To defend against cyberattacks, the federal Transportation Security Administration (TSA) is actively increasing the abilities of utilities and pipelines. Two recent security directives (SDs) have been issues by the TSA requiring comprehensive assessments of assets owned and operated by electric and gas utilities and oil and gas pipelines.
SD: May 28, 2021 – The first SD was issued to remind pipeline operators that self-assessments of security measures must be completed under the 2019 TSA cybersecurity guidelines. It also confirmed new requirements for internal security staffing and reporting of any cyberattacks or related incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
SD2: July 20, 2021 – The second directive (SD2) was issued to require both pipelines and utilities to conduct assessments of assets and operations to determine if they meet new criteria defining critical energy infrastructure. This comprehensive assessment is required for all assets that may have exposure to cyberattacks.
The SD2 has additional requirements and a set of strict compliance deadlines beyond the requirements of the first SD issued. A cyber asset inventory must be completed, security vulnerability assessments must be made, and mitigation measures must be implemented.
The TSA will now require separation of information technology and operational technology (IT/OT) systems. Utilities will need to review IT/OT systems and run reviews to implement steps to separate them.
Another significant requirement is a cyber asset inventory. This is a detailed list of assets likely to meet criteria for critical energy infrastructure that must be completed.
Mitigation measures are also required, including a security vulnerability assessment of all cyber assets listed in the inventory looking at assets that could cause downstream service impacts if compromised. Only larger assets such as compressor stations and other key operational components, in particular those that can be controlled by a remote control, need to be assessed.
Mitigation efforts will likely include implementing password protection and multifactor authentication on field assets that are not currently protected. This will included laptops used by field personnel as well as any remote access and controls, including remote terminal units (RTUs), and wireless cellular modem drops.
Operators should still expect to face compliance requirements even if one of the seven criteria boxes is checked.
Some requirements will be quicker to complete than others. Implementing password and multifactor authentication for certain assets will be easier to manage than pushing out protections for other types of field assets that aren’t properly designed to protect against cyberattacks. Operators and utilities face the likelihood of changing out certain components with newer pieces of equipment that are designed to be protected in these cases.
Until the assessments are complete, operators and utilities are not going to have a clear picture of the job they have ahead. Operators and utilities have typically adopted business-focused criteria on what assets are business-critical, and now those assessments must be broadened to incorporate a look at the impact a cyberattack may have on broad classifications of customers.
Convergint can help companies meet the strict compliance deadlines.
To schedule your free consultation, fill out the form below.