At a glance.
- TSA updates security rules for oil and natural gas operators.
- SEC to adopt new rules for cyberincident reporting and use of AI by trading platforms.
- CISA to establish regional election security adviser network.
TSA updates security rules for oil and natural gas pipeline operators.
Yesterday the US Transportation Security Administration (TSA) released a memorandum announcing an update to its Security Directive regarding strengthening the cybersecurity of oil and natural gas pipelines. While earlier versions of the directive required oil and natural gas pipeline owners/operators to develop processes and cybersecurity implementation plans, the revision requires testing and evaluation of those plans. TSA Administrator David Pekoske stated, “TSA is committed to keeping the nation’s transportation systems secure in this challenging cyber threat environment. This revised security directive sustains the strong cybersecurity measures already in place for the oil and natural gas pipeline industry.” The TSA website explains that every year operators must submit an updated Cybersecurity Assessment Plan to TSA for review and approval and report the results of the previous year's assessments. TSA requires that 100% of an owner/operator’s security measures be assessed every three years, and operators must provide an assessment schedule that meets these criteria. As well, the update calls for operators, every year, to test at least two Cybersecurity Incident Response Plan (CIRP) objectives and to include individuals serving in positions identified in the CIRP in those tests.
Chris Warner, OT Senior Security Consultant at GuidePoint Security, wrote to offer a summary of the changes to the regulations, and their likely implications.
"The TSA has announced updates to its Security Directive (SD) aimed at strengthening the operational resilience of oil and natural gas pipeline owners and operators against cyber-attacks. These updates, effective from July 27th, 2023, introduce certain requirements that may demand additional resources from organizations to comply. At a high level, the updated SD includes the following provisions:
- "Annual submission of an Updated Cybersecurity Assessment Plan (CAP) for TSA review and approval.
- "Reporting of the previous year's assessment results and providing an annual schedule for auditing cybersecurity measures, with 100% assessment of security measures required every three years.
- "Annual testing of at least two objectives of the Cybersecurity Incident Response Plan (CIRP), involving relevant individuals identified in the plan.
- "Maintaining existing requirements, such as reporting significant cybersecurity incidents to CISA, designating a cybersecurity point of contact, and conducting a cybersecurity vulnerability assessment (SD Pipeline 2021-01C).
"The updated SD introduces several changes:
- "Section II.A.3 now requires Owner/Operators to reassess their systems if they change their method of pipeline operations, notifying TSA of a schedule for compliance with the SD's requirements.
- "A new Section II.B.3 clarifies whether an Owner/Operator needs to amend their TSA-approved Cybersecurity Implementation Plan (CIP) based on the updated SD.
- "Section II.B.4 has been removed, and Section III.A allows TSA to identify additional Critical Cyber Systems not previously identified during review.
- "Section III.F.1.e updates requirements for CIRP exercises, mandating Owner/Operators to test at least two CIRP objectives, such as network segmentation and OT and IT system isolation, at least twice a year. They must also identify two employee positions that participated in the exercises. Additionally, an annual CAP Report must include the assessment results, methods used, and the effectiveness of policies, procedures, and capabilities.
- "Section III.G changes the acronym CAP to Cybersecurity Assessment Plan, requiring not only its annual submission but TSA approval. The CAP schedule must assess 30% or more of policies, procedures, measures, and capabilities annually to achieve 100% completion of the TSA-approved CIP within three years.
- "Section IV.A now requires referencing previously developed plans, assessments, tests, and evaluations in the CIP and making them available to TSA upon request.
- "Finally, Section V.C is a new requirement addressing how documents are written and submitted to the TSA to provide flexibility for future capabilities in enhancing operational resilience.
"Overall, these newly introduced provisions mandate pipeline owners and operators take proactive steps to enhance their systems' security and protect against potential cybersecurity threats in the oil and natural gas sector. Despite the resource challenges, pipeline owners and operators understand the critical importance of strengthening their cybersecurity measures. While the implementation may be demanding, it is essential to safeguard their systems against potential cyber threats in the oil and natural gas sector. This calls for strategic planning and resource allocation to effectively address the new TSA SD requirements and enhance the overall security posture of these vital infrastructure systems."
