TSA Updates Oil and Gas Cybersecurity Guidelines
Image courtesy of Jason Woodhead under Attribution 2.0 Generic License, resized to 700 x 391 pixels.
The Transportation Security Administration (TSA) has issued revised oil and gas cybersecurity guidelines as a result of the extensive due diligence that has been conducted since the Colonial Pipeline attack in May 2021. Considering the May 2021 attack caused the pipeline to shut down for a week, the updated standards are just what the cyber-doctor ordered!
How Did the Oil and Gas Cybersecurity Requirements Change?
Interestingly, this is not the first time that changes have been put forth following the Colonial Pipeline attack. The requirements were updated just 2 months after the attack, but industry stakeholders pushed back because they were too stringent.
Simply put, the initial updated requirements were structured as a one-size-fits-all approach, which is not appropriate for the oil & gas industry because different pipelines and operators have different systems, configurations, policies, levels of expertise, and other nuances.
So, these new TSA guidelines offer more flexibility. This time, owners and operators will be tasked with developing their own cybersecurity implementation plans. This will allow the experts in the pipeline system, the operators, to determine the precise approach.
TSA is also requiring owners and operators to:
- Develop incident response plans designed to recover from an attack as quickly and safely as possible.
- Implement ongoing audit and testing programs to continuously evaluate the integrity of the security measures and get an early jump on emerging threats.
- Establish network segmentation processes to ensure the critical areas of the system can continue to function following an attack.
- Fortify access-control protocols to minimize unauthorized system access.
- Be diligent with respect to security patches and keeping operating systems and software up to date.
There’s no doubt about it, pipeline hacks impact us all, from consumers using heating oil to electric utilities with oil-fired plants. For that reason alone, I applaud the TSA’s efforts to ensure their recommended oil and gas cybersecurity requirements are as optimal and as up to date as possible.