Out-of-Band: a Solution for New TSA Regulations on Pipeline Cybersecurity

November 18, 2021
Billy Moran

Written by Billy Moran

TSA Pipeline Security GuidelinesRecent regulations release by the Transportation Security Administration (TSA) addressing pipeline cyber asset security have many in the energy sector scrambling to identify and lock down their critical operational technologies (OT). These OT systems include control systems like SCADA, process control systems (PCS), distributed control systems (DCS), measurement systems, and telemetry systems.

Collectively called “pipeline cyber assets,” in today’s connected world these systems also often rely on IP networks for efficient transport over miles of pipeline as well as links to datacenters for storage and management applications.

With a background in remote management and infrastructure security for defense and financial networks, Uplogix also helps our energy customers meet the new TSA Rules.

When it comes to managing network infrastructure, Uplogix provides key capabilities that fit into both the Baseline and Enhanced Security Measures in the Guidelines Table 3 for asset control. Using Uplogix as a secure gateway to the management ports of devices like routers, switches, firewalls and servers ensures that only the right people have the right access to gear, and everything they do is documented for audit.

Applying out-of-band management to the TSA Regulations

1. Establish and enforce access control policies for local and remote users. Procedures and controls should be in place for approving and enforcing policy for remote and third-party connections.

Protect / Access Control / Baseline Security Measures
TSA Pipeline Security Guidelines, Pipeline Cyber Asset Security Measures Table 3

Working with existing Authentication Authorization and Accounting systems, Uplogix lets administrators create access groups based on job role, device type, geographic parameters… whatever makes sense for the operation. These groups can also be limited to which devices they see and what commands they can run over the console port. Roles are created in the Uplogix Control Center, for an easy-to-manage, comprehensive view of users, roles, locations, and devices.

 

2. Monitor physical and remote user access to critical pipeline cyber assets.

Protect / Access Control / Enhanced Security Measures
TSA Pipeline Security Guidelines, Pipeline Cyber Asset Security Measures Table 3

From a physical access perspective, Uplogix can alert when a device goes down or if the connection to the management port is disrupted. And with an out-of-band connection over a cellular connection, POTS line or even a satellite link, these alerts aren’t dependent on the primary network.

 

3. Segregate and protect the pipeline cyber assets from enterprise networks and the internet using physical separation, firewalls and other protections.

Protect / Protective Technology / Baseline Security Measures
TSA Pipeline Security Guidelines, Pipeline Cyber Asset Security Measures Table 3

Moving network management traffic off of the production network is one definition of out-of-band management. In another federal guideline, the NSA recommended using out-of-band management to create a framework that improves network security by segmenting management traffic from operational traffic. By ensuring that management traffic only comes from the out-of-band communications path, compromised user devices or malicious network traffic is prevented from impacting network operations and compromising network infrastructure. The TSA is also calling for this type of architecture for managing OT systems.

Most of the regulations for pipelines in the TSA document aren’t any different from other industries facing cybersecurity threats to their networked critical assets – whether that means pipelines or medical devices or financial data. The stages of Identify, Protect, Detect, Respond and Recover in the TSA guidelines come from the NIST Cybersecurity Framework that Uplogix has been supporting for years. Talk with us today to see how Uplogix can improve your network management for operations that are more reliable and secure.

Subscribe to Blog Updates