Ron Fabela, Field CTO at XONA Systems, wanted to highlight the changes that seem most interesting, and that might be overlooked. "Some minor but interesting updates have been made to TSA SD Pipeline-2021-02D. Interesting bits by section:
- "Section II - TSA seems to be making some clarifications, additions, and removals of sections based on feedback from the pipeline community or as a result of successes (or lack thereof) with certain requirements. For instance, those owner/operators that have identified no "critical cyber systems" will have to reevaluate when operations change, or now TSA may add "critical cyber systems" that were not previously included before. This may be an indication of owner/operator requirement avoidance by simply stating they have no systems applicable to new regulation. NERC had similar challenges early in CIP regulation days when asset owners were allowed to self-identify if they had any "Critical Cyber Assets". Of course the answer at the time was "none here, regulation not applicable."
- "Section III changes incident response plan testing and introduces a new term, "Cybersecurity Assessment Plan". Changes to exercising the cybersecurity incident response plan are interesting in that they now only require that half of the requirements (at least 2 out of the 4 objectives) be tested annually instead of all. These requirements are not especially rigorous, so one wonders what prompted the change. Similarly, while Cybersecurity Assessment Plans must now be reviewed and approved by TSA, a section was added only requiring 30% coverage of requirements to be assessed each year, with 100% assessed over any three-year period. Ignoring the obvious math error (3x30%=90%, not 100%), assessing only one third of your security measures a year is a bold outlier to an effective security program.
- "Section IV changes make an interesting clarification. Use of previous plans, assessments, tests, and evaluations as evidence to meet the SD security directives must now explicitly incorporate these by reference into the CIP and made available to TSA upon request. With TSA having to make these specific changes, I speculate that owner/operators may have said that they have requirements met by other artifacts but then failed to produce said evidence.
"Overall it's great to see updates being made by TSA to clarify the requirements and in some cases, remove any loopholes as a result of practical application of these Security Directives in the field. I would expect more revisions as assessments and technical evaluation of control effectiveness are conducted in the years to come."
Josh Thorngren, Senior DevSecOps Engineer at ForAllSecure, likes the recognition that cybersecurity is a dynamic challenge: "The encouraging piece here is that it treats cyber strategy as something that needs to evolve. Most of the changes related to ensuring cybersecurity strategy and implementation are reviewed at least annually seem apparent, but it is a pretty impactful task. It's easy to think about cybersecurity as 'maintaining walls' - a legacy of the era where we just cared about the perimeter is an acceptance and encouragement to play active defense instead. To continually update and reevaluate. It's too early to tell the impact, but it's incredibly encouraging to treat cyber as an evolving posture vs a fixed one."
Jason Christopher, Director of Cyber Risk at Dragos, approves of the non-prescriptive approach the regulations take:
"Like the last version, TSA’s update to its Security Directive for oil and natural gas pipeline cybersecurity focuses on performance-based, rather than prescriptive, measures. That, along with the fact that pipeline companies can incorporate these measures into their existing Cybersecurity Implementation Plans (CIP) to achieve the right outcomes while accommodating differences in systems and operations, shows strong progress in TSA’s support for the distinct needs of the sector and of individual companies.
"The update also gives owners and operators important flexibility to leverage various industry standards they already use—such as the NIST Cybersecurity Framework and the ISA/IEC 62443 series. The focus on continuous monitoring and performing exercises, as well as the approval to use compensating controls, represent major improvements for all pipeline owners and operators.
"Given the increased audit language and reporting requirements in the updated regulation, we hope that TSA continues to align such requirements with other regulatory frameworks to reduce the burden on critical infrastructure owners and operators that are subject to multiple regulatory authorities. We also hope that TSA continues to engage with private sector and industry experts as they update and revise the Security Directives moving forward. Operators are the experts in their own systems and contribute valuable input that allows for the best possible security outcomes from the regulatory process, putting oil and gas companies in a better position to address the evolving and intensified threat of cyberattacks and to improve resilience throughout our nation’s infrastructure."
(Added, 9:45 PM ET, July 27th, 2023.)
