In the United States, CISA identifies 16 critical infrastructure sectors considered vital to our economy and way of life. Energy is one of the critical sectors and is quite literally the lifeline that every other sector depends on. The energy sector is made up of the electric and oil and natural gas subsectors. While the electric subsector has for over a decade had minimum mandatory cybersecurity requirements, there have been understandable challenges in implementing similar standards for the oil and natural gas subsector.
TSA Releases Updated Pipeline Security Directive
Recently, the Transportation Security Administration (TSA), the sector-specific agency for pipeline security, examined its previous security standards and updated them to provide additional requirements specific to understanding the industrial cyber risks, operating environments, and incident response capabilities at each pipeline owner/operator. The new guidelines are built on several industry standards and guidelines, including the NIST Cybersecurity Framework, API 1164 (the third edition of which is currently under development by the American Petroleum Institute), ISA/IEC 62443, and NIST SP 800-82. Accompanying the updated Pipeline Security Guidelines was a TSA Security Directive outlining additional requirements for pipeline operators for their overall cybersecurity program. These updates and changes fall into the following categories:
- Creation of the Cybersecurity Coordinator role: Similar to other regulations, like NERC CIP, the new guidelines require a single senior role for cybersecurity. Unlike other regulations, this role has an availability requirement of “24 hours a day, seven days a week,” with at least one alternate Cybersecurity Coordinator designated. This role is to be the primary point of contact with TSA and the Cybersecurity and Infrastructure Security Agency (CISA).
- Asset management and criticality: The Pipeline Security Guidelines identify “Baseline and Enhanced” security measures based on a cyber asset identification scheme, complete with recurring tasks, a complete corporate security plan, and specific requirements for industrial control systems.
- Cyber risk, vulnerability, and gap assessments: Both the Security Directive and the Guidelines require a series of assessments, including understanding the overall cyber risk across the organization, identifying potential associated vulnerabilities, and developing remediation plans for any identified gaps.
- Incident response and reporting: Asset owners and operators now have a 12-hour window to report a cyber and/or physical incident impacting their IT and OT systems to CISA. Any incident report must have a minimum set of information, including:
  - IP addresses,
  - Domain names,
  - Compromised accounts,
  - Impact on IT/OT systems and operations, and
  - Response activities.

  Incident types include unauthorized access, discovery of malicious software, DoS, physical attacks, and anything else that “has the potential to cause operational disruption.”
All of these changes imply a mature level of understanding across a pipeline OT network and associated cyber assets. The initial lift for asset owners and operators had a 30-day deadline, requiring completion by June 27. New roles, assessments, and a fundamental shift in incident response will leave even the most sophisticated ICS security team scrambling, let alone after a single month of activity. But for many, this is just the beginning. As the dust settles, and the newly dubbed Cybersecurity Coordinator pores over various reports and action plans, one question remains:
Now What? Assessing Your Pipeline Cybersecurity Gaps
Change and maturity take time. Rome was not built in a day (or even 30 days), and neither will your security program be. It is a continuous cycle of improvement. But now that these organizations have gone through a gauntlet of action-oriented tasks, it’s the perfect time to assess where things stand and build a sustainable roadmap for pipeline cybersecurity. Having worked with countless industrial organizations over the years, Dragos knows from experience that answering the following questions will help:
1. How mature are we, and how mature do we want to be?
One of the references across the Security Directive and associated Guidelines is the US Department of Energy’s Cybersecurity Framework Implementation Guidance. A key element of this document outlines the use of maturity models, like the C2M2, to establish a current profile and a target profile to achieve over a set time period. Now that asset owners and operators have performed a series of assessments, it would be the perfect time to establish an action plan for a sustainable cybersecurity program, using a “crawl, walk, run” approach as we see in maturity models. Be honest about your current capabilities and what resources will be required to hit your desired state for cybersecurity.
2. What threats do we face, and what real-world events have taken place?
One relatively mature practice involves understanding the threats you face as an organization and actively monitoring and managing those threats based on their known capabilities. However, you can start with our threat perspective for oil and natural gas operations. It provides additional context on why cybersecurity is important for safe and reliable energy by examining what Activity Groups seek to damage or harm critical infrastructure.
3. Can we respond to a really bad day?
Each asset owner and operator now has a list of “crown jewels,” ranked assets, and some security gaps. But do you know what a cyber incident would look like in your operational environment? Have you tested your incident response plan, including the new reporting requirements? How about the role of the Cybersecurity Coordinator and communications both internally and externally? Tabletop exercises can help shed light on practical (and actionable) next steps for your cybersecurity program, while further rooting the experience in reality. Pick a ransomware event, or a targeted attack from a sophisticated Activity Group, and run through a series of “what ifs” with your IT, OT, engineering, and executive teams. The results will be enlightening.
4. Do we have Asset Visibility in our OT environment?
Operationalizing your OT program requires understanding your environments and their status. This awareness goes beyond maintaining current asset inventories, network drawings, or configurations. Asset visibility means that you know what systems are on your networks, what their vulnerabilities are, who they are communicating with, and if there are suspect changes or adversarial behaviors observed in those communications. Having this level of information at your fingertips requires automation through monitoring OT networks and hosts. To learn more about the importance of the topic, you can begin with the Dragos whitepaper: 10 Ways Asset Visibility Builds the Foundation for OT Cybersecurity.
The TSA Pipeline Security Guideline update and the TSA Security Directive are just the tip of the cybersecurity iceberg. With a set of recurring activities that must occur and a keen eye on oil and natural gas operations, cybersecurity can no longer be isolated from the corporation and other enterprise-wide risks. Given how our industry must do business, we can no longer rely on “airgaps.” Instead, understanding and managing these interconnected systems has to be baked into the DNA of our operations, and this is just the start.
Hopefully, answering the questions above will help asset owners and operators further refine the activities they face after the 30-day deadline from TSA to create mature and sustainable cybersecurity programs. Some additional resources that may be useful include:
- DISC-SANS ICS Virtual Conference’s ICS Crucible: Forging Programmatic Armor and Weapons
- Dragos’s blog post exploring the Colonial Pipeline cyber attack with recommended actions for industry
- Dragos’s blog (and associated whitepaper) on industrial cyber risk
Cybersecurity is a journey, not a destination. Even with a significant push, like the one pipeline owners and operators just experienced, this is just one step on that larger journey.