On May 27, 2021, the United States Department of Homeland Security announced its initial regulatory response to the Colonial Pipeline ransomware attack. As the Security Directive highlighted, this is only the first step in what is likely to be a much more robust set of regulatory changes to improve the cyber security of the nation’s critical pipeline infrastructure.
This first directive has significant implications for pipeline operators. Not only does it require disclosure and reporting of incidents, but importantly makes what was a set of voluntary cyber security measures mandatory and auditable. This is just the beginning of a more rigorous compliance regime for pipeline operators.
On July 20th, 2021, CISA and TSA sent a directive to the owner/operators of critical pipelines in the United States clarifying and further defining the initial directive from May 2021. This new directive was not released publicly, but from our sources, the directive contains significant new requirements for pipeline operators.
These initiatives confirm our initial perspective shared in a webinar on the coming wave of OT cyber security regulation, that the future of these regulations will require much greater active protection and demonstrable OT systems management than prior advisories did. Our view is that recent ransomware and other threat actors created a groundswell of global political will to address these risks. This is certainly most significant in the United States where the Colonial Pipeline ransomware attack had a tremendous impact on the population of the east coast. However, this trend is also increasing in other geographies. From Chile to Abu Dhabi, from Singapore to the United Kingdom, countries are designing new regulations and tightening current directives to ensure their critical infrastructure can be protected from foreign or local threat actors.
What is the TSA pipeline security directive?
DHS and CISA released the Pipeline Security Directive. “The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
The May 2021 pipeline security directive was a very quick reaction that essentially reinforced the suggestions that TSA already had provided to pipeline operators around regular internal assessments and added requirements around naming a responsible individual and reporting incidents. The July 2021 pipeline security directive takes a different tone. Instead of only reporting and assessment requirements, TSA is following a model that we see becoming the norm: specific requirements for protections and remediating actions.
Almost 15 years ago, the United States introduced the NERC CIP regulatory regime for the bulk electric system. NERC CIP is a very regimented approach with a specific set of controls that can be mapped to other control models such as NIST 800-53, CIS Top 20 (now 18), etc. It is a prescriptive and auditable standard. Prescriptive in that it requires utilities to take certain actions, track certain data, and maintain specific standards. Auditable in that NERC regularly audits the compliance with the prescribed controls and can penalize (fine) entities that fail to achieve consistent compliance.
The new TSA pipeline security directive is certainly prescriptive by requiring a set of security controls across an operator’s infrastructure. It is unclear at this point whether these controls will become auditable as well. But given the initial indications, it is likely this will come down the road.
The order has three components.
1. Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA)
This requires that pipeline companies build an incident response capability, which is included in the recommended cyber security elements of the original DHS May 2018 security release. This order adds the requirement to share any cyber incidents with CISA.
2. Designate a Cybersecurity Coordinator to be available 24X7
3. Review current cybersecurity practices and identify any gaps as well as related remediation measures and report those to TSA within 30 days
This third component relates back to the March 2018 (updated in April 2021) Pipeline Security Guidelines, which were only recommendations. This directive implies they will now become mandatory. This is likely the most significant part of the order as it begins a regime of more compliance requirements. These recommendations are a relatively comprehensive list of security controls and will likely require significant effort for many pipeline operators to achieve.
Perhaps most importantly, the directive makes clear that this is the first step in what is likely to be a more extensive set of requirements over the coming months.
How to review the current pipeline cybersecurity practices
As mentioned, TSA released a set of security guidelines in 2018 and then updated them in April 2021. These guidelines will form the basis of any review for pipeline operators. So, the first question is: what are the cyber security controls included in the current TSA pipeline recommendations?
TSA organizes its recommendations into the same categories as the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. TSA then narrowed the traditional NIST components to a more targeted set of controls that are relevant for converged cyber-physical systems such as pipelines. We won’t try to speculate here and now as to how this list may expand in any future regulatory orders. The current list of controls will already be a challenge for many pipelines to achieve efficiently and effectively.
The list of controls is included below. As can be seen, they include both procedural and technical requirements. They do not distinguish between IT and OT systems. But the implication is that the guidelines should apply to both, with any necessary adjustments for the OT environment.
| Baseline Security Measures | Enhanced Security Measures |
|---|---|
| Establish and document policies and procedures for assessing and maintaining configuration information, for tracking changes made to the pipeline cyber assets, and for patching/upgrading operating systems and applications. Ensure that the changes do not adversely impact existing cybersecurity controls. | Employ mechanisms to maintain accurate inventory and to detect unauthorized components. |
| Develop and maintain a comprehensive set of network/system architecture diagrams or other documentation, including nodes, interfaces, remote and third party connections, and | Review network connections periodically, including remote and third party connections. Develop a detailed inventory for every |
| Review and assess pipeline cyber asset classification as critical or non-critical at least every 12 months. | |
| Ensure that any change that adds control operations to a non-critical pipeline cyber asset results in the system being recognized as a critical pipeline cyber asset and enhanced security measures being applied. | |
| Establish and distribute cybersecurity policies, plans, processes and supporting procedures commensurate with the current regulatory, risk, legal and operational environment. | |
| Review and assess all cybersecurity policies, plans, processes, and supporting procedures regularly, not to exceed 36 months, or when there is a significant organizational or technological change. Update as necessary. | Review and assess all cybersecurity policies, plans, processes, and supporting procedures regularly, not to exceed 12 months, or when there is a significant organizational change. Update as necessary. |
| **Risk Management Strategy** | |
| Develop an operational framework to ensure coordination, communication and accountability for information security on and between the control systems and enterprise networks. | |
| Establish a process to identify and evaluate vulnerabilities and compensating security controls. | Ensure threat and vulnerability information received from information sharing forums and sources are made available to those responsible for assessing and determining the appropriate course of action. |
| Establish and enforce unique accounts for each individual user and administrator, establish security requirements for certain types of privileged accounts, and prohibit the sharing of these accounts. In instances where systems do not support unique user accounts, then implement appropriate compensating security controls (e.g., physical controls). | |
| Restrict user physical access to control systems and control networks through the use of appropriate controls. Employ more stringent identity and access management practices (e.g., authenticators, password-construct, access control). | |
| Ensure that user accounts are modified, deleted, or de-activated expeditiously for personnel who no longer require access or are no longer employed by the company. | |
| Establish and enforce access control policies for local and remote users. Procedures and controls should be in place for approving and enforcing policy for remote and third-party connections. | Monitor physical and remote user access to critical pipeline cyber assets. |
| Ensure appropriate segregation of duties is in place. In instances where this is not feasible, apply appropriate compensating security controls. | |
| Change all default passwords for new software, hardware, etc., upon installation. In instances where changing default passwords is not technically feasible (e.g., a control system with a hard-coded password), implement appropriate compensating security controls (e.g., administrative controls). | Employ mechanisms to support the management of accounts. |
| **Awareness and Training** | |
| Ensure that all persons requiring access to the organization’s pipeline cyber assets receive cybersecurity awareness training. | Provide role-based security training on recognizing and reporting potential indicators of system compromise prior to obtaining access to the critical pipeline cyber assets. |
| Establish and execute a cyber-threat awareness program for employees. This program should include practical exercises/testing. | |
| **Data Security & Information Protection** | |
| Establish and implement policies and procedures to ensure data protection measures are in place, including identifying critical data and establishing classification of different types of data, establishing specific handling procedures, and protections and disposal. | |
| Segregate and protect the pipeline cyber assets from enterprise networks and the internet using physical separation, firewalls and other protections. | |
| Regularly validate that technical controls comply with the organization’s cybersecurity policies, plans and procedures, and report results to senior management. | |
| Implement technical or procedural controls to restrict the use of pipeline cyber assets for only approved activities. | |
| **Detect: Anomalies and Events** | |
| Implement processes to generate alerts and log cybersecurity events in response to anomalous activity. Review the logs and respond to alerts in a timely manner. | |
| **Security Continuous Monitoring** | |
| Monitor for unauthorized access or the introduction of malicious code or communications. | |
| Conduct cyber vulnerability assessments as described in your risk assessment process. | Utilize independent assessors to conduct pipeline cyber security assessments. |
| Establish technical or procedural controls for cyber intrusion monitoring and detection. | |
| Perform regular testing of intrusion and malware detection processes and procedures. | |
| Establish policies and procedures for cybersecurity incident handling, analysis and reporting, including assignment of the specific roles/tasks to individuals and teams. | Conduct cybersecurity incident response exercises periodically. |
| Establish and maintain a cyber-incident response capability. | Establish and maintain a process that supports 24 hours a day cyber incident response. |
| **Respond** | |
| Report significant cyber incidents to senior management; appropriate federal, state, local, tribal, and territorial (SLTT) entities; and applicable ISAC(s). | Pipeline operators should follow the notification criteria in Appendix B. |
| Ensure the organization’s response plans and procedures include mitigation measures to help prevent further impacts. | |
| Establish a plan for the recovery and reconstitution of pipeline cyber assets within a timeframe to align with the organization’s safety and business continuity objectives. | |
| Review the organization's cyber recovery plan annually. Update as necessary. | |
Steps to achieve pipeline security compliance with the DHS recommendations
Assign leadership for OT systems management
For 20+ years, IT has conducted robust systems management – vulnerability assessment, patch management, configuration management, user & account control, log management, etc. However, in OT these “systems management” functions are often missing for a variety of reasons – lack of resources, complex legacy hardware and software environments, multiple OEM systems, distributed assets, etc. All these compliance components require OT systems management – the ability to identify all of your assets, manage network connections, monitor missing patches, ensure configurations remain in compliance with secure standards, etc.
Before you can begin making progress towards an OT systems management approach, dedicated leadership is required to manage these components. This is different from the “designated cybersecurity coordinator” that the TSA’s initial security directive required. This function goes beyond coordinating to truly leading the elements of cybersecurity management that the regulations require.
Conduct a tech-based OT vulnerability assessment
Conduct an assessment against these guidelines. Our experience is the best means for this is a technology-enabled assessment that allows the operator to gain visibility into the actual assets, networks and information of the environment. This approach can be accomplished quickly, but importantly provides not only the gaps and roadmap but also the capability to begin remediation immediately rather than to wait for several months to implement tools and technology to remediate. (For more info, please see our Tech-enabled vulnerability assessment document.)
Beyond the assessment, the question becomes how to make progress in overall security maturity. Many operators have not taken programmatic cyber security measures over the past 3 years since the original recommendations came out. Others have taken some steps such as segmenting IT from OT or implementing intrusion detection and/or creating employee cyber security awareness programs. Few will have a comprehensive approach to the controls listed above. Therefore, how should operators go about addressing compliance with these new requirements?
Gather a robust asset inventory
All of the controls included in the list are grounded in the foundation of a robust asset inventory. That inventory is much more than knowing what hardware devices are on your network. It becomes the source of truth for a large portion of the rest of the requirements: software inventory, patch status, status of antivirus signatures, configuration settings and compliance with secure settings, etc. One thing we often hear from potential clients is that they use a network monitoring tool to get asset visibility. However, the “visibility” gained doesn’t provide the depth of inventory of software, users, accounts, patch status, etc. required by these compliance standards.
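To make the "source of truth" idea concrete, here is an added example (not code from the original post or from Verve) of an inventory record that carries software, patch, antivirus, local-account and configuration state per asset, and derives compliance gaps from it. Everything in it is constructed for illustration: the hostnames, sites, the secure-settings baseline, the 30-day signature age limit, the generic account names, and the patch IDs (placeholders, not real advisories).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One endpoint record in the central inventory (constructed fields)."""
    hostname: str
    site: str
    critical: bool                        # TSA critical / non-critical classification
    software: Dict[str, str]              # product name -> version reported by the endpoint
    missing_patches: List[str]            # approved patch IDs not yet installed
    av_signature_date: Optional[date]     # None: no antivirus, or signature status unknown
    local_accounts: List[str]             # local user accounts present on the device
    config: Dict[str, bool]               # selected configuration settings


# Constructed organisation baseline: secure settings every endpoint must match,
# maximum antivirus signature age, and generic account names that indicate sharing.
SECURE_BASELINE = {"smb_v1": False, "remote_desktop": False, "default_password_changed": True}
SIGNATURE_MAX_AGE_DAYS = 30
SHARED_ACCOUNT_NAMES = {"operator", "admin", "engineer"}


def find_gaps(asset: Asset, today: date) -> Dict[str, List[str]]:
    """Map each control area to the findings for one asset (empty dict = compliant)."""
    gaps: Dict[str, List[str]] = {}
    if asset.missing_patches:
        gaps["patch_management"] = [f"missing {p}" for p in asset.missing_patches]
    if asset.av_signature_date is None:
        gaps["malware_protection"] = ["no antivirus signatures reported"]
    else:
        age = (today - asset.av_signature_date).days
        if age > SIGNATURE_MAX_AGE_DAYS:
            gaps["malware_protection"] = [f"signatures {age} days old"]
    shared = sorted(SHARED_ACCOUNT_NAMES & set(asset.local_accounts))
    if shared:
        gaps["account_management"] = [f"shared/generic local account '{a}'" for a in shared]
    drift = [k for k, v in SECURE_BASELINE.items() if asset.config.get(k) != v]
    if drift:
        gaps["configuration"] = [f"setting '{k}' deviates from baseline" for k in drift]
    return gaps


def inventory_report(assets: List[Asset], today: date) -> Dict[str, dict]:
    """Fleet-wide gap report keyed by hostname, critical assets first; compliant assets are omitted."""
    report: Dict[str, dict] = {}
    for a in sorted(assets, key=lambda x: (not x.critical, x.site, x.hostname)):
        gaps = find_gaps(a, today)
        if gaps:
            report[a.hostname] = {"site": a.site, "critical": a.critical, "gaps": gaps}
    return report


# Constructed sample inventory; patch IDs are placeholders, not real advisories.
TODAY = date(2021, 7, 30)
SAMPLE_ASSETS = [
    Asset("hmi-01", "compressor-station-a", True, {"HMI Runtime": "8.1"},
          ["KB-PLACEHOLDER-1"], date(2021, 4, 1), ["operator", "jdoe"],
          {"smb_v1": True, "remote_desktop": False, "default_password_changed": True}),
    Asset("hist-01", "control-center", True, {"Historian": "5.2"},
          [], date(2021, 7, 15), ["svc_hist"],
          {"smb_v1": False, "remote_desktop": False, "default_password_changed": True}),
    Asset("eng-ws-02", "compressor-station-b", False, {"Engineering Tool": "3.0"},
          [], None, ["admin"],
          {"smb_v1": False, "remote_desktop": True, "default_password_changed": False}),
]

if __name__ == "__main__":
    for host, entry in inventory_report(SAMPLE_ASSETS, TODAY).items():
        flag = "CRITICAL" if entry["critical"] else "non-critical"
        print(f"{host} ({entry['site']}, {flag})")
        for area, findings in entry["gaps"].items():
            print(f"  {area}: {'; '.join(findings)}")
```

The point of the structure is that a passive network monitor would see all three hosts as "present", while the endpoint-level record shows that one critical HMI has a missing patch, stale signatures, a shared operator account and a drifted setting, and that the non-critical workstation has no antivirus at all.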
Think Global: Act Local
Monitor and track pipeline security compliance on a global scale
One of the biggest challenges in achieving OT security compliance in more prescriptive regimes is resource constraints and cost. As the number of controls grows (user and account management, patching every X days, etc.), the resources needed grow rapidly, especially in distributed environments. One of the keys to success is establishing a platform early on that can enable centralized visibility across all endpoints and networks across all operational locations. This visibility needs to provide detailed asset-level information including: 100% of all software deployed, patch status, full configuration status, users and accounts including local users, etc. In many cases, this information does not exist at all or is contained in spreadsheets at each site. It is critical to the long-term sustainability of the compliance program that the organization centralize this information for monitoring and reporting. Without it, the costs escalate quickly and the compliance lags.
Enable efficient local actions
For compliance, monitoring is not enough. You must take actions to maintain patch levels, users, and account security, etc. Many OT security approaches have relied on passive monitoring of network traffic. Unfortunately for compliance, this is not sufficient. The tools and technologies have to enable actions. However, the key to a positive outcome is to automate actions without causing undue risk to the operating environment. Successful compliance organizations have deployed platforms where the key security actions can be designed centrally – e.g., what patches are approved by the OEM, which ones are critical or security-related, what devices should be patched, and in what order. Then those are distributed to the local operations. But, importantly, the final execution of those actions whether it be a patch deployment or a user/account removal, etc. is controlled by the operator closest to the process to ensure the action does not disrupt operations.
Compliance with the DHS controls is only partially a “security” challenge. For the most part, it is an operational or labor challenge. When asked for the biggest barrier to securing cyber physical systems, IT and OT leaders list availability of talent as the number one challenge – significantly more than budgets or technology or any other barrier. We have been helping customers with compliance for NERC CIP or other controls regimes for almost 15 years. Efficiency of approach separates the successful ones from the less successful.
To achieve these controls, therefore, requires an approach we call “Think Global: Act Local”. This approach centralizes the key data, analysis, and reporting across all assets and all security controls in a single enterprise database. This is necessary given the limited number of security knowledgeable resources within organizations. But these controls don’t only call for information and monitoring. They require actions such as patching, user and account management, configuration hardening, etc. These actions, in sensitive OT environments, can cause operational disruptions. Therefore, the approach must enable “act local” when security actions need to be taken. This requires personnel that understand the process and its sensitivities to be certain actions are executed in alignment with the process. This “think global-act local” approach enables the efficiency and operational resilience required in cyber-physical systems.
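The "design centrally, execute locally" pattern from the two preceding sections, as an added example that is not Verve's code or part of the original post: the central team decides which patches the OEM has approved, which are security-related, and the device order; the plan is split into per-site queues; and a local executor runs only the specific actions the site operator has approved, deferring the rest. Sites, device names, roles, the OEM approval list and the patch IDs (placeholders) are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Action:
    """One remediation action the central team has designed for a site to execute."""
    site: str
    device: str
    role: str        # "standby" or "primary", from the inventory record
    kind: str        # "patch" or "remove_account"
    target: str      # patch ID or account name
    priority: int    # 1 = security-related, scheduled first


# Central ("think global") decisions, all constructed for the example:
# which patches each OEM has approved for its product, which are security-related,
# and the rule that standby devices are patched before primary ones.
OEM_APPROVED_PATCHES = {"HMI Runtime 8.1": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}}
SECURITY_PATCHES = {"KB-PLACEHOLDER-1"}
ROLE_ORDER = {"standby": 0, "primary": 1}


def build_central_plan(inventory: List[dict]) -> List[Action]:
    """Turn central inventory records into an ordered list of approved actions."""
    actions: List[Action] = []
    for rec in inventory:
        approved = OEM_APPROVED_PATCHES.get(rec["software"], set())
        for patch in rec["missing_patches"]:
            if patch not in approved:
                continue  # never schedule a patch the OEM has not approved for this product
            prio = 1 if patch in SECURITY_PATCHES else 2
            actions.append(Action(rec["site"], rec["device"], rec["role"], "patch", patch, prio))
        for acct in rec["accounts_to_remove"]:
            actions.append(Action(rec["site"], rec["device"], rec["role"], "remove_account", acct, 1))
    return sorted(actions, key=lambda a: (a.priority, ROLE_ORDER[a.role], a.site, a.device, a.target))


def distribute(plan: List[Action]) -> Dict[str, List[Action]]:
    """Split the central plan into one work queue per site."""
    queues: Dict[str, List[Action]] = {}
    for a in plan:
        queues.setdefault(a.site, []).append(a)
    return queues


class LocalExecutor:
    """'Act local': an action runs only if the site operator approved that specific action."""

    def __init__(self, site: str, queue: List[Action]):
        self.site = site
        self.queue = list(queue)

    def run(self, operator_decisions: Dict[Tuple[str, str], bool]) -> Tuple[List[Action], List[Action]]:
        """operator_decisions maps (device, target) -> approved; anything unapproved is deferred, not run."""
        executed: List[Action] = []
        deferred: List[Action] = []
        for a in self.queue:
            if operator_decisions.get((a.device, a.target), False):
                executed.append(a)   # a real implementation would invoke the patch/account tooling here
            else:
                deferred.append(a)   # stays queued for the next maintenance window
        return executed, deferred


# Constructed central inventory extract; sites, devices and patch IDs are placeholders.
SAMPLE_INVENTORY = [
    {"site": "station-a", "device": "hmi-primary", "role": "primary", "software": "HMI Runtime 8.1",
     "missing_patches": ["KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2", "KB-PLACEHOLDER-9"],
     "accounts_to_remove": ["jdoe"]},
    {"site": "station-a", "device": "hmi-standby", "role": "standby", "software": "HMI Runtime 8.1",
     "missing_patches": ["KB-PLACEHOLDER-1"], "accounts_to_remove": []},
    {"site": "station-b", "device": "eng-ws", "role": "primary", "software": "Engineering Tool 3.0",
     "missing_patches": ["KB-PLACEHOLDER-1"], "accounts_to_remove": ["admin"]},
]

if __name__ == "__main__":
    queues = distribute(build_central_plan(SAMPLE_INVENTORY))
    # The station-a operator approves only the standby patch and the account removal this window.
    done, held = LocalExecutor("station-a", queues["station-a"]).run(
        {("hmi-standby", "KB-PLACEHOLDER-1"): True, ("hmi-primary", "jdoe"): True})
    print("executed:", [(a.device, a.kind, a.target) for a in done])
    print("deferred:", [(a.device, a.kind, a.target) for a in held])
```

Two details carry the operational-safety argument: the unapproved patch (and any patch for a product the OEM list does not cover) never enters the plan, and the default for any action the local operator has not explicitly approved is to defer, so a central mistake cannot push a change onto a running process.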
Focus on OT Systems Management skill development
Still, one of the questions we are asked most often is “where do we find the right people for IT-OT cyber security?” It is critical not to be distracted by the “shiny object” of fancy cyber security “artificial intelligence”, “machine learning” and/or the fancy names used by cyber security researchers like “fancy bear” and “xenotime”, etc. The key to achieving improved security maturity and compliance with the controls is OT systems management (OTSM). OTSM is a set of practices similar to those on the IT side: patch management, vulnerability management, configuration management, user and account management, etc. In fact, according to the Cyberseek database from NIST, over 75% of the jobs in cyber security are systems management jobs, rather than fancy advanced analytics or threat hunting. The good news is that these skills are more available AND they can be developed more easily within an operational organization. Furthermore, these skills can be automated more effectively.
Per the above, many of these tasks can be automated. To achieve maturity with these controls efficiently will require automation. Tools (such as Verve or others) enable these security tasks to be automated. Practically no organization can afford to achieve security requirements manually.
Improve pipeline security
Verve has worked with pipeline operational technology for over a quarter-century. We have developed solutions, combining our unique security management software platform along with expert Verve design-for-defense solutions. Verve provides a comprehensive solution to support our clients leveraging our almost 30 years of operations controls experience. Our team provides assessments of the requirements to determine the gaps present as well as develop the appropriate roadmap to close these gaps. We leverage the Verve Security Center which gathers a comprehensive “360-degree” risk score that includes all of the elements of the TSA guidelines. Therefore, the assessment enables a single view and reporting of status and gaps. Most importantly, the Verve platform enables operators to immediately pivot from that assessment to remediating actions, instead of a long gap between assessing and remediating. Verve enables a “closed-loop” approach to demonstrate maturity improvement within 30 days.
The Verve Security Center platform brings together these security elements into a single platform to drive management efficiency. If an organization has invested in prior tools, Verve integrates with dozens of tools to provide a single pane of glass for analysis and reporting.
As stated above, this all starts with the foundation of a robust inventory, but from there Verve enables all of the other security requirements.
Verve Security Management Platform
Verve enables closed-loop actions to reduce the mean time-to-remediation of security risks, accelerating time-to-compliance but also making the whole process more efficient.
The Verve platform provides a range of advantages for addressing the IT-OT security risks in pipeline networks.
| Advantage | Benefits |
|---|---|
| DEEP ASSET VISIBILITY WITH NO HARDWARE | No need for expensive SPANs/taps; lower-cost deployment. Go directly to the asset to gain a deeper view, not just what is on the wire. |
| BETTER RISK MANAGEMENT | 360-degree risk score for each asset (patch, vulnerabilities, users/accounts, A/V status, etc.). Enables trade-offs of best risk remediation. |
| RAPID RESPONSE REMEDIATION WITH INTEGRATED ACTIONS | Integrated patch, configuration, software, user, and other remediation actions. Faster mean time to remediation. |
| LOWER LABOR COSTS | Centralize analysis of all endpoints (and integrate with enterprise IT), but enable local control over actions. Lower TCO with more efficient analysis. |
| OPERATIONALLY SAFE & EFFICIENT | Built-in ICS safeguards and operational benefits such as improved network system reliability. Ensures greater uptime as a by-product. |
What’s next for cyber security and pipeline operators
May 27th, 2021 marked the beginning of what will be a significantly greater regulatory regime for pipeline operators. The initial set of recommendations that are now requirements will force many pipeline operators to adopt a new approach, including greater active management of OT systems to maintain compliance with items such as patching, user & account access management, log management, etc. Many operational entities are already deploying models like OTSM and have increased efficiencies in monitoring and remediation within OT in a relatively short time.