TSA Relaxing Pipeline Cyber Security Directive
July 25, 2022 | Robert Bergman
The Transportation Safety Administration (TSA) is relaxing the cyber security restrictions that it placed on the pipeline industry immediately after the Colonial Pipeline attack. Where the May 27, 2021 directive required pipeline operators to report breaches within 12 hours, the new directive issued on May 29, 2022 allows 24 hours.
The greatest point of contention with last year’s directive, however, was the requirement for pipeline operators to review and fill gaps between their current cyber security practices and the TSA’s 33-page cyber security guidelines as updated in April of 2021, most of which industry groups felt were too IT focused and not relevant to OT security. The TSA says it will issue an update to that directive soon.
Although the TSA did not make last year’s requirements public, CSO magazine wrote that they reportedly contained mandates related to disabling Microsoft macros, and programmable logic controllers (PLCs), as well as additional mandates covering topics such as antivirus protection, malware protection, detection technologies, ingress and egress communications, system segmentation, multi-factor authentication (MFA), and zero trust. One requirement mandated that pipeline companies change all passwords.
Industry groups spent much of the past year challenging those mandates. Susan Lemieux, director of operations security and emergency response policy at the American Petroleum Institute, for example, told the Wall Street Journal that PLC passwords must often be reset in person, which would be burdensome, especially for companies that might have thousands of PLCs in operation. Patrick Miller, owner and CEO of Ampere Industrial Security, quoted in CSO Online, said that changing PLC passwords could be a burden for smaller operations as well.
“If I’ve got a line, some sort of gas transmission line, and it’s got, we’ll just arbitrarily say 40 or 50 PLCs along the way from end to end, I have to roll a truck to 40 or 50 individual locations to make a password change,” he said.
Lemieux hopes to move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology and believes that the TSA will accommodate the performance-based needs expressed by the industry.”
A spokesman for the American Gas Association (AGA), a trade group that represents energy firms including Southern Co. and National Grid PLC, also told the Journal that many of its members support the proposed shift away from that prescriptive approach.
“Since there are a multitude of ways a pipeline operator can set up its cybersecurity and pipeline system, any new security directive should allow the experts in the pipeline system—the operators—to determine the specific method of security to meet TSA’s objective,” an AGA spokesperson told the Journal.
Like the pipeline industry, we await the new guidelines, especially to see how the distinction between IT and OT cyber security breaks out. Bedrock believes that some IT-originated solutions like multifactor authentication and zero trust strategies can be effective in OT cyber security, but they should be built into the control system, not bolted on to the IT network.
Furthermore, when companies take what are now relatively easy measures to secure systems and devices across internet, cloud, public carriers, satellite, and other wide area communications, updating assets for security as well as performance can be done instantly from one location. See demonstration here: Live Bedrock OSA Solutions Lab Demo: The Complete Manifestation of Open Secure Automation | Bedrock Automation®
Granted, in the near term, it may not be easy for some oil & gas providers to switch to intrinsically secure controls, but we know they are concerned about cyber security, as long as it is OT appropriate. Those who are concerned about cyber security could, for any immediate OT capacity expansion, transition using control systems that are intrinsically secure. For more details on how to transition to cyber secure controls, seamlessly, go here.