Following the ransomware attack on the Colonial Pipeline, DHS and CISA have released a new Security Directive for critical pipeline operators. More are likely to follow.
On May 27th, the United States Department of Homeland Security announced its initial regulatory response to the Colonial Pipeline ransomware attack. As the Security Directive highlighted, this is only the first step in what is likely to be a much more robust set of regulatory changes to improve the cyber security of the nation’s critical pipeline infrastructure.
This first directive has significant implications for pipeline operators. Not only does it require disclosure and reporting of incidents, but, importantly, it makes what was a set of voluntary cyber security measures mandatory and auditable. This begins what will likely become a more rigorous compliance regime for pipeline operators.
What is in the May 27th Security Directive?
DHS and CISA released the Pipeline Security Directive. “The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
The order has three components.
1. Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA)
This requires that pipeline companies build an incident response capability, which is included in the recommended cyber security elements of the original DHS May 2018 security release. This order adds the requirement to share any cyber incidents with CISA.
2. Designate a Cybersecurity Coordinator to be available 24x7
3. Review current cybersecurity practices and identify any gaps as well as related remediation measures and report those to TSA within 30 days
This third component refers back to the March 2018 (updated in April 2021) Pipeline Security Guidelines, which were only recommendations. This directive implies they will now become mandatory. This is likely the most significant part of the order, as it begins a regime of more compliance requirements. These recommendations are a relatively comprehensive list of security controls and will likely require significant effort for many pipeline operators to achieve.
Perhaps most importantly, the directive makes clear that this is the first step in what is likely to be a more extensive set of requirements over the coming months.
How to review the current pipeline cybersecurity practices?
As mentioned, TSA released a set of security guidelines in 2018 and then updated them in April of this year. These guidelines will form the basis of any review for a pipeline operator. So, the first question is: what are the cyber security controls included in the current TSA pipeline recommendations?
TSA constructs its recommendations into the same categories as the NIST Cybersecurity Framework of Identify-Protect-Detect-Respond-Recover. TSA then narrowed the traditional NIST components to a more targeted set of controls that are relevant for converged cyber-physical systems such as pipelines. We won’t try to speculate here and now as to how this list may expand in any future regulatory orders. The current list of controls will already be a challenge for many pipelines to achieve efficiently and effectively.
The list of controls is included below. As can be seen, they include both procedural and technical requirements. They do not distinguish between IT and OT systems. But the implication is that the guidelines should apply to both, with any necessary adjustments for the OT environment.
The first step is to conduct an assessment against these guidelines. Our experience is that the best means for this is a technology-enabled assessment that allows the operator to get visibility into the actual assets, networks and information of the environment. This approach can be accomplished quickly, but importantly it provides not only the gaps and roadmap but also the capability to begin remediation immediately, rather than waiting several months to implement tools and technology to remediate. (For more info, please see our Tech-enabled vulnerability assessment document.)
Steps to achieve pipeline security compliance with the DHS recommendations
Beyond the assessment, the question becomes how to make progress in overall security maturity. Many operators have not taken programmatic cyber security measures over the past 3 years since the original recommendations came out. Others have taken some steps such as segmenting IT from OT or implementing intrusion detection and/or creating employee cyber security awareness programs. Few will have a comprehensive approach to the controls listed above. Therefore, how should operators go about addressing compliance with these new requirements?
1. Begin at the beginning with a robust asset inventory.
All of the controls included in the list are grounded in the foundation of a robust asset inventory. That inventory is much more than knowing what hardware devices are on your network. It becomes the source of truth for a large portion of the rest of the requirements: software inventory, patch status, status of antivirus signatures, configuration settings and compliance with secure settings, etc. One of the things we often hear from potential clients when we first talk with them is that they use a network monitoring tool to get asset visibility. However, the “visibility” gained doesn’t provide the depth of inventory of software, users, accounts, patch status, etc. required by these compliance standards.
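To make the inventory-depth point concrete, here is an added example (not code from the original post or from Verve) that checks asset records for the fields a compliance review needs per control area. The control-to-field mapping and the two asset records are constructed for illustration and are not the TSA guideline text.

```python
# Added example: field-coverage gap check for an asset inventory.
# CONTROL_FIELDS is a constructed, illustrative mapping from a control
# area to the per-asset fields a review of that area needs.
CONTROL_FIELDS = {
    "software inventory": ["software"],
    "patch status": ["os", "patch_level"],
    "antivirus signatures": ["av_signature_date"],
    "configuration baseline": ["config_hash"],
    "user and account management": ["local_accounts"],
}


def missing_fields(asset: dict) -> dict:
    """Return {control: [missing fields]} for one asset record."""
    gaps = {}
    for control, fields in CONTROL_FIELDS.items():
        absent = [f for f in fields if asset.get(f) in (None, "", [])]
        if absent:
            gaps[control] = absent
    return gaps


def coverage_report(assets: list) -> dict:
    """Per control area, fraction of assets with every required field present."""
    report = {}
    for control in CONTROL_FIELDS:
        ok = sum(1 for a in assets if control not in missing_fields(a))
        report[control] = round(ok / len(assets), 2) if assets else 0.0
    return report


# Constructed sample records: one as a passive network monitor would see
# the device, one enriched by an endpoint-level inventory.
NETWORK_ONLY = {"hostname": "plc-gw-01", "ip": "10.10.1.5", "mac": "00:11:22:33:44:55"}
ENRICHED = {
    "hostname": "hmi-02", "ip": "10.10.1.20", "mac": "00:11:22:33:44:66",
    "os": "Windows 10", "patch_level": "2021-05", "software": ["HMI Runtime 4.2"],
    "av_signature_date": "2021-05-28", "config_hash": "abc123",
    "local_accounts": ["operator", "admin"],
}

if __name__ == "__main__":
    for name, rec in (("network-only", NETWORK_ONLY), ("enriched", ENRICHED)):
        print(name, missing_fields(rec))
    print(coverage_report([NETWORK_ONLY, ENRICHED]))
```

The network-only record fails every control area because hostname, IP and MAC say nothing about software, patch level, signatures, configuration or accounts.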
2. Think Global-Act Local.
Compliance with the DHS controls is only partially a “security” challenge. For the most part, it is an operational or labor challenge. When asked for the biggest barrier to securing cyber-physical systems, IT and OT leaders list availability of talent as the number one challenge, significantly more than budgets, technology or any other barrier. We have been helping customers with compliance for NERC CIP or other controls regimes for almost 15 years. Efficiency of approach separates the successful ones from the less successful.
Achieving these controls therefore requires an approach we call “think global-act local”. This approach centralizes the key data, analysis and reporting across all assets and all security controls in a single enterprise database. This is necessary given the limited number of security-knowledgeable resources within organizations. But these controls don’t only call for information and monitoring. They require actions such as patching, user and account management, configuration hardening, etc. In sensitive OT environments, these actions can cause operational disruptions. Therefore, the approach must enable “act local” when security actions need to be taken. This requires personnel who understand the process and its sensitivities, so that actions are executed in alignment with the process. This “think global-act local” approach enables the efficiency and operational resilience required in cyber-physical systems.
3. Focus on OT Systems Management skill development
Still, one of the questions we are asked most often is “where do we find the right people for IT-OT cyber security?” It is critical not to be distracted by the “shiny object” of fancy cyber security “artificial intelligence”, “machine learning” and/or the fancy names used by cyber security researchers like “fancy bear” and “xenotime”, etc. The key to achieving improved security maturity and compliance with the controls is OT systems management (OTSM). OTSM is a set of practices similar to those on the IT side: patch management, vulnerability management, configuration management, user and account management, etc. In fact, according to the Cyberseek database from NIST, over 75% of the jobs in cyber security are systems management jobs, rather than fancy advanced analytics or threat hunting. The good news is that these skills are more available AND they can be developed more easily within an operational organization. Furthermore, these skills can be automated more effectively.
4. Automate, Automate, Automate
Per the above, many of these tasks can be automated. To achieve maturity with these controls efficiently will require automation. Tools (such as Verve or others) can enable these security tasks to be automated. Practically no organization can afford to achieve security requirements manually.
How does Verve help increase pipeline security?
Verve has been working with pipeline operational technology for over a quarter-century. We have developed solutions, combining our unique security management software platform along with expert Verve design-for-defense solutions. Verve provides a comprehensive solution to support our clients leveraging our almost 30 years of operations controls experience. Our team can help provide assessments of the requirements to determine the gaps present as well as develop the appropriate roadmap to close these gaps. We leverage the Verve Security Center which gathers a comprehensive “360-degree” risk score that includes all of the elements of the TSA guidelines. Therefore, the assessment enables a single view and reporting of status and gaps. Most importantly, however, the Verve platform enables operators to immediately pivot from that assessment to remediating actions, instead of a long gap between assess and remediate. Verve enables a “closed-loop” approach to demonstrate maturity improvement within 30 days.
The Verve Security Center platform brings together these security elements into a single platform to drive management efficiency. If an organization has invested in prior tools, Verve integrates with dozens of tools to provide a single pane of glass for analysis and reporting.
As stated above, this all starts with the foundation of a robust inventory, but from there Verve enables all of the other security requirements.
Verve Security Management Platform
Just as importantly, Verve enables closed-loop actions to reduce the mean time-to-remediation of security risks, accelerating time-to-compliance while also making the whole process more efficient.
The Verve platform provides a range of advantages for addressing the IT-OT security risks in pipeline networks.
What’s next for Cyber Security and Pipeline Operators
May 27th 2021 marked the beginning of what will be a significantly greater regulatory regime for pipeline operators. The initial set of recommendations that are now requirements will require a new approach from many pipeline operators to achieve. Verve stands ready to help our nation’s infrastructure operators increase their cyber security maturity and readiness with our combination of software and services.