Developing a Cybersecurity Plan of Action: Lessons Learned From Our Pipeline Customers
In light of the recent high-profile cyber attacks on U.S. critical infrastructure, the Biden Administration continues to take steps to safeguard this infrastructure from growing, persistent, and sophisticated cyber threats. Recently, the Administration released a 100-day initiative to improve cybersecurity across hazardous liquid and natural gas pipelines. The initiative complements the Department of Homeland Security Transportation Security Administration’s (TSA) recently released security directives that require pipeline owners and operators to implement a number of urgently needed cybersecurity protections in their IT and OT environments.
Dragos has been working closely with our pipeline customers to assess their OT cybersecurity programs, and two questions are consistently being asked that are worth sharing to better enable both the pipeline and broader ICS security community.
These two questions are:
- How do we validate that we have the right security architecture? And, then validate that our security posture won’t degrade?
- How do we maintain a strong incident response plan that isn’t just paper, but reflects real-world situations?
We take a deep dive into answering these questions below.
How to Validate Your OT Security Architecture
Having (and enhancing) visibility of your OT cybersecurity architecture is the first step in assessing the cybersecurity of your environment. As the saying goes, you can’t defend what you don’t know about. Our recent blog post on conducting architecture reviews to address the initial TSA guidelines offers a good perspective of where to focus efforts. Dragos architecture assessments focus on crown jewel analysis, program review, topology review, and building a collection management framework.
- Crown Jewel Analysis (CJA). Our CJA is focused on understanding the most critical assets as it relates to your facilities’ industrial processes – essentially a system of systems analysis to understand what a really bad day may look like, and identify key network dependencies that could be abused by an attacker or malicious software. Learn more about our CJA approach for pipeline customers.
- Program review. Our program review step focuses largely on incident response plans, threat and vulnerability management policies, asset inventory procedures, and on gaps in both documentation and enforcement.
- Topology review. Our topology review is based on design documents and then validating those documents. We do this by comparing the designs to network traffic collected by Dragos Platform to validate zones, their assets, their conduits, and firewall ruleset.
- Collection Management Framework (CMF). Finally, our last step is to take the information collected across the site(s) to understand the visibility across devices and their logs and data artifacts. This identifies dependencies in incident response plans to support a range of procedures from containment/isolation of hosts to forensics collection to network behaviors such as blocked DNS beaconing. The CMF offers validation that the architecture offers the right data to properly detect and investigate an incident in your OT environment.
How to Maintain a Realistic, Resilient Incident Response Plan
As noted above, the program review portion of the architecture assessment does include, and often focuses on, the incident response plan (IRP). While responding to intrusions, we have been able to review hundreds of IRPs over the years. This experience has allowed the Dragos Professional Services team to understand what works and doesn’t work. OT often has many stakeholders, so understanding and defining these stakeholders into roles and responsibilities is often oversimplified. Planning helps cohesion, but ultimately the IRP is just a plan.
Depending on the framework, playbooks or known procedures also exist for particular scenarios and should take into account the CMF. Dragos response efforts are consistently challenged with not having the necessary logging and artifacts to do their investigations and the CMF analysis offers a validation step of where the data gaps may exist. (The Dragos Platform can build visibility and capability in collection, but it doesn’t solve all scenarios.)
The Dragos methodology is starting to come into view. We now have identified our most critical assets in the Crown Jewels Analysis and understand what logs and data we are collecting on the hosts and with our security tools. Now we need to test it. Dragos builds our tabletop exercises to be customized scenarios where the teams are slowly walked through an attack sequence where they use their plans to detect, analyze, contain, respond, and recover. This offers asset owners a chance to gain an understanding of a realistic attack across many teams and prove out their plan itself.
The good news is that the asks Dragos is receiving from the pipeline industry are not new, they are not unique, and they are very answerable. Many of our customers are under-invested in both cybersecurity resources and technology, and doing these assessments can help with short-term tactical needs but also feed into a much more comprehensive 3-5 year security risk program.
While the Dragos Professional Services teams are positioned to help an asset owner know where they are today and give recommendations for short- and long-term plans, we ultimately need software that is mission-focused to help scale industrial cybersecurity programs.
For critical infrastructure, mission-focused solutions must help:
- identify zone-to-zone traffic communications (conduits),
- manage your assets and their vulnerability lifecycles,
- trigger and investigate threats,
- find misconfigurations, etc.
The technology should be passive and safe to use across any environment, but also must have the capability to align to or support the sharing of insights and detections with the federal government and other trusted organizations, such as information sharing and analysis organizations (ISAOs) and information sharing and analysis centers (ISACs), while preserving an organization’s right to privacy.
These mission-focused solutions must recognize that the asset owner’s data is their own and the best way to secure it is to never allow it to leave the asset owner’s facilities, offer strong anonymized data, use industry-standard formats, or frameworks such as MITRE ATT&CK for ICS. The Dragos Platform and our opt-in collective-defense solution, Neighborhood Keeper, were built with all of this in mind.
ICS Pipeline Initiative Functional Reference Guide Now Available
To help natural gas transmission pipeline owners and operators evaluate industrial control system (ICS) cybersecurity technology solutions that support the national security of critical natural gas transmission pipelines, the Oil and Natural Gas Subsector Coordinating Council (ONG-SCC) has released the ICS Pipeline Initiative Functional Reference Guide on the ONG-SCC website.
Read next blog post
Ready to put your insights into action?
Take the next steps and contact our team today.