Darron Makrokanis, Chief Revenue Officer of Xage Security, approves of Federal efforts to increase pipeline security. "It is encouraging to see the U.S. government’s continued efforts to strengthen the nation's critical pipelines against cyberattacks. There is a precedent for TSA directives leading to improved cyber security outcomes. From our close working relationships with organizations across the various TSA-regulated industries, we at Xage have firsthand knowledge that TSA security directives, like the one today, have led to operators taking action to improve their cyber hardening and to achieve TSA compliance." Makrokanis also thinks it's a good sign that TSA is establishing performance requirements. "It’s promising to see TSA using its regulatory authority to issue security directives mandating cybersecurity performance requirements rather than simply issuing advice and guidance. This is not surprising given the ongoing risks the energy sector is facing from cyberattacks. We also look forward to more efforts from the United States Government to take similar steps in other critical infrastructure sectors as outlined in the recent National Cybersecurity Strategy Implementation Plan. It's critical to the safety of our nation and our national security that we continue to take proactive steps in securing all 16 critical infrastructure sectors as outlined by DHS CISA."
SEC to adopt new rules for cyberincident reporting and use of AI by trading platforms.
As we noted yesterday, the US Securities and Exchange Commission voted to adopt a new rule, proposed last year, requiring publicly traded companies to expand and standardize their cybersecurity management and disclosure rules. In a statement SEC Commissioner Jaime Lizárraga notes that until now the SEC lacked disclosure requirements that explicitly refer to cybersecurity risks, governance or incident reporting. He explains that the new measure will “provide investors with more timely, standardized, and informative disclosures, which will reduce market mispricing and information asymmetries.” Commissioner Caroline A. Crenshaw explains why public disclosure about the cyber threats impacting a company is so important. “Among other reasons, breaches can (and do) result in loss of revenue, customers, and business opportunities. Those harms may be realized or they may be ongoing in the form of lost sensitive information, remediation costs, and losses in shareholder value.”
As the Washington Post notes, the new rule has been criticized by Republicans and industry for being too broad. Melissa MacGregor, the Securities Industry and Financial Markets Association’s deputy general counsel and corporate secretary, claims the rule “mandates public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity specialist agencies.” Harley Geiger, a counsel at the Center for Cybersecurity Policy and Law, agrees that requiring companies to disclose an incident within just four days could expose companies to additional risk. In that time “the company may or may not have expelled the attacker and patched the vulnerability or the vector that caused the incident in the first place,” Geiger told CyberScoop.
The Post also reports that the SEC also voted to propose new rules limiting how online brokerages use artificial intelligence to motivate customers. The Commission has found that investment platforms employ various tactics like graphics and behavioral prompts to make trading more fun and encourage customers to engage in riskier trading that might go against the customer’s interests. SEC Chair Gary Gensler said, “Artificial intelligence has complexity. But you have a basic, high-level strategic question: Are you optimizing just for investors, or are you optimizing also for the robo-advisor brokerage app? That’s a straight-up conflict.” In this proposal, investment firms would be required to identify these potential conflicts of interest and eliminate them.
As the Wall Street Journal writes, the SEC’s two Republican commissioners voted against the proposal. Opponents of the measure argue it will make it more difficult for individuals to invest, and Republican commissioner Mark Uyeda said the proposal was too broad. Public comment will be accepted for sixty days before the Commission votes on the proposal.
Richard Bird, CSO of Traceable AI, distinguishes between mechanical compliance and genuine coordination. “Rather than exhibiting the courage and coordination required to create something as crucial as a national data privacy law, once again, agencies like the SEC are pushing for faster breach notifications in the hopes that the American people will think the government is addressing the need for stronger cybersecurity. But breach notices are not security -- and never will be." The approach, Bird maintains, is backward-looking and inadequate. "The SEC proves once again that our federal agencies can only view security with a rearview mirror. Breach notices are an outcome, not a protection. The enormous resistance of our federal government to mandate basic security principles as a requirement for doing business in our nation is inexcusable. It is time for it to treat cybersecurity as a proactive measure rather than an afterthought.”
