US midstream sector approaching TSA’s deadline for cybersecurity compliance

US pipeline companies are facing a deadline for compliance with a cybersecurity directive issued last month by the Transportation Security Administration (TSA) following a ransomware attack on Georgia-based Colonial Pipeline.

In the directive, TSA gave the owners and operators of LNG terminals and midstream assets (oil, gas and petroleum product pipelines) designated as strategic infrastructure facilities 30 days to evaluate and report on their cybersecurity position. Specifically, it instructed them to identify their cybersecurity co-ordinators, compare their cybersecurity strategies to a TSA guide published three years ago, report any gaps they discovered, draw up remediation plans for the gaps and report potential and confirmed cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security (DHS).

The 30-day period is due to expire on June 28. As of press time, it was not clear what level of compliance TSA could expect from the companies affected by the directive.

According to Chris Bihary, the CEO and co-founder of Garland Technology, a provider of network test access point (TAP) visibility solutions, meeting TSA’s requirements is likely to be easier for pipeline owners and operators that have already made efforts to establish strong and effective cybersecurity strategies. Bihary described the agency’s 30-day deadline as “definitely aggressive” and told NorthAmOil that unprepared companies might struggle to take all the steps prescribed.

Meanwhile, Bill Lawrence, the CISO of the SecurityGate.io risk management SaaS (Software-as-a-Service) platform for industrial cybersecurity, reported that his own company had taken steps to help midstream companies achieve compliance. “SecurityGate.io integrated the TSA framework into our platform to help pipeline owners and operators complete this short-fused task in a digitally automated manner and complete this security directive before the deadline,” he told NorthAmOil.

He was referring to SecurityGate.io’s announcement in mid-June that it had made the cybersecurity assessment framework available to companies affected by the TSA directive outside its own platform. The announcement pointed out that the framework could help midstream owners and operators meet requirements more quickly, calling it a good alternative to “time-consuming manual efforts that put them at risk of missing DHS’s 30-day response requirement.”

The agency itself has not commented on the matter. Instead, it has signalled that it expects the US government to adopt additional requirements with respect to cybersecurity in the midstream sector.

Earlier this month, Sonya Proctor, TSA’s assistant administrator for surface operations, told members of the House of Representatives at a virtual hearing that a second directive was in the works. The new directive “will require more specific mitigation measures, and it will ultimately include more specific requirements with regard to assessments,” she said. TSA intends to establish teams of inspectors with experience in both cybersecurity and pipeline operations to monitor compliance with these additional requirements, she said.

Proctor did not say when she expected the new instructions to be rolled out, but some industry observers expect TSA to move forward soon. For example, John Stoody, vice-president for government and public relations at the Association of Oil Pipe Lines (AOPL), told NorthAmOil earlier this week that officials in Washington were likely to clarify their expectations on this front in the near future.