Category: Transport sector

Transport sector

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

Agency News, Cyber Security CII sector, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector

The USA's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list.

Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks to the sectors as a whole. Without a holistic assessment, the agencies can't know what additional cybersecurity protections might be needed.

Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents—such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic—illustrate the cyber threats facing the nation's critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.

This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB's process for waiving cybersecurity requirements for IoT devices. To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies.

To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.

GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sector's cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.

The nation's critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.

Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology

To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.

Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.

Title: Sector Lead Agencies' Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives

Sector (Lead Federal Agency)

Examples of IoT or OT Initiatives

Energy (Department of Energy)

Considerations for OT Cybersecurity Monitoring Technologies guidance provides suggested evaluation considerations for technologies to monitor OT cybersecurity of systems that, for example, distribute electricity through the grid.

Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks.

Healthcare and public health (Department of Health and Human Services)

Pre-market Guidance for Management of Cybersecurity identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.

Post-market Management of Cybersecurity in Medical Devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.

Transportation systems (Departments of Homeland Security and Transportation)

Surface Transportation Cybersecurity Toolkit is designed to provide informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.

Department of Homeland Security's Transportation Security Administration's Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing of cybersecurity incident response plans for higher risk railroads.

Source: GAO analysis of agency documentation │ GAO-23-105327

However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.

As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act's restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.

Leave a comment , , ,

Chemical security experts call for multisector cooperation against terrorism

Agency News, Industry News, Power/Energy/Oil & Gas sector, Transport sector, Water sector

The devastating impact of chemical weapons and explosives used in acts of terrorism continues to affect civilian populations and is well known for its destructive and long-term harm.

Last year over 1,000 improvised explosive device (IED) attacks were conducted by non-state actors, injuring over 7,150 people in more than 40 countries. Many attacks come from chemicals that criminals acquired through weak points in the supply chain – from manufacturing to storage and retail– and made into weapons.

To counter this threat, some 220 chemical security practitioners from more than 70 countries met at INTERPOL’s 3rd Global Congress on Chemical Security and Emerging Threats to find ways of reducing vulnerabilities by enhancing multisector cooperation and collaboration.

With a focus on acquisition, transportation, physical and cyber security of chemical materials, the meeting highlighted a range of security issues, such as detecting cross-border movements of regulated material and implementing regulatory frameworks.

Terrorists’ misuse of e-commerce and new technologies

The Global Congress also explored ways to counter emerging threats including terrorists’ misuse of e-commerce and new technologies to acquire toxic and precursor chemicals.

Due to the substantial growth and access to the Internet in recent years, so too we have seen an increase in digital content produced and shared through platforms such as instant messaging, social networking, blogs and online portals. The misuse of technologies can be seen as a result of this rapid growth in content, and with it a rise in suspicious activities.

Law enforcement agencies provided examples of investigative techniques that could be used to identify and prosecute the illicit purchase or sale of chemicals on the Dark Net. These lessons provided delegates with solutions to address the use of sophisticated technologies for nefarious purposes.

"The concerted effort of global law enforcement, along with our partners, is key to combatting the use of explosive precursor chemicals and chemical weapons,” Mr Hinds added.

Dual-use and precursor chemicals have a wide legitimate function in the production of consumer goods such as pharmaceuticals, cleaning supplies and fertilizers. This raises significant challenges to prevent and monitor, and remains one of the inherent threats to chemical security worldwide.

INTERPOL awareness video - ‘The Watchmaker’

In this context, an INTERPOL-produced awareness video was premiered at the meeting to engage a broad spectrum of stakeholders in understanding the importance of individuals and companies to secure dangerous toxic chemicals, including equipment.

Entitled ‘The Watchmaker’, the video highlights the need for multisector cooperation to combat these threats and will be used in a series of INTERPOL capacity building workshops and other activities related to counter-terrorism and prevention.

“Multisector collaboration is essential for us to tackle the threats we face from criminals who gain access to dangerous chemicals with malevolent intentions. Morocco is committed to strengthening the engagement of these issues as part of our proactive approach to combating terrorism,” said Mr. Mohammed Dkhissi, Head of National Central Bureau, Rabat.

Other measures proposed by the Global Congress Network include:

- Advocating chemical security recommendations such as increased retail reporting on suspicious activity;
- Expanding the INTERPOL-hosted Global Knowledge Hub, which allows members to engage in interactive discussions and access good practice guidance;
- Strengthening the Global Congress Network through greater diversity of expertise and activities across regions and sectors;
- Promoting decision-making tools such as a customer database, which can flag areas of security concern.

