- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
New Pipeline Directive Creates Urgency – Cisco Blogs
As of May 28,2021, pipeline operators doing business in the USA are under a new security directive on pipeline cybersecurity from the TSA (Transportation Security Administration). For owner/operators who have a strong security practice the adjustments will be straight forward, but I expect there is significant work to do for many who apply security practices in a less structured way.
This directive has 3 requirements:
- Reporting: As of June 28, owner/operators are required to report security incidents to the TSA and CISA within 12 hours of the incident
- Coordinator role: Additionally, owner/operators are required to have identified a “corporate level” security coordinator that must be available to the TSA and CISA 24/7.
- Vulnerability assessment: Perform a vulnerability assessment to identify any gaps, then develop and implement appropriate remediation measures.
Let’s take a closer look at how this works. The third requirement points to a supporting document of pipeline security guidelines from the TSA that has been out for a few years. These guidelines have been recommendations until now, but with this directive, they become requirements for compliance. Each company is required to compare their current activities with these security guidelines and then “… review their current activities against TSA’s recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA.” [TSA Security Directive Pipeline-2021-01]
This mandated activity will likely become a periodic event (e.g. annual) that could be enforced with audits and other governance mechanisms. This process of assessing security risks and then building a plan to remediate gaps is not a new one but until now it hasn’t been mandated by anyone. This is where the urgency comes in.
The requirement to report incidents and the potential for regularly scheduled assessments will likely accelerate cybersecurity deployments within line of business operations.
If you are one of the owner/operators that the TSA has sent this directive to, I’d like to offer some help. At Cisco, we have security practitioners and partners that do security assessments, mitigation planning, infrastructure deployment and incident response work, and they’re passionate about it.
Please reach out to your Cisco account team for more information, or feel free to message me directly: Roland Plett on LinkedIn
Resources
Security Directive Pipeline-2021-01 (pdf)
TSA Pipeline Security Guidelines (pdf)
Pipeline Security Tunnel Vision (blog)
Share: