TSA Pipeline directives

US TSA issues relaxed pipeline cybersecurity directives [from the CyberWire]

[Originally published in V4 Issue 125 of the CyberWire Policy Briefing Newsletter at https://thecyberwire.com/newsletters/policy-briefing/4/125]

After last year’s unprecedented Colonial Pipeline attack, the US Transportation Security Administration (TSA) responded by issuing a set of strict cyber security directives for pipelines and other surface transportation industries. The first-of-their-kind directives received pushback from companies and industry lobbyists who felt that the rules, written in the heat of the moment, were too extreme and could disrupt business operations. Now the TSA has released updated, less stringent directives that industry experts say could indicate how the administration plans to write permanent rules going forward.

One revised directive allows designated pipeline operators a full twenty-four hours to report an attack (twice the time allotted in the original rules). An update to a second directive is expected to be less stringent about required security measures like multi-factor authentication password-reset requirements, which work in traditional business settings but would prove nearly impossible for pipelines’ more complicated systems.

TSA says they consulted with industry and government partners in drafting the new rules, explaining, “The goal is to move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology.” Suzanne Lemieux, director of operations security and emergency response policy at the American Petroleum Institute, told the Wall Street Journal, “We’re encouraged by the changes they’ve made. There were a lot of things that weren’t well thought out in the urgency of getting this out [last year].”

Comments from SynSaber & Nozomi

We received comment on the regulations from various industry experts. SynSaber Co-founder Ron Fabela thinks it worth remembering that compliance isn’t an end in itself. He wrote to say:

“Reactive cyber security rules for industry continue to be a challenge for the entire industry, not just pipeline operations. The move to more performance-based metrics does give asset owners and operators room to implement security controls that meet their unique environmental requirements, and while expanding the breach notification timeline from 12 to 24 hours must be a relief, the industry needs to ask, ‘what happens after I report?’ Breach notification has potential for confusion as the community wrestles with ‘what event or events constitute a reportable breach,’ and more critically, ‘what are the benefits of reporting besides compliance.’ With a focus on breach notification becoming standard across all sectors, it’s apparent that scalable and flexible monitoring be factored into every compliance program, as the answer of “we didn’t know” is no longer acceptable to regulators.”

Chris Grove, Cyber Security Strategist, Director at Nozomi Networks, sees two important issues the updated guidelines emphasize:

“The updated guidance serves to highlight 2 important things; 1- Attempting to prescribe solutions across an entire sector can be complicated, if not impossible, and 2- cooperation between government and the private sector is crucial to our success. We need an increase in transparency between asset owners, government, and other stakeholders, in a way that improves our ability to respond to threats without overburdening the asset operators, or codifying recommendations that could work against the tenants of safe and secure industrial operations. These much-needed changes allow for defenders to be more agile, and do what’s best for their specific infrastructure and environment using a measurable, performance-based approach.

[Read the full article at https://thecyberwire.com/newsletters/policy-briefing/4/125]