Since its inception in 2018, the Global Congress has been jointly led by INTERPOL, the US Cybersecurity and Infrastructure Security Agency (CISA), the US Defense Threat Reduction Agency (DTRA) and the US Federal Bureau of Investigation (FBI), and implemented in cooperation with the G7 Global Partnership Against the Spread of Weapons and Materials of Mass Destruction.

Leave a comment , ,

TSA issues new cybersecurity requirements for passenger and freight railroad carriers

Agency News, Industry News, Transport sector

The Transportation Security Administration (TSA) announced a new cybersecurity security directive regulating designated passenger and freight railroad carriers. Today’s announcement demonstrates the Biden-Harris Administration’s commitment to strengthen the cybersecurity of U.S. critical infrastructure. Building on the TSA’s work to strengthen defenses in other transportation modes, this security directive will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations.

Developed with extensive input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), this Enhancing Rail Cybersecurity – SD 1580/82-2022-01 strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes.

“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” said TSA Administrator David Pekoske. “We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.

The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:

1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
2. Create access control measures to secure and prevent unauthorized access to critical cyber systems;
3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Passenger and freight railroad carriers are required to:

1. Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the passenger and freight rail carriers are utilizing to achieve the security outcomes set forth in the security directive.
2. Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.

This is the latest in TSA’s performance-based security directives; previous security directives include requirements such as reporting significant cybersecurity incidents to CISA, establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment. Through this security directive, TSA continues to take steps to protect transportation infrastructure in the current threat environment. TSA also intends to begin a rulemaking process, which would establish regulatory requirements for the rail sector following a public comment period.

To view TSA’s security directives and guidance documents, please visit the TSA cybersecurity toolkit.

Leave a comment , , , ,

Forest fires: €170 million to reinforce rescEU fleet

Agency News, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector, Water sector

Following a record-breaking forest fire season in Europe, the Commission is proposing today €170 million from the EU budget to reinforce its rescEU ground and aerial assets  starting from the summer of 2023. The rescEU transitional fleet would therefore have a total of 22 planes, 4 helicopters as well as more pre-positioned ground teams. As from 2025, the fleet would be further reinforced through an accelerated procurement of airplanes and helicopters.

Commissioner for Crisis Management Janez Lenarčič said: "Due to climate change the number of regions affected by wildfires is increasing, going beyond the traditionally affected Mediterranean countries. The last summers have clearly shown that more firefighting assets are needed at EU-level. By building up our fleet of aerial means and ground forces, the EU will be able to ensure a prompt, flexible response, including in situations where fires are burning in multiple Member States at the same time.”

Commissioner for Budget and Administration, Johannes Hahn said: “While the record-breaking forest fires this summer may have been overshadowed by other crises, today's proposal to reinforce rescEU shows that the EU budget will continue to support those in need. European solidarity across EU Member States remains strong and we are ready to support this solidarity with financial means.”

Wildfires in the EU are increasing in scope, frequency, and intensity. By 1 October, the data for 2022 reveal a 30% increase in the burnt area over the previous worst year recorded (2017) and a more than 170% increase over the average burnt area since EU-level recording started in 2006.

This season, the Emergency Response Coordination Centre  received 11 requests for assistance for forest fires. 33 planes and 8 helicopters were deployed across Europe via the EU Civil Protection Mechanism, which were joined by over 350 firefighters on the ground. In addition, the EU's emergency Copernicus satellite provided damage assessment maps of the affected areas.

Leave a comment , , ,

CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection

Agency News, Cyber Security CII sector, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector

The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, that directs federal civilian agencies to better account for what resides on their networks.

Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices. The Biden-Harris Administration and Congress have supported significant progress by providing key authorities and resources. This Directive takes the next step by establishing baseline requirements for all Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly. “Knowing what’s on your network is the first step for any organization to reduce risk. While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”

CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies. Implementation of this Directive will significantly increase visibility into assets and vulnerabilities across the federal government, in turn improving capabilities by both CISA and each agency to detect, prevent, and respond to cybersecurity incidents and better understand trends in cybersecurity risk.

This Directive is a mandate for federal civilian agencies. However, CISA recommends that private businesses and state, local, tribal and territorial (SLTT) governments review it and prioritize implementation of rigorous asset and vulnerability management programs.

The new Directive can be found at Binding Operational Directive (BOD) 23-01.

Leave a comment ,

The fastest-growing port in Texas just got even safer

Industry News, Transport sector

Mariners sailing in and around Port Freeport — the fastest-growing port in Texas — have something to celebrate.

The seaport, located outside of Houston, is now fitted with a NOAA system that improves safe and efficient marine navigation. The technology is part of a nationwide network called Physical Oceanographic Real-Time System, or PORTSⓇ.

