Anyone in critical infrastructure, specifically covered pipelines, should be aware of this recent security directive from the TSA. This is good to see because these are best practices ALL businesses should follow.
View the directive here:
Key Requirements for Pipeline Owners and Operators
There are several key requirements that are now explicitly stated and defined as part of this directive, leaving no room for ambiguity. These requirements are foundational best practices of any Cybersecurity Program and should be followed by all businesses, whether they are mandated under the TSA or not.
The previously established requirements included:
Significant cybersecurity incidents must be reported to CISA.
There must be an established cybersecurity point of contact within the organization.
The business must conduct a cybersecurity vulnerability assessment, at minimum, once per year.
The additional requirements stated include:
The organization must establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth by the security directive.
The business must develop, manage, and maintain a Cybersecurity Incident Response Plan (IRP) that includes specific actions the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident.
Keep in mind that, although similar to a Disaster Recovery Plan, the IRP is distinctly different because it covers the escalation process and remediation steps for cyber incidents that impact the Confidentiality, Integrity, and/or Availability of the data and/or systems within the organization. Depending on the impact of the security incident, the IRP may require invoking the DR plan to restore operations.
Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.
A cybersecurity framework should be adopted in order to implement this successfully. NIST would be the primary framework/resource to leverage in this case (link below).