Cybersecurity for Oil & Gas Pipeline
Implementing TSA’s New Oil & Gas Pipeline Cybersecurity Requirements
On July 27, 2023, the Transportation Security Administration (TSA) updated its cybersecurity requirements for TSA-regulated oil and gas pipeline systems and facilities. Tenable makes it easy to comply with these requirements while maintaining the security and productivity of your systems. (Security Directive Pipeline-2021-02D)
How Tenable Can Help
TSA rules require oil and gas pipeline owners and operators to establish and implement a TSA-approved cybersecurity implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their operational technology (OT) and IT infrastructure. The rules also require organizations to proactively assess the effectiveness of these measures.
This is only a partial list of TSA requirements. For the complete list, please see here (pp. 5-10) and here.
Regulation / Recommendation
(SD III.A.) Identify the Owner/Operator’s Critical Cyber Systems as defined in Section VII.
(SD VII.A.) Critical Cyber Systems means any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption. Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.
How We Help
Tenable helps customers identify their Critical Cyber Systems using a hybrid discovery approach that involves passive traffic analysis and active querying to identify IT/OT/ICS assets.
Regulation / Recommendation
(SD III.B.) Implement network segmentation policies and controls designed to prevent operational disruption to the Operational Technology system if the Information Technology system is compromised or vice versa.
As applied to Critical Cyber Systems, these policies and controls must include:
1. A list and description of:
All external connections to the Operational Technology system; and
How We Help
Segmenting a network creates barriers limiting how far an attack can spread; however, segmentation also limits device visibility. Tenable discovers how devices communicate and which protocols they leverage, providing a contextual asset inventory that is critical for securing your OT environment. Additionally, you can identify high-risk IT assets an attacker would target and then prioritize actions to mitigate risk.
(1.b) Tenable can identify any connections between IT and OT systems/networks and notify users of them.
Regulation / Recommendation
(SD III.D.) Implement continuous monitoring and detection policies and procedures that are designed to prevent, detect, and respond to cybersecurity threats and anomalies affecting Critical Cyber Systems.
These measures must include:
1. Capabilities to:
Monitor and/or block connections from known or suspected malicious command and control servers (such as Tor exit nodes, and other anonymization services).
2. Procedures to:
Audit unauthorized access to internet domains and addresses;
Document and audit any communications between the Operational Technology system and an external system that deviates from the Owner/Operator’s identified baseline of communications;
3. Logging policies that:
Require continuous collection and analyzing of data for potential intrusions and anomalous behavior; and
Ensure data is maintained for sufficient periods to allow for effective investigation of cybersecurity incidents.
How We Help
Tenable leverages multiple detection methodologies to alert on threats coming from external and internal sources. It identifies controller configuration changes, even if a human or malware makes changes directly on a device. Tenable monitors for unauthorized changes and alerts critical stakeholders, providing extended information for a comprehensive audit trail, which results in faster incident response and forensic investigations.
(1.a.) Tenable alerts users on any connections from known or suspected malicious command and control servers.
(2.a.) Tenable alerts users on connections to internet domains and addresses. Authorized domains and addresses can be whitelisted.
(2.b.) Tenable alerts users on deviations from the established baseline of network connectivity.
(3.a.) Tenable continuously analyzes data for potential intrusions and anomalous behavior on Critical Cyber Systems and other Operational and Information Technology systems that directly connect with Critical Cyber Systems.
(3.b.) Tenable retains packet captures to support effective investigation of cybersecurity incidents.
Regulation / Recommendation
(SD III.E.) Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems consistent with the Owner/Operator’s risk-based methodology.
These measures must include:
2. This strategy required by Section III.E.1. must include:
The risk methodology for categorizing and determining criticality of patches and updates, and an implementation timeline based on categorization and criticality; and
Prioritization of all security patches and updates on CISA’s known exploited vulnerabilities catalog.
How We Help
Tenable offers complete visibility, security and compliance, enabling TSA-regulated oil and gas pipeline systems and facilities to mitigate risk.
(2.a) Tenable uses CVSS scores as a standardized view of vulnerabilities across the environment. In addition, Tenable’s Vulnerability Prioritization Rating (VPR) helps practitioners identify high-risk systems and vulnerabilities to focus on, making the best use of your security team’s time during a maintenance window.
(2.b) Through integration with Tenable Security Center, users can prioritize all security patches and updates based on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog.
Available Government Funding for the Oil & Gas Sector
Municipal and community-owned utilities can take advantage of new funding programs from the Department of Transportation.
Available funding programs include:
- Natural Gas Distribution Infrastructure Safety and Modernization (NGDISM) Grant: A competitive grant program that provides $1 billion funding over five years (fiscal years 2022-2026) to nonprofit utilities to repair, rehabilitate or replace natural gas distribution pipeline systems. Applicants must demonstrate an effort to address physical and cybersecurity risks relevant to the project.
Regulation and government funding information provided on this web page is dynamic and subject to change. Refer to tsa.gov for the most up-to-date information.