CYE Strategy

Making Sense of the TSA’s Latest Cyber Regulations for LNG Facilities

July 27, 2021

Making Sense of the TSA’s Latest Cyber Regulations for LNG Facilities

By now, everyone who works in the cyber industry – and most who don’t – are all too familiar with the frequency, severity and sophistication of ransomware attacks – particularly against pipelines and liquefied natural gas (LNG) facilities – as well as the potentially devastating business, financial, reputational and legal impact they can have on businesses of all sizes. In fact, less than a month after the high-profile ransomware attack against Colonial Pipeline, which caused fuel shortages across the East Coast of the U.S for over a month and led to a payment of a $4.4 million ransom, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued its first mandatory cybersecurity directive for LNG facilities.

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas.  “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Here’s what you need to know

The TSA’s Security Directive, which was announced on May 27, 202, essentially has three parts. It requires owners and operators of “critical” hazardous LNG pipelines and facilities to:

  • Designate a “corporate level” cybersecurity coordinator to be available to the TSA and CISA “24 hours a day, seven days a week”
  • Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency “no later than 12 hours after a cybersecurity incident is identified.”
  • Perform a cybersecurity assessment to identify any vulnerabilities and develop and implement the necessary remediation measures.

The requirements point to the TSA’s 2018 Pipeline Security Guidelines, which until now have been recommendations, rather than requirements for compliance. The 2018 document notes that the “intent of these guidelines is to bring a risk-based approach to the application of the security measures throughout the pipeline industry” and follows similar categories as the NIST Cybersecurity Framework of Identify-Protect-Detect-Respond-Recover.

According to the TSA’s latest directive, owners/operators must review section 7 of the 2018 document within 30 days and:

  • Report on whether current practices sufficiently align to the guidelines
  • Identify gaps
  • Institute remediation measures

Section 7 guidelines list several cybersecurity measures categorized either as “baseline” or “enhanced,” depending on whether assets are deemed to be “critical” (whereby “enhanced” security measures would apply) or “non-critical” (whereby “baseline” security measures apply).

This classification assumes that pipeline owners and operators have full visibility of all cyber assets, as well as ongoing awareness of both IT and OT systems and networks. They need to be able to identify, evaluate and prioritize risks and determine effective security controls to put in place in order to limit the risk to an acceptable one.

Turning the directive into an opportunity with nation-level cyber experts

Thankfully, they don’t have to do it alone. CYE’s team of national-level cybersecurity experts can help:

  • Assess – in real time – the entire organizational environment, including third party vendors.
  • Identify where vulnerabilities lie and the attack routes that lead to the business’s crown jewels
  • Quantify the risk that each vulnerability poses to business-critical assets based on our unique, mathematical approach
  • Translate the regulations into actionable items and work plans that can be transferred to the technical teams
  • Review the policies from the perspective of a hacker by infiltrating the organizations, breaching their security systems, executing social engineering campaigns, collecting passwords and bypassing each and every security control.
    • This approach enables organizations to better identify their organizations’ most critical vulnerabilities and prevent attacks before they occur.
  • Maintain a risk dashboard in our cloud-based cybersecurity optimization platform, Hyver, to help management and technical teams see the status of each vulnerability, as well as the risk it poses to the organization – in order to manage them accordingly.
  • Establish an incident response readiness program to test organizational policies and procedures
  • Provide security training to management, technical personnel and general employees and help them react to different cyber attack scenarios
  • Build long-term cybersecurity best practices that not only conform to the regulations, but improve overall cyber resilience.

Furthermore, in an effort to provide cyber visibility across all IT, OT and IoT environments, we partnered with OTORIO, the provider of next-generation OT cyber and digital risk management solutions, to provide an integrated solution to companies with converged IT, OT and IoT environments looking for proactive ransomware protection.

By combining forces, CYE and OTORIO complement each other’s solutions by offering:

  • A single pane of glass to continuously monitor IT, OT and IoT security postures
  • Complete coverage of security visibility, including areas that are currently being shielded by blind spots
  • Quantification of risks and identification of exposures across all IT, OT and IoT environments
  • Long-term cybersecurity best practices though a combination of technology and services
  • Simplified compliance processes

Recent events have highlighted that no company is safe from being targeted by ransomware no matter the size or location. “Businesses of every size are finding it hard to combat the emerging cyber threat either because they lack the financial resources or because they lack the skill set,” says Scott E. Augenbaum, former supervisory special agent at the FBI’s Cyber Division, Cyber Crime Fraud Unit. “The answer lies with the public/private sector taking proactive steps to keep their networks safe by partnering with subject matter experts who develop smart cybersecurity solutions that are easy to install and manage.”


Watch: Expert panel discussion

Click here to watch leading security experts discuss the TSA Pipeline Security Directive and how it can be turned into an actionable work plan.

Itay Peled

By Itay Peled

Technical Account Manager, CYE