unique interest in U.S. energy infrastructure.   

This confluence of activity ensures that pipeline cybersecurity will remain a key focus for lawmakers, regulators, and operators for a significant period to come. As our federal partners build out cybersecurity programs, and INGAA and its members proactively engage and respond, lessons learned from highly prescriptive regulations should underscore how important risk-based and standards-based approaches are to public and private sector collaboration, and to enhancing our nation’s collective defense.   
