Page 9 - NorthAm Week 25 2021
P. 9
NorthAmOil POLICY NorthAmOil
US midstream sector approaching TSA’s
deadline for cybersecurity compliance
US US pipeline companies are facing a deadline pipeline owners and operators complete this
for compliance with a cybersecurity directive short-fused task in a digitally automated man-
issued last month by the Transportation Security ner and complete this security directive before
Administration (TSA) following a ransomware the deadline,” he told NorthAmOil.
attack on Georgia-based Colonial Pipeline. He was referring to SecurityGate.io’s
In the directive, TSA gave the owners and announcement in mid-June that it had made
operators of LNG terminals and midstream the cybersecurity assessment framework avail-
assets (oil, gas and petroleum product pipelines) able to companies affected by the TSA directive
designated as strategic infrastructure facilities outside its own platform. The announcement
30 days to evaluate and report on their cyber- pointed out that the framework could help
security position. Specifically, it instructed them midstream owners and operators meet require-
to identify their cybersecurity co-ordinators, ments more quickly, calling it a good alternative
compare their cybersecurity strategies to a TSA to “time-consuming manual efforts that put
guide published three years ago, report any gaps them at risk of missing DHS’s 30-day response
they discovered, draw up remediation plans for requirement.”
the gaps and report potential and confirmed The agency itself has not commented on the
cyberattacks to the Cybersecurity and Infra- matter. Instead, it has signalled that it expects
structure Security Agency (CISA), a division of the US government to adopt additional require-
the Department of Homeland Security (DHS). ments with respect to cybersecurity in the mid- As of press time,
The 30-day period is due to expire on June stream sector.
28. As of press time, it was not clear what level of Earlier this month, Sonya Proctor, TSA’s it was not clear
compliance TSA could expect from the compa- assistant administrator for surface operations,
nies affected by the directive. told members of the House of Representatives what level of
According to Chris Bihary, the CEO and at a virtual hearing that a second directive was in
co-founder of Garland Technology, a provider the works. The new directive “will require more compliance TSA
of network test access point (TAP) visibility specific mitigation measures, and it will ulti- could expect from
solutions, meeting TSA’s requirements is likely mately include more specific requirements with
to be easier for pipeline owners and opera- regard to assessments,” she said. TSA intends to the companies
tors that have already made efforts to establish establish teams of inspectors with experience
strong and effective cybersecurity strategies. in both cybersecurity and pipeline operations affected by the
Bihary described the agency’s 30-day deadline as to monitor compliance with these additional
“definitely aggressive” and told NorthAmOil that requirements, she said. directive.
unprepared companies might struggle to take all Proctor did not say when she expected the
the steps prescribed. new instructions to be rolled out, but some
Meanwhile, Bill Lawrence, the CISO of the industry observers expect TSA to move forward
SecurityGate.io risk management SaaS (Soft- soon. For example, John Stoody, vice-president
ware-as-a-Service) platform for industrial for government and public relations at the Asso-
cybersecurity, reported that his own company ciation of Oil Pipe Lines (AOPL), told NorthAm-
had taken steps to help midstream companies Oil earlier this week that officials in Washington
achieve compliance. “SecurityGate.io integrated were likely to clarify their expectations on this
the TSA framework into our platform to help front in the near future.
Week 25 24•June•2021 www. NEWSBASE .com P9