Advancing Pipeline Protection: A Guide to TSA Cybersecurity Compliance

Chad Alessi

May 06, 2024

In 2021, the Colonial Pipeline ransomware attack served as a stark reminder of the vulnerabilities within the cybersecurity infrastructure of the oil and gas industry. This attack caused massive supply chain disruptions, resulting in fuel shortages and significant financial losses. It also prompted the declaration of a state of emergency.

In response, the Transportation Security Administration (TSA) issued a security directive designed to improve cybersecurity within the sector. However, as cybersecurity threats continue to evolve and intensify, industry leaders must go beyond simply complying with oil and gas cybersecurity regulations and implement enhanced cybersecurity methods to ensure the resiliency of their pipeline systems.

The Attack on the Colonial Pipeline

The attack on the Colonial Pipeline was made possible by attackers exposing employee passwords to the company VPN. Attackers discovered that one employee's password was being used for different accounts, which gave them a window of opportunity. Once launched, this ransomware attack infected a portion of the pipeline’s digital system, allowing hackers to shut the entire pipeline down for several days and causing far-reaching consequences nationwide.

This targeted attack most significantly impacted airlines and consumers across the East Coast. Some of the most significant consequences included:

  • Supply Disruptions: The pipeline shutdown led to major disruptions in jet fuel, diesel, and gas supply across the East Coast. This caused massive fuel shortages, which led to price surges and long lines of frustrated customers at gas stations.
  • Financial Impacts: The attack revealed significant vulnerabilities in pipeline cybersecurity. This caused many stakeholders and investors to re-evaluate the risks associated with this industry.
  • Reputation Damage: Not only did the Colonial Pipeline experience significant damage to its reputation, but the entire industry was perceived as having inadequate TSA-directed pipeline security in place.
  • Increased Scrutiny: This attack triggered significant discussions regarding ways to enhance TSA cybersecurity requirements, standards, and practices within the oil and gas industry, as well as other critical infrastructure sectors.

How Did the Industry Respond?

In response to the cybersecurity attack, industry leaders saw the need for a quick response and new security measures to enhance pipeline cybersecurity. This response encompassed:

  • TSA Directive: The TSA responded by requiring pipeline operators to report all pipeline cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). Operators were also directed to review all cybersecurity practices to identify gaps and develop strong remediation measures.
  • Ransom Payment and Restoration: The Colonial Pipeline paid approximately $4.4 million to the attackers to regain access to their system. This allowed them to restore their operations and get the pipeline up and running again.
  • Government and Industry Collaboration: This incident highlighted the importance of strong collaborative efforts between the government and private sectors to provide the best possible protection over critical infrastructure.
  • Increased Investment in Pipeline Cybersecurity: Companies within the oil and gas industry were encouraged to invest more money in enhancing their pipeline security to ensure they are protected moving forward.

For many, both in and outside the oil and gas industries, this was a wake-up call that truly highlighted the need for more robust cybersecurity measures within critical infrastructure.

Taking Action While Moving Ahead

Historically, oil and gas cybersecurity regulations have lagged behind. The TSA never implemented strong guidelines for this sector because the industry has been fairly unorganized as a whole. On July 27, 2023, the TSA guidelines shifted from suggestions to firm mandates.

Recognizing the need to go beyond merely complying with cybersecurity regulations, many pipeline operators have considered strategies to improve pipeline cybersecurity. These strategies suggest that operators do the following:

  • Assessment Plan: Develop an assessment plan that details the methods used to assess cybersecurity controls as well as policies and procedures. The plan should be updated annually.
  • Infrastructure Assessments: Routinely conduct thorough assessments to identify any assets, existing infrastructure, and existing vulnerabilities. Ensure 30% of policies and procedures are assessed annually. Assessments can help companies understand the weakest links and develop a robust cybersecurity plan to address them.
  • Incident Response Plans: Develop and implement a comprehensive incident response plan specific to each pipeline cybersecurity incident. This plan should include strategies for communication, public awareness, and compliance with relevant oil and gas cybersecurity regulations.
  • Employee Training: Raise awareness among employees about the importance of cybersecurity and the potential risks associated with actions such as clicking on links sent in phishing emails.
  • Layered Cybersecurity: Adopt layers of protection to safeguard all critical assets. This approach will provide multiple barriers to protect the pipelines from potential attackers.

The oil and gas sector plays a crucial role in our daily lives, making it a prime target for cyberattacks. As seen in cases like the Colonial Pipeline ransomware attack, the consequences of inadequate cybersecurity can be substantial. Organizational leaders must prioritize cybersecurity and proactively protect essential systems and facilities.

Investing in comprehensive assessments, response plans, employee training, and a layered approach to cybersecurity can mitigate risks and ensure future stability and growth. It is time for the industry to go beyond compliance and embrace robust cybersecurity practices to stay ahead of the evolving threat landscape. Only then can we truly protect our energy supply chain against potential cyber threats.

Contact CTG today to start shoring up your defenses with our Cybersecurity Regulatory Compliance Solutions.

Chad Alessi

As Managing Director of Cybersecurity, Chad Alessi leverages decades of experience in technology, cybersecurity, and operational strategy across enterprise and mid-market sectors to meet the evolving cybersecurity needs of clients in the U.S. During his time in IT consulting, Chad was instrumental in driving IT transformation in the company's regulated pipeline and gas processing business units. He holds a BS in Chemical Engineering, an MBA from the University of Alabama, an MS in Information Systems with a concentration in Information Security from Syracuse University, and post-graduate certifications in leadership, full stack development, cybersecurity, and cloud computing. Chad is known for his strong work ethic, integrity, resourcefulness, and service-based leadership, which he attributes to his time in the US Marine Corps.
