November 2021, Vol. 248, No. 11
Features
Tight Deadlines, Imminent Concerns Result from Security Directives
By Michael D. Falk, Pipeline and Facility Group, Burns & McDonnell
The federal Transportation Security Administration (TSA) is moving quickly to ramp up the ability of utilities and pipelines to defend themselves against future cyberattacks.
TSA has issued two recent security directives (SDs) that require comprehensive assessments of assets owned and operated by electric and gas utilities as well as oil and gas pipelines. The first SD was issued May 28, shortly after a ransomware attack caused Colonial Pipeline to shut down its system for five days.
That initial SD was sent as a reminder to pipeline operators that they must complete self-assessments of security measures enacted under 2018 TSA cybersecurity guidelines. The May SD also established new requirements for internal security staffing and reporting of any cyberattacks or related incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
On July 20, TSA issued its second directive (SD2), requiring both pipelines and utilities to conduct assessments of assets and operations to determine if they meet new criteria defining critical energy infrastructure. Called a criticality analysis, this comprehensive assessment is required for all assets that may have exposure to cyberattacks.
The SD2 contains additional requirements and sets strict deadlines for compliance, going well beyond requirements of the earlier SD. If any assets are deemed critical energy infrastructure according to the criteria, cyber-asset inventories must be completed, security vulnerability assessments must be made, and mitigation measures must be implemented.
Clock Is Ticking
Tight deadlines are imminent, with critical 90-day and 180-day windows for utilities and operators to complete requirements for SD2 compliance.
The first requirement for a criticality assessment is a rigorous analysis designed to determine whether assets meet any of seven specific criteria that define critical energy infrastructure. For example, energy infrastructure assets necessary to serve military, Department of Defense or federal civilian installations would be deemed critical energy infrastructure.
Large multistate utilities and interstate pipelines will likely have some assets that meet critical energy infrastructure criteria, but some assets may not.
It is likely there will be many questions and much uncertainty regarding which assets meet the standards and criteria for critical energy infrastructure. To demonstrate good faith in meeting compliance requirements, listing assets that could potentially be classified as critical energy infrastructure is recommended, pending follow-up consultation with the Department of Homeland Security.
Homeland Security staff will be conducting extensive follow-up audits and are authorized to issue significant citations for violations of the SD2 requirements. Thus, utilities and pipelines would be in stronger positions if initial assessments demonstrate a consistent good faith methodology for identifying and categorizing assets that could be considered critical energy infrastructure.
There could be fewer consequences for mistakenly classifying an asset as critical than for omitting assets that are later found to be critical.
Next Steps
If assets meet any of the seven criteria for critical energy infrastructure, then utilities and operators are required to conduct a comprehensive cyber-asset inventory and conduct security vulnerability assessments of the assets.
This requirement is particularly onerous because the deadline to complete these analyses is within 180 days after July 26. SD2 is considered Security Sensitive Information (SSI) and operators will be expected to comply with SSI requirements.
It is important for operators and utilities to be fully aware of the significance of SD2. Choosing to ignore or putting off steps for compliance will put them significantly behind the curve and could potentially result in significant citations for noncompliance. The requirements are tedious and prescriptive rather than voluntary, as in the past.
Among other measures, TSA will now require separation of information technology and operational technology (IT/OT) systems. Utilities may need to review IT/OT systems and conduct an architectural review to implement steps to separate them. This measure is of particular focus for the TSA because of the recent Colonial Pipeline attack.
In that incident, an obsolete virtual private network (VPN) became the gateway of entry that allowed hackers into the Colonial Pipeline IT system. Once the attackers were inside the IT system, there was concern that the OT system could quickly become compromised, which led to the decision to shut down pipeline operations.
A cyber-asset inventory is another significant requirement. A detailed list of assets likely to meet criteria for critical energy infrastructure must be completed, and that list should include enough information to allow auditors to check all methodologies used to compile the lists.
Mitigation measures also are required, including a security vulnerability assessment of all cyber-assets listed in the inventory. This should be a system-based evaluation that looks at assets that could cause downstream service impacts if compromised.
In other words, not every valve or fitting needs to be assessed, but larger assets like compressor stations or other key operational components – particularly those that can be operated via remote controls – should be.
The mitigation effort is likely to include implementing password protection and multifactor authentication on field assets that are not currently protected. This is likely to include laptops used by field personnel as well as any remote access and controls, including remote terminal units (RTUs) and wireless cellular modem drops.
Meeting the Threshold
Even if only one of the seven criteria boxes is checked, operators should expect to face compliance requirements.
Some requirements are onerous, and some are not. Implementing password and multifactor authentication for certain assets may be easier to manage than pushing out protections for other types of field assets that aren’t properly designed to protect against cyberattacks. In those cases, some operators and utilities are likely to face the prospect of changing out certain components with newer pieces of equipment that are designed to be protected.
Utilities and operators are unlikely to have a clear picture of the task they face until assessments are completed. Until now, they have typically adopted business-focused criteria on what assets are business-critical. Now those assessments must be broadened to incorporate a look at the impact a cyberattack may have on broad classifications of customers.
There is not a lot of time. Operators and utilities may not think they own critical infrastructure, but they still may be at risk if they take no action. It would be advisable to rethink these conclusions and get started on an assessment and criticality analysis.
Author: Michael D. Falk, a leader in the Pipeline and Facility Group at Burns & McDonnell, consults with electric and gas utilities and specializes in operations management and regulatory compliance for interstate natural gas transmission and liquefied natural gas (LNG) and liquefied petroleum (LP) propane air mix plants.
Comments