Cybersecurity experts have been clear in their advice on protecting the nation's critical infrastructure, and the message has remained consistent.
In the wake of the crippling ransomware attack on Colonial Pipeline, the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) issued new regulations for the pipeline sector. The order requires pipeline owners and operators to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
Pipeline owners and operators are also required to designate a cybersecurity coordinator to handle cybersecurity matters, and to review their systems and practices within 30 days to identify any gaps against existing cybersecurity guidelines.
Edgard Capdevielle, CEO of Nozomi Networks, says he is encouraged to see DHS and TSA take action to ensure appropriate security measures for the oil and gas industry. Most critical infrastructure sectors don’t have mandatory cyber standards, and until now that included oil and gas.
“The requirement for mandatory breach reporting will help shine a light on the extent of the problem in this sector. Cybersecurity is a team sport,” says Capdevielle in a statement. “Pipeline operators, security vendors and the government alike need to work together as a community to share threat intelligence and breach data in real time. An open approach to information sharing will play a big part in building a more mature cyber defense.”
The distributed nature of the oil and gas sector makes this extra challenging, explains Capdevielle. “It requires many different forms of connectivity and can be more difficult to secure. These environments are distributed and physically remote,” he says. “No two operators are alike in terms of the exact processes and systems they’re using, which makes it harder to establish one set of cybersecurity requirements that will work effectively for all. There will need to be some flexibility and collaboration to make it work.”
Capdevielle adds, “While there's a place for regulated security requirements, we need to be careful not to put all the burden on the victim(s). Tax incentives, and government-funded centers of excellence will help ensure critical infrastructure operators can build and maintain effective cybersecurity programs over time. And it's time to take aggressive steps to hold sophisticated criminal rings and threat actors accountable for their crimes,” he says. “We know from our work with leading oil and gas companies around the world, that those suppliers who invest early in strong cybersecurity programs and resiliency are able to respond faster, and with less financial damage, to ransomware and other cyberattacks, compared to those who wait until an incident occurs to invest in their defense.”
According to Jerome Becquart, COO of Axiad, cybersecurity is no longer a priority for just the IT team and the CIO. “In the oil and gas and other industries, physical infrastructure and operational assets are now highly connected to our global networks, making them vulnerable to the same type of attacks that previously only occurred on cloud-based applications and digital assets,” says Becquart in a statement. “As operations digitalized, many organizations failed to do one thing: prioritize security. This is compounded by the fact that organizations often lagged behind in adapting their processes and still operate with an analog mindset.”
Becquart adds, “It’s critical to reassess and take a more dynamic approach to security: identify what connects to our infrastructure, validate these are legitimate entities, and ensure the right level of access. We need to leverage the identity management best practices we are using in the IT space and extend them to the operational side of our businesses.”
The recent pipeline attack was a watershed moment for oil and natural gas pipeline security regulation. For years, the cybersecurity industry has been warning of a ‘digital Pearl Harbor,’ which has become more prescient as our adversaries look to cause disturbances amongst our critical infrastructure, adds ThycoticCentrify VP Public Sector Bill O’Neill.
“Attacks are no longer just impacting businesses and governments but are disrupting how we function as a society. Yesterday it’s water, today it’s gas, tomorrow it could very well be electricity,” says O’Neill. “The pipeline incident brought the need for public and private sector cooperation on this issue to the forefront, and this latest order from the Biden administration is a promising first step. However, the overall mindset about cybersecurity needs to change at a fundamental level.”
According to O’Neill, critical infrastructure organizations should turn to modern privileged access management (PAM) solutions that leverage identities to reduce the reliance on shared passwords, enforce more granular controls, and stop privileged administrative access abuse, which is what led to the Oldsmar and pipeline attacks.
“Both incidents may have been preventable if their networks used a least privilege approach based on Zero Trust principles to verify who is requesting access, the context of the request, and the risk of the access environment,” says O’Neill. “Promisingly, research this month shows that an impressive 77% of U.S. organizations utilize a Zero Trust approach in their cybersecurity strategy, but there is no doubt still room for improvement. We hope this order lights a fire under critical infrastructure organizations across the U.S., and maybe even the world to modernize their security approaches.”
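The “who, context, risk” check O’Neill describes can be made concrete. The following is an added example written for this page, not code from the page, from ThycoticCentrify or from any vendor: a least-privilege decision for a privileged OT session that checks the identity’s explicit entitlement, the strength of the authentication, and the risk of the device and network the request comes from, and that can answer “allow”, “step up” or “deny” rather than accepting a shared password. The roles, zones, weights and thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the page or any vendor's product): a least-privilege
access decision that checks who is asking, the context of the request and the
risk of the environment before granting privileged access to an OT asset.
Roles, zones, weights and thresholds below are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role-to-permission map: every (asset class, action) pair must be
# listed explicitly; anything not listed is denied.
ROLE_PERMISSIONS = {
    "ot_engineer": {("plc", "read"), ("plc", "write_config")},
    "ot_operator": {("plc", "read"), ("hmi", "operate")},
    "it_helpdesk": {("workstation", "reset_password")},
}
# Actions that change process state; permitted only from the control network.
STATE_CHANGING = {"write_config", "operate"}
STEP_UP_THRESHOLD = 2   # risk at or above this: require fresh MFA and approval
DENY_THRESHOLD = 4      # risk at or above this: refuse outright


@dataclass
class AccessRequest:
    user: str
    role: str
    asset_class: str
    action: str
    mfa_passed: bool        # MFA completed for this session
    device_managed: bool    # device posture known and compliant
    source_zone: str        # "control", "corporate" or "remote"
    requested_at: datetime


@dataclass
class Decision:
    outcome: str            # "allow", "step_up" or "deny"
    risk: int
    reasons: list = field(default_factory=list)


def risk_score(req: AccessRequest):
    """Context and environment signals, weighted additively (assumed weights)."""
    score, reasons = 0, []
    if not req.device_managed:
        score += 3
        reasons.append("unmanaged device")
    if req.source_zone == "remote":
        score += 2
        reasons.append("remote access path")
    elif req.source_zone == "corporate":
        score += 1
        reasons.append("request from corporate network")
    hour = req.requested_at.astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:
        score += 1
        reasons.append("outside normal shift hours")
    return score, reasons


def evaluate(req: AccessRequest) -> Decision:
    # Who: the role must be explicitly granted this action on this asset class.
    if (req.asset_class, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision("deny", 0, [f"role {req.role} not granted {req.action} on {req.asset_class}"])
    # Identity strength: a password alone never opens a privileged session.
    if not req.mfa_passed:
        return Decision("deny", 0, ["MFA not satisfied"])
    # Hard rule: state-changing actions only from the control network.
    if req.action in STATE_CHANGING and req.source_zone != "control":
        return Decision("deny", 0, [f"{req.action} not permitted from {req.source_zone} zone"])
    # Risk of the environment decides between allow, step-up and deny.
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)
    if score >= STEP_UP_THRESHOLD:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


def demo():
    """Constructed requests covering each branch; returns the outcome per case."""
    day = datetime(2021, 5, 27, 10, 0, tzinfo=timezone.utc)
    late = datetime(2021, 5, 27, 23, 30, tzinfo=timezone.utc)
    cases = {
        "engineer_read_control": AccessRequest("alice", "ot_engineer", "plc", "read", True, True, "control", day),
        "engineer_write_remote": AccessRequest("alice", "ot_engineer", "plc", "write_config", True, True, "remote", day),
        "operator_read_remote": AccessRequest("bob", "ot_operator", "plc", "read", True, True, "remote", day),
        "operator_unmanaged_late": AccessRequest("bob", "ot_operator", "plc", "read", True, False, "corporate", late),
        "helpdesk_plc_read": AccessRequest("carol", "it_helpdesk", "plc", "read", True, True, "control", day),
        "no_mfa": AccessRequest("alice", "ot_engineer", "plc", "read", False, True, "control", day),
    }
    return {name: evaluate(req).outcome for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the structure is that a shared password is never an input: the decision is bound to a named identity, an explicit entitlement and the live context, and the same engineer who is allowed to push configuration from the control network is refused when the identical request arrives over a remote path.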
Neil Jones, cybersecurity evangelist with Egnyte, is encouraged to see the formalization of cybersecurity requirements for oil and natural gas pipelines, along with the electrical grid. “As a result of the Colonial Pipeline breach, many Southeastern US states faced frustratingly long lines at gasoline stations for the first time since the 1970s,” says Jones. “Next time, the disruption could be even more severe, with a crippling impact on the US economy. Bottom line, we need to be mindful of our critical infrastructure. Since Stuxnet we've said how vulnerable the U.S. is to potential attacks, but most of our concerns have been dismissed as FUD. Colonial is an inflection point that demands higher security levels and commitment from both the public and private sectors to infrastructure security.”
Historically, the overall approach hasn’t been strong enough for securing pipelines. The previous guidance contained a lot of soft language such as “pipeline operators should consider the approach outlined,” lacking any real emphasis on action. The new change is a positive move from voluntary to mandatory, but it’s still not enough, explains Steve Moore, chief security strategist with Exabeam.
“The prior published guidance, most recently updated in April of 2021, creates many silos of activity, but there’s no requirement for a platform for outcomes. The language reads: ‘Implement processes to generate alerts and log cybersecurity events in response to anomalous activity. Review the logs and respond to alerts in a timely manner.’ They get credit for mentioning anomalous activity, but how is normal to be known,” says Moore.
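Moore’s question, how “normal” is to be known before “anomalous activity” can be alerted on, has a practical answer: learn the baseline from a window of traffic that has been reviewed as clean, then alert on what departs from it. The following is an added example written for this page, not code from the page, from TSA or from Exabeam: it parses constructed OT flow logs, learns which hosts talk to which controllers with which Modbus function codes, and then flags an HMI that starts issuing writes and a host that never appeared in the baseline. The log format, addresses and host roles are all constructed.

```python
"""Added example (written for this page; not from the page, TSA or any vendor):
learn what "normal" looks like from a training window of OT flow logs, then
alert on deviations. The log format, addresses and host roles are constructed."""
import re
from collections import defaultdict

# Assumed one-flow-per-line format, with the Modbus function code (fc) recorded.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) fc=(?P<fc>\d+)$"
)
# Modbus function codes that change controller state (writes).
WRITE_FCS = {5, 6, 15, 16, 23}

# Constructed training window: 10.1.1.10 is an HMI that only polls (fc=3),
# 10.1.1.11 is an engineering workstation that pushes configuration (fc=16).
BASELINE_LOG = """
2021-05-24T08:00:01Z src=10.1.1.10 dst=10.1.2.20 proto=modbus fc=3
2021-05-24T08:00:02Z src=10.1.1.10 dst=10.1.2.21 proto=modbus fc=3
2021-05-24T08:05:00Z src=10.1.1.11 dst=10.1.2.20 proto=modbus fc=16
2021-05-24T08:05:01Z src=10.1.1.11 dst=10.1.2.21 proto=modbus fc=16
2021-05-24T09:00:00Z src=10.1.1.10 dst=10.1.2.20 proto=modbus fc=3
""".strip().splitlines()

# Constructed live window: one malformed line, the HMI issuing a write,
# an unknown host, and two flows that match the baseline.
LIVE_LOG = """
2021-05-27T10:00:01Z src=10.1.1.10 dst=10.1.2.20 proto=modbus fc=3
this line is not in the expected format
2021-05-27T10:00:05Z src=10.1.1.10 dst=10.1.2.20 proto=modbus fc=16
2021-05-27T10:01:00Z src=10.0.5.77 dst=10.1.2.21 proto=modbus fc=3
2021-05-27T10:02:00Z src=10.1.1.11 dst=10.1.2.21 proto=modbus fc=16
""".strip().splitlines()


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped but counted."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["fc"] = int(ev["fc"])
        events.append(ev)
    return events, skipped


def learn_baseline(events):
    """Normal = the set of (src, dst, proto, fc) flows seen in the training
    window, plus, per source host, the set of function codes it has used."""
    flows = set()
    fcs_by_src = defaultdict(set)
    for ev in events:
        flows.add((ev["src"], ev["dst"], ev["proto"], ev["fc"]))
        fcs_by_src[ev["src"]].add(ev["fc"])
    return {"flows": flows, "fcs_by_src": dict(fcs_by_src)}


def detect(events, baseline):
    """Return one alert per event that departs from the learned baseline."""
    alerts = []
    for ev in events:
        reasons = []
        key = (ev["src"], ev["dst"], ev["proto"], ev["fc"])
        if ev["src"] not in baseline["fcs_by_src"]:
            reasons.append("source host never seen in baseline")
        elif key not in baseline["flows"]:
            reasons.append("flow not in baseline")
            if ev["fc"] not in baseline["fcs_by_src"][ev["src"]]:
                kind = "write" if ev["fc"] in WRITE_FCS else "read"
                reasons.append(f"host has never issued fc={ev['fc']} ({kind})")
        if reasons:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                           "fc": ev["fc"], "reasons": reasons})
    return alerts


def run_example():
    """Learn from the training window, then check the live window."""
    base_events, _ = parse(BASELINE_LOG)
    baseline = learn_baseline(base_events)
    live_events, skipped = parse(LIVE_LOG)
    return detect(live_events, baseline), skipped


if __name__ == "__main__":
    alerts, skipped = run_example()
    print(f"skipped {skipped} malformed line(s)")
    for a in alerts:
        print(a["ts"], a["src"], "->", a["dst"], f"fc={a['fc']}", "; ".join(a["reasons"]))
```

Two caveats follow directly from the approach. The baseline is only as good as the training window: an intruder who is already active while “normal” is being learned becomes part of normal, so the window has to be reviewed before it is trusted. And legitimate engineering changes will trip the same alerts as an attack, so the baseline needs a controlled update process rather than being silently re-learned.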
The updated order includes three key changes: report confirmed and potential cybersecurity incidents to DHS (via CISA); designate a cybersecurity coordinator who is available 24 hours a day, seven days a week; and review current practices and identify any gaps.
According to Moore, these owners and operators, who mostly lack a cybersecurity coordinator, are supposed to jump from silos of data without a security platform to reporting confirmed and potential incidents. “How should anyone report on a potential incident – and then what’s the response? Hopefully their appendix B on TSA notification criteria is updated to include cybersecurity incidents in the new update,” he says. “Lastly, it’s a little sad that ransomware was the trigger for this action. While important and dangerous, ransomware is simply a product of an upstream failure; a compromise of an endpoint or credential.”
“The next, and more meaningful, phase of cyber regulation, anticipated within weeks, will include escalating penalties for companies that fail to take corrective action, and more proscriptive regulatory requirements, resulting in significantly greater scrutiny of the pipeline industry by government regulators,” says Robert Cattanach, a partner at the international law firm Dorsey & Whitney, in a statement. “Finding the resources to conduct meaningful review of this industry sector, however, will be challenging. TSA historically has not focused on either cybersecurity or pipelines and is expected to rely heavily on CISA for the cyber expertise component; it remains unclear how TSA will develop the necessary expertise to oversee the pipeline industry itself.”