Operationalizing NIST CSF 2.0 and TSA Security Directives in Pipeline Cybersecurity
Abstract
As oil and gas pipeline operators in the United States respond to the TSA's cybersecurity security directives and prepare for NIST's Cybersecurity Framework (CSF) version 2.0, whose initial public draft was released in August 2023, they face a further layer of complexity. Over the last two years, TSA guidance has moved away from prescriptive rules toward a performance-based approach that requires operators to document how they plan for and implement the directives' required security measures. The August 2023 public draft of CSF 2.0 added a sixth Framework function, Govern, and restructured the existing five functions to reflect a decade of practice. This paper examines both regimes, identifies their points of alignment, and offers views on how operators can meet the mandates of both without establishing and running two parallel cybersecurity compliance programs. It is aimed at the pipeline cybersecurity leaders who direct this effort, the engineers who support it, and the compliance partners they work with. The goal is to make the regulatory landscape more approachable, not to add new obligations.