Late last month, the Transportation Security Administration (TSA) renewed and updated its security directive aimed at enhancing the cybersecurity of oil and natural gas pipelines. The reissued directive, Security Directive (SD) Pipeline-2021-02D, Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing, applies to owners and operators of pipelines that TSA has designated as critical. It succeeds the earlier versions the agency issued in July 2021 and July 2022 in the wake of the highly publicized and disruptive ransomware attack on Colonial Pipeline.
This most recent update does not vacate previously established requirements simply for the sake of change, nor does it merely preserve the status quo. Instead, the new directive pursues incremental change that builds on, but does not abandon, the previous requirements.
Maintaining what works
As the Biden Administration continues to expand cybersecurity regulatory requirements for critical infrastructure such as the nation’s pipelines, it is noteworthy that TSA has retained the industry-informed controls identified in the previous directive issued in 2022, known as SD-02C, and has augmented them with only minor updates, largely focused on reporting and on exercising incident response plan objectives.
Last year, after consulting with experts from the private sector, TSA significantly improved on its earlier pipeline security directives, which industry stakeholders had criticized for being developed without adequate consultation.
The 2023 update continues the focus on performance-based, rather than prescriptive, measures to accommodate the distinct needs and challenges of the sector and of individual companies. In their required Cybersecurity Implementation Plans (CIPs), owners and operators have the flexibility to draw on various industry standards (such as the NIST Cybersecurity Framework (CSF), API 1164, and the ISA/IEC 62443 series). This lets them build actionable implementation plans around their own environments from a broader set of guidance, experience, and solutions, achieve strategic cybersecurity outcomes, and accommodate differences in systems and operations.
Most importantly, they have the flexibility to structure implementation plans for their operational technology (OT) environments according to a risk profile that differs from that of the IT environment. Further, the focus on continuous monitoring and exercising to assess whether outcomes are being achieved, together with the approval to use compensating controls, represents a major improvement for all pipeline owners and operators.
Because infrastructure owners and operators are the experts in their own systems, they are well positioned to provide the input that produces the best possible security outcomes from the regulatory process. It is imperative that they be part of the dialogue with the government in developing new standards and regulations, so that the nation’s infrastructure companies are better positioned to maintain resilience in the face of an evolving cyber threat environment.
Consistency without complacency
In addition to retaining industry-informed elements, SD-02D’s consistency with previous versions of the directive also demonstrates an understanding on the part of TSA that compliance comes with a cost. Organizations should not have to divert security dollars to meet compliance requirements; security spending and compliance spending should be one and the same. Well-informed, performance-based requirements help keep the focus on real security rather than on compliance checklists.
Consistent, performance-based requirements that are improved iteratively through industry consultation are a model for how to evolve regulatory frameworks to address the evolving threat environment while allowing organizations to stay focused on security. Keep what works. Improve what doesn’t. Fill the gaps.
With the latest pipeline security directive update, TSA has incrementally augmented the requirements to include evaluating cybersecurity assessment plans and testing incident response plans. Moving forward, as it continues to update and improve these and other security directives, it will be essential that TSA keep engaging with the private sector and industry experts to ensure the best possible security outcomes.
Keeping a focus on security through regulatory harmonization
The Biden Administration has committed to enhancing the cybersecurity of our nation’s critical infrastructure through expanded regulation, including the National Cybersecurity Strategy and the associated Implementation Plan, both released earlier this year.
By employing a sector-by-sector approach, the Administration has allowed regulations to be tailored to the affected industries. It has also, unintentionally, created a web of overlapping and sometimes duplicative requirements for organizations that operate across multiple sectors or are covered by more than one oversight body.
To reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities, and to let organizations focus on real security, it will be imperative that the Administration make meaningful progress on regulatory harmonization, a stated priority in both the National Cybersecurity Strategy and the Implementation Plan. Differing and sometimes conflicting regulatory requirements, combined with multiple streams of reporting obligations, distract from security and resilience outcomes.
As the Administration tackles regulatory harmonization, it must do so in consultation with industry to fully understand the total cost and burden of duplicative requirements and to streamline them efficiently without sacrificing security and resilience. In the same way, it is essential that TSA continue to engage with industry experts and stakeholders to evaluate and improve future security directives for the best possible security outcomes.