Exploring the TSA Pipeline Security Guidelines Against the NERC CIP Standards

One may see parallels where there may be none, but I can’t help myself from drawing some comparisons regarding the currently volunteer Transportation Security Administration (TSA) Pipeline Security Guidelines and the mandatory North America Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards. Many may not recall or know that the NERC CIP Standards began as a volunteer set of “requirements.” First showing up in Appendix G of a failed Standards Market Design (SMD) Notice of Potential Ruling (NOPR) back in 2002 and quickly progressing into what the electric sector called the Urgent Action Standards (UAS), utilities were asked to voluntarily comply with a set of base security constructs and report their compliance back to NERC.

As it stands right now, pipeline owners and operators are obligated to perform a gap assessment of their existing security practices against the TSA Pipeline Security Guidelines. They have 30 days to complete that task and the ticker began May 27th, 2021. If they fail to perform the assessment, there is a potential for a $7500 per day fine. That alone gives one a hint of where all this is potentially going!

From my years of experience with the NERC CIP Standards, I can imagine several things that are happening in the pipeline sector right now. First, I am sure that they are projecting that they can manage this without any need for regulatory interference. Denial is always where it begins! However, it is best to champion a little regulation to avoid an onslaught. This is evidenced with the American Gas Association’s (AGA) response to the TSA’s recent update (April 2021) to the Pipeline Security Guidelines and directives to perform the aforementioned gap assessment.  In this response, the AGA states:

“Last week, the American Gas Association Board of Directors passed a resolution to support reasonable cybersecurity regulations. Elements of reasonable regulation would allow risk-based methodology; support a framework organized by the function’s identity, protect, detect, respond and recover; permit operator flexibility to pivot to a constantly evolving cyber threat landscape; and align with natural gas industry cybersecurity guidelines and standards for operational technology.”

This would be akin to what many electric sector groups like Edison Electric Institute (EEI) and America Public Power Association (APPA) did back when volunteer electric sector cybersecurity requirements began to receive a lot of attention and there was a sense of mandatory obligations in the air. One can’t blame them either. No one wants more regulation. It is intrusive, costly, and often very awkward.

That said, the business of cybersecurity in the Operation Technology (OT) realm continues to suffer from a lack of skilled professionals. It is getting better, but far from being enough to satisfy the OT cybersecurity needs. There is also a serious lack of qualified cybersecurity process specialists who can really help utilities build the necessary practices around security technology so that it is integrated with minimal impact but also can be demonstrably compliant. Of course, we must not forget there is the bridging of worlds that needs to be navigated between the OT and Information Technology (IT) personnel.

Back to the comparison. There is a lot of pressure for critical infrastructure to do much better with cybersecurity (including the related physical security elements). Even with the NERC CIP Standards, there is a significant gap in how well they support the overall cybersecurity needs of the electric sector. This can be seen from bipartisan bills being pushed through congress like the PROTECT Act led by Senator Joe Manchin (D-WV) and the Biden administration’s recent 100-day Plan to Address Cybersecurity Risks to the U.S. Electric System. What was the catalyst for the Urgent Action Standards to become the now mandatory NERC CIP Standards? Well, there were many reasons, but one of the biggest ones was the Northeast blackout of 2003. That event, coming on the heels of the 911 catastrophe, along with continued warnings from former National Security Advisor Richard Clarke regarding how easy it really was to gain access to SCADA systems and other process control systems, are but several pieces of the puzzle. At the time, volunteerism in the electric sector kept showing a very large percentage of “we are doing great” with cybersecurity and that wasn’t sitting well with congress at all. In fact, one might even suggest they didn’t believe the industry. I see the same thing happening with the pipeline sector.

With the recent pipeline ransomware attacks, the cyberattacks against the meat supplier, JBS Snarls Food Chain, and the claims from organized crime groups to do even more damage to U.S. critical infrastructure, there is no doubt a tipping point for more stringent cybersecurity regulation is in play. My prediction is it will end up tipping toward more mandatory pipeline cybersecurity requirements than the industry desires. For that matter, other sectors might want to take note of this as well because cybersecurity regulation may not be too far from their future either. Of course, reading the tea leaves is an art and not a science. We’ll have to see where this all goes together.

Avatar photo
Author: Stacy Bresler
Stacy Bresler is a Managing Partner for Archer Security Group. He has been supporting critical infrastructure organizations with their cyber security needs for over 20 years with a focus on operational technology security practices.

Leave a Reply