Tyler Farrar, CISO at Exabeam, however, sees the regulations as a move toward transparency. "The ruling certainly signifies a move toward increased transparency and heightened investor protection. A 4-day disclosure period can provide investors with near real-time information, which is crucial." Farrar thinks companies may find that the deadlines the rules impose prove challenging. "However, this timeframe may be seen as challenging by companies given that comprehensive investigations of cybersecurity incidents can often extend beyond this period; premature disclosures can spur misinformation or unnecessary alarm. I am hopeful that the stipulation for annual disclosure of cybersecurity risk management practices and executive expertise can be the catalyst for companies to further or finally invest in robust cybersecurity measures and expertise."
Farrar also sees implications for consumers, especially should the rules drive more vendor attention to security. "While these new regulations are indeed designed with investor protection in mind, they may also have indirect implications for consumers. Improved cybersecurity infrastructure and more timely information about breaches can help protect consumers’ data. With the new rules in place, companies may be more incentivized to avoid the reputational damage and potential drop in stock value that could follow a public breach disclosure. This added layer of accountability can thus create a safer environment for consumers’ personal information. Moreover, these rules amplify the importance of accountability at the highest organizational levels. Cybersecurity is not merely an IT concern; it’s a strategic business issue that demands attention from the C-suite and the board. This broadened responsibility can result in a more comprehensive and effective approach to cybersecurity, further protecting consumer data.”
(Added, 9:45 PM ET, July 27th, 2023.)
Eldon Sprickerhoff, Founder & Advisor, eSentire, approves of the approach, and also of the rule-making process. Regulatory bodies commonly say they're interested in stakeholder input; in this case, Sprickerhoff thinks the SEC meant it. "The SEC took the feedback gathered quite seriously over the past 16 months and either removed or softened the most onerous compliance components to enact a more tractable solution. It’s good to see that the rules have finally been adopted. Initially, there were concerns that the proposed timeline to disclose was 48 hours, which in the scope of live incident response was universally acknowledged as decidedly insufficient. In the new ruling, they leave the definition of 'material impact' up to the company itself, but they," that is, the company, "will need to make that definition public. This is important. There’s a fair amount of latitude in determining what is MATERIAL. For example, 'What would a reasonable shareholder consider important in making an investment decision, or would this significantly alter the "total mix" of information made available?' These are BIG questions, especially since so much information is already 'priced in.' The SEC has also walked back their need to disclose cybersecurity expertise among their board members. It will likely be sufficient for CISOs to have consistent high-level data flowing up to board members themselves." Sprickerhoff highlighted the regulations' probable effect on the investment community. "I expect that as they have formalized the 'Four Business Day Disclosure Rule' for public companies, they will enact the same timing later this year for Investment Management firms (for the sake of consistency). It will be very interesting to see how these interpretations filter out into the market and how this applies to private investment management firms (where there isn’t the same amount of public disclosure available to their investors). 
Investment Management firms are (generally) considerably smaller than most public firms – they wouldn’t necessarily have the same strict board structure. If the SEC is making it easier for the boards of public companies regarding cybersecurity expertise, we can make an inference that they won’t make it more difficult for the smaller (private) companies."
CISA to establish regional election security adviser network.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), announced on Tuesday that the agency plans to create a network of regional election security advisers in preparation for the 2024 presidential election. These ten election security specialists will work with election officials to “build even stronger connective tissue between state and local election officials and…CISA.” As the Record notes, her announcement falls in line with CISA’s recent push for collaboration with local governments, and the agency has already placed coordinators in all fifty states to provide local officials with advice on cyber protections for critical infrastructure. As well, the New Bern Sun Journal explains, election security has been at top of mind since Russia’s attempts to meddle in the 2016 elections. After her announcement, which took place at the summer conference of the National Association of State Election Directors, Easterly stressed that public confidence in the vote is essential. “All of the reasons why people should trust the integrity and security of elections remain the same: the physical security safeguards, the cybersecurity safeguards, all of the defense-in-depth mechanisms, the segmentation, the training that goes on,” Easterly said. “Nothing will change all these safeguards and measures that are put in place to ensure the integrity and resilience of elections.”