Page 12 - GLNG Week 25 2021
AMERICAS
US midstream sector approaching TSA’s deadline for cybersecurity compliance

POLICY

US pipeline companies are facing a deadline for compliance with a cybersecurity directive issued last month by the Transportation Security Administration (TSA) following a ransomware attack on Georgia-based Colonial Pipeline.

In the directive, TSA gave the owners and operators of LNG terminals and midstream assets (oil, gas and petroleum product pipelines) designated as strategic infrastructure facilities 30 days to evaluate and report on their cybersecurity position. Specifically, it instructed them to identify their cybersecurity co-ordinators, compare their cybersecurity strategies to a TSA guide published three years ago, report any gaps they discovered, draw up remediation plans for the gaps and report potential and confirmed cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security (DHS).

The 30-day period is due to expire on June 28. As of press time, it was not clear what level of compliance TSA could expect from the companies affected by the directive.

According to Chris Bihary, the CEO and co-founder of Garland Technology, a provider of network test access point (TAP) visibility solutions, meeting TSA’s requirements is likely to be easier for pipeline owners and operators that have already made efforts to establish strong and effective cybersecurity strategies. Bihary described the agency’s 30-day deadline as “definitely aggressive” and told GLNG that unprepared companies might struggle to take all the steps prescribed.

Meanwhile, Bill Lawrence, the CISO of the SecurityGate.io risk management SaaS (Software-as-a-Service) platform for industrial cybersecurity, reported that his own company had taken steps to help midstream companies achieve compliance. “SecurityGate.io integrated the TSA framework into our platform to help pipeline owners and operators complete this short-fused task in a digitally automated manner and complete this security directive before the deadline,” he told GLNG.

He was referring to SecurityGate.io’s announcement in mid-June that it had made the cybersecurity assessment framework available to companies affected by the TSA directive outside its own platform. The announcement pointed out that the framework could help midstream owners and operators meet requirements more quickly, calling it a good alternative to “time-consuming manual efforts that put them at risk of missing DHS’s 30-day response requirement.”

The agency itself has not commented on the matter. Instead, it has signalled that it expects the US government to adopt additional requirements with respect to cybersecurity in the midstream sector.

Earlier this month, Sonya Proctor, TSA’s assistant administrator for surface operations, told members of the House of Representatives at a virtual hearing that a second directive was in the works. The new directive “will require more specific mitigation measures, and it will ultimately include more specific requirements with regard to assessments,” she said. TSA intends to establish teams of inspectors with experience in both cybersecurity and pipeline operations to monitor compliance with these additional requirements, she said.

Proctor did not say when she expected the new instructions to be rolled out, but some industry observers expect TSA to move forward soon. For example, John Stoody, vice-president for government and public relations at the Association of Oil Pipe Lines (AOPL), told GLNG earlier this week that officials in Washington were likely to clarify their expectations on this front in the near future.
www.NEWSBASE.com, Week 25, 25 June 2021