The First Step in a New OT Cyber Security Regulatory Era

A week ago, Verve hosted a webinar on the topic of the coming wave of OT cyber security regulation and how organizations can both get a head start as well as achieve compliance efficiently. Well, we didn’t have to wait long for the first shoe to drop. On July 20th, CISA and TSA sent a directive to the owner/operators of critical pipelines in the United States clarifying and further defining the initial directive sent back at the end of May. This new directive was not released publicly, but from our sources, the directive contains significant new requirements for pipeline operators.

We are not here to share the details of the directive – operators themselves will have those details. But these initiatives confirm the perspective we shared in our webinar: the future of these regulations will require much greater active protection and demonstrable OT systems management than prior “advisories” did. Our view is that the ransomware and other threat actions of the past 6 months have created a groundswell of global political will to address these risks. This is most pronounced in the United States, where the Colonial Pipeline ransomware attack had a tremendous impact on the population of the east coast. However, the trend is also growing in other geographies. From Chile to Abu Dhabi, from Singapore to the United Kingdom, countries are designing new regulation and tightening current directives to ensure their critical infrastructure can be protected from foreign or local threat actors.

The July 20th TSA pipeline security directive is not the first OT cybersecurity compliance requirement, but it is a sign of the direction of things to come.

The May pipeline security directive was a very quick reaction that essentially reinforced the suggestions TSA had already provided to pipeline operators around regular internal assessments, and added requirements to name a responsible individual and to report incidents. The July pipeline security directive takes a different tone – the one we predicted in our webinar. Instead of only reporting and assessment requirements, TSA is following a model that we see becoming the norm: specific requirements for protections and remediating actions.

Almost 15 years ago, the United States introduced the NERC CIP regulatory regime for the bulk electric system. NERC CIP is a very regimented approach with a specific set of controls that can be mapped to other control models such as NIST 800-53, CIS Top 20 (now 18), etc. It is a prescriptive and auditable standard. Prescriptive in that it requires utilities to take certain actions, track certain data, and maintain specific standards. Auditable in that NERC regularly audits compliance with the prescribed controls and can penalize (fine) entities that fail to achieve consistent compliance.

The new TSA pipeline security directive is certainly prescriptive by requiring a set of security controls across an operator’s infrastructure. It is unclear at this point whether these controls will become auditable as well. But given the initial indications, it is likely this will come down the road.

What should pipeline operators do now?

And how should other industrial operators begin today to get ready for similar requirements?

1. Assign dedicated leadership for OT Systems Management

For 20+ years, IT has conducted robust systems management – vulnerability assessment, patch management, configuration management, user & account control, log management, etc. In OT, however, these “systems management” functions are often missing for a variety of reasons – lack of resources, complex legacy hardware and software environments, multiple OEM systems, distributed assets, etc. All of these compliance components require OT systems management: the ability to identify all of your assets, manage network connections, monitor missing patches, ensure configurations remain in compliance with secure standards, etc. Doing this requires leadership dedicated to managing these components. This is different from the “designated cybersecurity coordinator” that TSA’s initial security directive required. This function goes beyond coordinating to truly leading the elements of cybersecurity management that the regulations require.

2. Monitor and track pipeline security compliance globally

One of the biggest challenges we have seen in achieving OT security compliance under these more prescriptive regimes is resource constraints and cost. As the number of controls grows – user and account management, patching every X days, etc. – the resources required can grow rapidly, especially in distributed environments. One of the keys to success is establishing a platform early on that enables centralized visibility across all endpoints and networks at all operational locations. This visibility needs to provide detailed asset-level information, including: 100% of all software deployed, patch status, full configuration status, users and accounts including local users, etc. In many cases this information does not exist at all or is contained in spreadsheets at each site. It is critical to the long-term sustainability of the compliance program that the organization centralize this information for monitoring and reporting. Without it, costs escalate quickly and compliance lags.

3. Enable efficient local actions

For compliance, monitoring is not enough. You must take actions to maintain patch levels, user and account security, etc. Many OT security approaches have relied on passive monitoring of network traffic. Unfortunately for compliance, this is not sufficient: the tools and technologies have to enable actions. However, the key to a positive outcome is to automate actions without causing undue risk to the operating environment. Successful compliance organizations have deployed platforms where the key security actions are designed centrally – e.g., which patches are approved by the OEM, which ones are critical or security-related, which devices should be patched, and in what order. Those plans are then distributed to the local operations. But, importantly, the final execution of each action, whether a patch deployment or a user/account removal, is controlled by the operator closest to the process to ensure the action does not disrupt operations.
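To make the model in points 2 and 3 concrete, here is an added illustration (not Verve’s code or product): per-site inventories, standing in for the per-site spreadsheets mentioned above, are merged into one central view, checked against an assumed patch-age policy and an assumed approved-local-account baseline, and turned into a centrally designed, OEM-approved patch plan that is only executed once the local operator signs off. All asset names, patch IDs and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

PATCH_MAX_AGE_DAYS = 30                                 # assumed policy: "patch every X days"
APPROVED_LOCAL_ACCOUNTS = {"Administrator", "ot_svc"}   # assumed site baseline

@dataclass
class Asset:
    site: str
    name: str
    last_patched: date
    local_users: list           # local accounts found on the endpoint
    pending_patches: list       # (patch_id, oem_approved, security_related)

# Constructed per-site inventories (what each site would otherwise keep in a spreadsheet).
SITE_INVENTORIES = {
    "plant_a": [Asset("plant_a", "hmi-01", date(2021, 6, 1), ["Administrator", "tempuser"],
                      [("KB-0001", True, False), ("KB-0002", True, True)])],
    "plant_b": [Asset("plant_b", "eng-ws-02", date(2021, 7, 10), ["ot_svc"],
                      [("KB-0003", False, True)])],
}

def centralize(site_inventories):
    """Step 2: merge every site's records into one central asset list."""
    return [a for inv in site_inventories.values() for a in inv]

def find_gaps(assets, today):
    """Report each asset that violates the patch-age or local-account policy."""
    gaps = []
    for a in assets:
        age = (today - a.last_patched).days
        if age > PATCH_MAX_AGE_DAYS:
            gaps.append((a.site, a.name, f"patch age {age}d exceeds {PATCH_MAX_AGE_DAYS}d"))
        for user in a.local_users:
            if user not in APPROVED_LOCAL_ACCOUNTS:
                gaps.append((a.site, a.name, f"unapproved local account {user}"))
    return gaps

def plan_actions(assets):
    """Step 3, central design: only OEM-approved patches, security-related ones first.
    Every action starts with local_approved=False; the site operator flips it."""
    actions = []
    for a in assets:
        for pid, oem_ok, security in sorted(a.pending_patches, key=lambda p: not p[2]):
            if oem_ok:
                actions.append({"site": a.site, "asset": a.name, "patch": pid,
                                "security": security, "local_approved": False})
    return actions

def execute(actions):
    """Step 3, local gate: only actions the local operator approved are carried out."""
    return [x for x in actions if x["local_approved"]]
```

Running `find_gaps(centralize(SITE_INVENTORIES), date(2021, 7, 21))` flags hmi-01 twice (50-day patch age and the `tempuser` account), while `plan_actions` schedules KB-0002 before KB-0001 and drops KB-0003 because the OEM has not approved it.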

The Colonial Pipeline, JBS Meats, SolarWinds, and other events of the past 6 months have changed the game on the requirements for OT cyber security. The TSA pipeline security directive of July 20th is the first step in what we see as a significant change to regulatory regimes around the world. These will require much greater active management of OT systems to maintain compliance with items such as patching, user & account access management, log management, etc. The good news is that many operational entities are already deploying models like the one we describe here, and the resulting insight, together with increased efficiency in monitoring and remediation within OT, is creating order-of-magnitude improvements in a relatively short time.