Freeport PORTS is the 38th system in this network of precision marine navigation sensors. The integrated series of sensors track oceanographic and meteorological conditions as they unfold around the port. This will greatly increase the navigation safety of vessels entering and exiting Port Freeport.

“Precision navigation is critical to our nation’s data-driven blue economy and helps our environment,” said NOAA Administrator Rick Spinrad, Ph.D. “The real-time information tracked by NOAA allows ships to move safely within U.S. waterways to make operations more efficient and lower fuel consumption, which also lowers carbon emissions.”

More than 30 million tons of cargo moved through Port Freeport in 2019, which supported more than 279,000 jobs nationwide, for a total economic impact of $149 billion. The new system will allow all mariners to have access to real-time water level, currents and meteorological information, helping them to better plan vessel transits and prevent accidents.

Studies prove that the NOAA PORTS program reduces shipping collisions, groundings, injuries and property damage. When a new PORTS is designed, local stakeholders determine the sensor types and location requirements to support their safety and efficiency decisions.

“This new system, and the others like them around the country, reduce ship accidents by more than 50%, and allow for larger ships to get in and out of seaports and reduce traffic delays,” said Nicole LeBoeuf, director of NOAA’s National Ocean Service. “PORTS can also provide real-time data as conditions rapidly change, giving our coastal communities time to prepare and respond.”

Newly installed current meters collect and transmit real-time current observations in waterways where those conditions can change quickly and over small distances. One current meter that is mounted on a buoy is installed along the port entrance channel to capture critical cross currents data outside of the Surfside Jetty. A second current meter is installed on a pier in the intercoastal waterway near the Surfside Bridge to collect data that will indicate the strength of currents near an important turning point for vessels coming in and out of Freeport Harbor.

The new system also integrates real-time water level and meteorological information from the NOAA Freeport Harbor National Water Level Observation Network station. That equipment is installed on a specialized single platform structure which is common in the Gulf of Mexico. Wind speed and directional data will help users plan for safe pilot boarding and ship passages during adverse weather.

Leave a comment , , ,

UNOCT launches five new thematic guides on Protecting Vulnerable Targets Against Terrorist Attacks

Agency News, Cyber Security CII sector, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector

The United Nations Office of Counter-Terrorism (UNOCT) hosted a high-level virtual event to launch five new specialized guides (modules) dedicated to the protection of particularly vulnerable targets against terrorist attacks, on 6 September 2022. “Vulnerable targets” refers to public places (e.g. tourist venues, urban centers, religious sites) or critical infrastructure (e.g. public transportation systems, energy sector) which are easily accessible and relatively unprotected, and therefore vulnerable to terrorist attacks.

The online launch event was opened by the Under-Secretary-General of the United Nations Office of Counter-Terrorism (UNOCT), Mr. Vladimir Voronkov, along with the Permanent Representative of Qatar to the United Nations, H.E. Ambassador Alya Ahmed Saif Al-Thani; Acting Executive Director of the United Nations Counter-Terrorism Committee Executive Directorate (CTED), Mr. Weixiong Chen; Director of the United Nations Interregional Crime and Justice Institute (UNICRI) Ms. Antonia Marie De Meo; and Chief of Cabinet of the Under-Secretary-General of the United Nations Alliance of Civilizations (UNAOC), Ms. Nihal Saad.

The participants included decision-makers, practitioners and experts on vulnerable targets protection from Member States, international and regional organizations, the private sector, civil society and academia, including members of the United Nations Global Expert Network to Protect Vulnerable Targets against Terrorist Attacks.

The high-level opening was streamed live via UN WebTV. It will be followed by an expert session, during which Member States will share experiences, good practices and tools related to the themes of the five modules:

1. The protection of “soft" targets;
2. The protection of touristic sites;
3. The protection of religious sites and places of worship;
4. The protection of urban centres; and
5. Threats posed by unmanned aircraft systems (UAS) to vulnerable targets.

The 5 modules are published in Arabic, English, French and Russian and are presented by the United Nations Global Programme on Countering Terrorist Threats Against Vulnerable Targets, which is led by UNOCT and jointly implemented with CTED, UNICRI and UNAOC.

The new guides present the knowledge and resources and lessons learned identified during the three Expert Group Meetings held by UNOCT with partners CTED, UNAOC and UNICRI in 2021. They also complement the 2018 United Nations Compendium of Good Practices on the Protection of Critical Infrastructure (CIP) against Terrorist AttacksPDF by focusing on public places/"soft" targets as distinct types of sites worthy of a dedicated security approach. The guides feature specific case studies, good practices and recommended tools from around the world to support both the public and private sectors to further strengthen the safety and security of their public places, keeping them open and accessible and promoting shared responsibility.

Leave a comment , , , ,

USDA invests more than $698,000 in critical infrastructure to combat climate change

Agency News, Industry News, Power/Energy/Oil & Gas sector, Transport sector

The U.S. Department of Agriculture announced this week that USDA Rural Development will invest more than $698,000 in critical infrastructure to combat climate change across rural Missouri.

Among the funded projects is Macon Coca-Cola Bottling Company's installation of a 46.98 kilowatt solar array system. The company will use a $20,000 Rural Energy for America Program grant to replace 71,831 killowatt hours (100% of the company's energy use) per year, saving the company more than $6,000.

The investments reflect the goals of President Biden’s Inflation Reduction Act, which addresses immediate economic needs and includes the largest ever federal investment in clean energy for the future, the USDA said.

For example, the Act includes $14 billion in funding for USDA programs that support the expansion of biofuels and help rural businesses and electric cooperatives transition to renewable energy and zero-emission systems.

USDA is making these investments through Community Facilities Disaster Grants, Rural Energy for America Program Renewable Energy Systems & Energy Efficiency Improvement Guaranteed Loans & Grants, and Rural Energy for America Program Energy Audits and Renewable Energy Development Grants.

Leave a comment , , ,

Police Committee Initiates Process to Consider the Critical Infrastructure Protection Act Regulations

Cyber Security CII sector, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector, Water sector

The Portfolio Committee on Police in South Africa has resolved to allow the Civilian Secretariat for Police Service (CSPS) to table part of the regulations of the Critical Infrastructure Protection Act (CIPA) 2019, which deals directly with the functions of the Critical Infrastructure Council to enable the council to start performing its functions immediately. The committee today met the Ministry of Police and representatives of the CSPS.

The committee has urged the CSPS to move with speed to table the regulations to ensure that Parliament completes the process of considering them. “We have raised a concern that the committee undertook an extensive process of interviews for the council in 2021 and to date, the Council has not been able to move and implement their mandate. This is the reason we will move with speed to consider the regulations and ensure the effectiveness of the Council,” said Ms Tina Joemat-Pettersson, the Chairperson of the committee.

Meanwhile, the committee deliberated on various issues affecting policing, including crime statistics, morale within the South African Police Service (SAPS), the increase in illegal mining, and challenges with gender-based violence. As a result, the committee agreed on the need for a two-day session, where the Minister of Police together with the National Commissioner and senior leadership of the SAPS outline strategies to remedy these concerns. The session’s intentions are to work together to find solutions to the crime challenge facing the country in order to create a safe environment that fosters socio-economic development.

Leave a comment ,

TSA revises and reissues cybersecurity requirements for pipeline owners and operators

Agency News, Industry News, Transport sector

The Transportation Security Administration (TSA) announced the revision and reissuance of its Security Directive regarding oil and natural gas pipeline cybersecurity. This revised directive will continue the effort to build cybersecurity resiliency for the nation’s critical pipelines.

Developed with extensive input from industry stakeholders and federal partners, including the Department’s Cybersecurity and Infrastructure Security Agency (CISA), the reissued security directive for critical pipeline companies follows the directive announced in July 2021. The directive extends cybersecurity requirements for another year, and focuses on performance-based – rather than prescriptive – measures to achieve critical cybersecurity outcomes.

“TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” said TSA Administrator David Pekoske. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”

Following the May 2021 ransomware attack on a major pipeline, TSA issued several security directives mandating that critical pipeline owners and operators implement several urgently needed cybersecurity measures. In the fourteen months since this attack, the threat posed to this sector has evolved and intensified. Reducing this national security risk requires significant public and private collaboration.

Through this revised and reissued security directive, TSA continues to take steps that protect transportation infrastructure from evolving cybersecurity threats. TSA also intends to begin the formal rulemaking process, which will provide the opportunity for the submission and consideration of public comments.

The reissued security directive takes an innovative, performance-based approach to enhancing security, allowing industry to leverage new technologies and be more adaptive to changing environments. The security directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas facilities take action to prevent disruption and degradation to their infrastructure to achieve the following security outcomes:

- Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Pipeline owners and operators are required to:

- Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth in the security directive.
- Develop and maintain a Cybersecurity Incident Response Plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident.
- Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.

These requirements are in addition to the previously established requirement to report significant cybersecurity incidents to CISA, establish a cybersecurity point of contact and conduct an annual cybersecurity vulnerability assessment.

Leave a comment , , ,
1 2 3 4 5 9