Achieve TSA Compliance in Days, Not Years - Without Downtime!

Download VISUAL SUMMARY

TSA Requirements

Colonial Pipeline changed everything for mid-stream oil and gas companies.  Shortly after that devastating cyber attack that crippled the entire Eastern Seaboard for 5 days, TSA issued a regulatory mandate (SD-O2C) that was updated on July 27, 2023 that includes fines for up to $14,950 per incident per day for non-compliance.  Risk and Compliance Managers need to make sure a cybersecurity implementation plan has been created and submitted to TSA for approval, an incident response plan is in place and a cybersecurity assessment program has been submitted for approval.

The Cybersecurity Implementation Plan Must Have These 4 Elements:

Network Segmentation - Implementing network segmentation policies and controls to ensure that Operational Technology (OT) systems can continue to safely operate in the event that an Information Technology (IT) system has been compromised and vice versa

Secure Remote Access - Implementing secure access control measures that prevents unauthorized access

Patch Risk Reduction - Reduce the risk of exploitation of unpatched systems by patching and updating operating systems, applications, drivers, firmware in a timely, risk-based methodology

Continuous Monitoring - Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations

Accomplishing those 4 objectives can be difficult in any environment, but in OT environments, like those that you rely on, it can be almost impossible because HMI’s, SCADA servers, Data Historians, RTU’s, etc. are simply not running up-to-date, modern operating systems. In addition, meeting these requirements can be extremely costly in terms of personnel and downtime.

The Good News Is  There Is an Effective Answer With BlastShield That Specifically Addresses OT Systems:

Table showing how BlastShield meets the TSA requirements
Network Segmentation Illustration

Network Segmentation

Alternative Solutions

Expensive Firewalls

Complex Configurations

Ongoing Maintenance

BlastShield

BlastShield delivers seamless segmentation without the need for expensive firewalls.

Drag-and-drop simplicity eliminates complex rule conflicts

No ongoing downtime for installation.

One reason OT environments aren’t easily segmented is that, in most cases, HMI’s, SCADA servers, Data Historians, RTU’s, etc. are simply not running up-to-date, modern operating systems.  They are typically running Windows 7, Windows 2000, Windows XP, Windows 98, 95, etc.  You simply can’t load an agent on these devices, so the only viable mechanism to segment an OT network is by adding firewalls.  Adding firewalls are expensive and invariably set up firewall rule conflicts that are extremely difficult to maintain as pipeline needs evolve.  And, it’s not only the cost of buying and installing these firewalls, but the cost of having to hire staff to manage them on an ongoing basis.   BlastShield can deliver segmentation in OT at one-third or less the cost of firewalls and eliminate the need to hire these hard to find network specialists because the solution is drag and drop simple.

Below Are a List of Alternatives for Network Segmentation:

Graph showing alternatives for network segmentation.

*OT focused peer-to-peer, software defined perimeter

Remote Access Illustration

Remote Access

Alternative Solutions

Extensive Analysis

High Replacement Costs

BlastShield

BlastShield makes devices virtually undiscoverable, providing protection against unpatched system vulnerabilities.

Reduces reliance on patch availability for compliance.

Vendors, partners and employees need access to their respective devices and systems.  Remote access allows all parties to manage those systems without incurring expensive travel costs.  Once remote access has been enabled for some, it can be an obvious insertion point for adversaries.  The requirement is to institute remote access in a way that prevents unauthorized access. There are many ways to achieve remote access, but only BlastShield gives the granular control to minimize the risk of unauthorized access.

Secure Remote Access Alternative for OT Environments

Graph showing alternatives for OT environments
Patch Risk Reduction Illustration

Patch Risk Reduction

Alternative Solutions

Vulnerable VPNs

Limited Access Control

BlastShield

BlastShield enforces zero-trust policies for secure remote access.

Granular access control minimizes unauthorized access risks.

Another particularly challenging hurdle for risk managers to deal with is the requirement to reduce risk associated with unpatched systems.  In Enterprise IT environments, this is fairly straightforward. In OT environments like midstream oil and gas, those legacy operating systems create another problem. Those operating systems are unsupported, so any vulnerabilities that get discovered can be exploited with impunity. BlastShield makes all of your devices undiscoverable to adversaries.  If a hacker runs a network scan, they will see absolutely nothing.  By contrast, your security teams will have perfect visibility into each attempted network request, the number of bytes of data transferred, and a log of who did what when, from where.  This is asymmetric visibility.  So if a patch isn’t or won’t be available, as is commonly the case, your environment is protected and in compliance.

Graph showing alternatives to accomplish patch risk reduction
Continuous Monitoring Illustration

Continuous Monitoring

Many companies have scanning tools that can identify critical systems and perform continuous monitoring. Using a SIEM or SOAR tool, of which there are many, can handle the continuous monitoring requirement.  Claroty, Nozomi, Dragos, etc. can deliver this functionality for OT environments out of the box. Staffing the SOC or outsourcing to an MSSP can be the last remaining step to deliver incidence response on top of the monitoring which is important for reacting to the highest priority anomalies.

BlastShield Is the “Easy Path” to TSA Compliance!

BlastShield provides 3 out of the 4 compliance requirements in one easy-to-deploy, easy-to-use package that eliminates the need to hire extra staff and saves you money. Finally, many compliance and risk managers report through the CFO organization which is responsible for insurance.  Cyber insurance has gotten almost prohibitively expensive with premiums going up over 100% in the last year.  BlastShield also checks the boxes cyber insurance carriers want to see, leading to reduced premiums or, in some cases, being able to get insurance instead of being denied.  Compliance with the TSA SD02D can be challenging, given the unique OT requirements that are not addressed by the major IT solutions.  Segmentation and patching in OT are particularly problematic. BlastShield can make it easy and cost effective to address three out of the four requirements (and two that really can’t be addressed in any other cost effective way).  On top of the compliance, BlastShield also saves money spent on personnel, other more expensive products, and reduced insurance premiums.

Schedule a Demo: https://go.blastwave.com/schedule-a-demo

Start a Free Trial: https://www.blastwave.com/free-trial

TSA Compliance Solutions Brief Image

Download the Solutions Brief!

Getting started with BlastShield is easy and free.

Getting started with BlastShield is easy and free. Follow the three steps below and get up and running fast.

Create a Free Trial
Account

Download the BlastShield Authenticator & Client

Make Your Host Invisible
In Minutes

Start a Free Trial