TSA Pipeline Cyber Security Directive is a Strong First Step

Following the ransomware attack on the Colonial Pipeline, DHS and CISA have released a new Security Directive for critical pipeline operators. More are likely to follow.

On May 27th, the United States Department of Homeland Security announced its initial regulatory response to the Colonial Pipeline ransomware attack. As the Security Directive highlighted, this is only the first step in what is likely to be a much more robust set of regulatory changes to improve the cyber security of the nation’s critical pipeline infrastructure.

This first directive has significant implications for pipeline operators. Not only does it require disclosure and reporting of incidents, but importantly makes what was a set of voluntary cyber security measures mandatory and auditable. This begins what will likely become a more rigorous compliance regime for pipeline operators.

What is in the May 27th Security Directive?

The order has three components.

1. Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA)

2. Designate a Cybersecurity Coordinator to be available 24x7

3. Review current cybersecurity practices and identify any gaps as well as related remediation measures and report those to TSA within 30 days

Perhaps most importantly, the directive makes clear that this is the first step in what is likely to be a more extensive set of requirements over the coming months.

How to review the current pipeline cybersecurity practices?

TSA organizes its recommendations into the same categories as the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. TSA then narrowed the traditional NIST components to a more targeted set of controls relevant to converged cyber-physical systems such as pipelines. We won’t speculate here as to how this list may expand in future regulatory orders; the current list of controls will already be a challenge for many pipeline operators to achieve efficiently and effectively.

The list of controls is included below. As can be seen, they include both procedural and technical requirements. They do not distinguish between IT and OT systems. But the implication is that the guidelines should apply to both, with any necessary adjustments for the OT environment.

The first step is to conduct an assessment against these guidelines. In our experience, the best means for this is a technology-enabled assessment that gives the operator visibility into the actual assets, networks and information of the environment. This approach can be accomplished quickly, and importantly it provides not only the gaps and a roadmap but also the capability to begin remediation immediately, rather than waiting several months to implement tools and technology to remediate. (For more information, please see our tech-enabled vulnerability assessment document.)

Steps to achieve pipeline security compliance with the DHS recommendations.

1. Begin at the beginning with a robust asset inventory.

2. Think Global-Act Local.

Achieving these controls therefore requires an approach we call “think global-act local”. This approach centralizes the key data, analysis and reporting across all assets and all security controls in a single enterprise database, which is necessary given the limited number of security-knowledgeable staff within most organizations. But these controls don’t only call for information and monitoring. They require actions such as patching, user and account management, configuration hardening, etc. In sensitive OT environments, these actions can cause operational disruptions. Therefore, the approach must enable “act local” when security actions need to be taken. This requires personnel who understand the process and its sensitivities, so that actions are executed in alignment with that process. This “think global-act local” approach delivers the efficiency and operational resilience required in cyber-physical systems.

3. Focus on OT Systems Management skill development

4. Automate, Automate, Automate

How does Verve help increase pipeline security?

The Verve Security Center platform brings together these security elements into a single platform to drive management efficiency. If an organization has invested in prior tools, Verve integrates with dozens of tools to provide a single pane of glass for analysis and reporting.

As stated above, this all starts with the foundation of a robust inventory, but from there Verve enables all of the other security requirements.

Verve Security Management Platform

As importantly, Verve enables closed-loop actions to reduce the mean time-to-remediation of security risks, accelerating time-to-compliance but also making the whole process more efficient.

The Verve platform provides a range of advantages for addressing the IT-OT security risks in pipeline networks.

What’s next for Cyber Security and Pipeline Operators

John Livingston

Originally published at https://verveindustrial.com/resources/blog/tsa-pipeline-cyber-security-directive-is-a-strong-first-step/
