[BreachExchange] TSA issues second cybersecurity directive for pipeline companies

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jul 21 11:41:10 EDT 2021


https://www.csoonline.com/article/3625681/tsa-issues-second-cybersecurity-directive-for-pipeline-companies.html#tk.rss_news

The Department of Homeland Security's (DHS) Transportation Security
Administration (TSA) yesterday announced a second security directive that
requires owners and operators of TSA-designated critical pipelines to
implement cybersecurity measures that help protect against malicious
digital incidents. This directive is a more expansive follow-up to an
initial pipeline security directive issued on May 27, roughly two weeks
after the highly disruptive ransomware attack against Colonial Pipeline.

The initial directive required pipeline companies to report cybersecurity
incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA).
It also required pipeline owners and operators to designate a cybersecurity
coordinator available around the clock to coordinate cybersecurity
practices and any cybersecurity incidents with TSA and CISA. Finally, that
directive required companies to examine their cybersecurity practices and
assess risks, identify gaps, develop remediation measures, and report the
results to TSA and CISA.

New security measures pipeline owners must meet

This second directive addresses in detail the security requirements that
pipeline owners must have in place. TSA says the new directive requires
owners and operators "to implement specific mitigation measures to protect
against ransomware attacks and other known threats to information
technology and operational technology systems, develop and implement a
cybersecurity contingency and recovery plan, and conduct a cybersecurity
architecture design review."

The directive reportedly contains mandates regarding password updates,
disabling Microsoft macros, and programmable logic controllers (PLCs).
Sources close to the pipeline asset owner community who have seen the
directive tell CSO they are surprised at the speed with which TSA issued
the second, particularly given that TSA had said as late as last week that
the directive wouldn't be available for many weeks.

The directive contains additional measures addressing a wide range of
topics, such as antivirus protection, malware protection, detection
technologies, ingress and egress communications, system segmentation,
multi-factor authentication (MFA), zero trust, and any workarounds that
might be needed. One requirement asks pipeline companies to change all
passwords.

The directive says that pipeline owners and operators can suggest
alternatives to the above security measures for TSA's review on a per asset
owner, per pipeline segment basis, sources say. The due dates for the
various requirements range from 60 days to 365 days.

Penalties for failing to meet security measures are unclear

A crucial component missing from the directive is any discussion of an
enforcement mechanism that comes into play if companies fail to abide by
the provisions. A media representative for TSA tells CSO that the directive
would "be enforced by TSA under appropriate statutory and regulatory
authorities. Failure to comply with the [directive], including the
requirement to report cybersecurity incidents and conduct an assessment,
could result in civil penalties levied against an owner/operator."