On May 27th, the United States Department of Homeland Security announced its initial regulatory response to the Colonial Pipeline ransomware attack. As the Security Directive highlighted, this is only the first step in what is likely to be a much more robust set of regulatory changes to improve the cyber security of the nation’s critical pipeline infrastructure.
This first directive has significant implications for pipeline operators. Not only does it require disclosure and reporting of incidents, but, more importantly, it makes what was a set of voluntary cyber security measures mandatory and auditable. This begins what will likely become a more rigorous compliance regime for pipeline operators.
What is in the May 27th Security Directive?
DHS and CISA released the Pipeline Security Directive. “The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
The order has three components.
1. Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA)
This requires that pipeline companies build an incident response capability, which is already included among the recommended cyber security elements of the original DHS May 2018 security release. This order adds the requirement to share any cyber incidents with CISA.
2. Designate a Cybersecurity Coordinator to be available 24x7
3. Review current cybersecurity practices and identify any gaps as well as related remediation measures, and report those to TSA within 30 days.
This final directive relates back to the March 2018 (updated in April 2021) Pipeline Security Guidelines — which were only recommendations. This directive implies they will now become mandatory. This is likely the most significant part of the order as it begins a regime of more compliance requirements. These recommendations are a relatively comprehensive list of security controls and will likely require significant effort for many pipeline operators to achieve.
Perhaps most importantly, the directive makes clear that this is the first step in what is likely to be a more extensive set of requirements over the coming months.
How to review current pipeline cybersecurity practices
As mentioned, TSA released a set of security guidelines in 2018 and then updated them in April of this year. These guidelines will form the basis of any review for a pipeline operator. So, the first question is: what cyber security controls are included in the current TSA pipeline recommendations?
TSA organizes its recommendations into the same categories as the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. TSA then narrowed the traditional NIST components to a more targeted set of controls that are relevant for converged cyber-physical systems such as pipelines. We won’t try to speculate here and now as to how this list may expand in any future regulatory orders. The current list of controls will already be a challenge for many pipelines to achieve efficiently and effectively.
The list of controls is included below. As can be seen, they include both procedural and technical requirements. They do not distinguish between IT and OT systems. But the implication is that the guidelines should apply to both, with any necessary adjustments for the OT environment.
| Baseline Security Measures | Enhanced Security Measures |
|---|---|
| Establish and document policies and procedures for assessing and maintaining configuration information, for tracking changes made to the pipeline cyber assets, and for patching/upgrading operating systems and applications. Ensure that the changes do not adversely impact existing cybersecurity controls. | Employ mechanisms to maintain accurate inventory and to detect unauthorized components. |
| Develop and maintain a comprehensive set of network/system architecture diagrams or other documentation, including nodes, interfaces, remote and third party connections, and | Review network connections periodically, including remote and third party connections. Develop a detailed inventory for every |
| Review and assess pipeline cyber asset classification as critical or non-critical at least every 12 months. | |
| Ensure that any change that adds control operations to a non-critical pipeline cyber asset results in the system being recognized as a critical pipeline cyber asset and enhanced security measures being applied. | |
| Establish and distribute cybersecurity policies, plans, processes and supporting procedures commensurate with the current regulatory, risk, legal and operational environment. | |
| Review and assess all cybersecurity policies, plans, processes, and supporting procedures regularly, not to exceed 36 months, or when there is a significant organizational or technological change. Update as necessary. | Review and assess all cybersecurity policies, plans, processes, and supporting procedures regularly, not to exceed 12 months, or when there is a significant organizational change. Update as necessary. |
| Risk Management Strategy | |
| Develop an operational framework to ensure coordination, communication and accountability for information security on and between the control systems and enterprise networks. | |
| Establish a process to identify and evaluate vulnerabilities and compensating security controls. | Ensure threat and vulnerability information received from information sharing forums and sources are made available to those responsible for assessing and determining the appropriate course of action. |
| Establish and enforce unique accounts for each individual user and administrator, establish security requirements for certain types of privileged accounts, and prohibit the sharing of these accounts. In instances where systems do not support unique user accounts, then implement appropriate compensating security controls (e.g., physical controls). | |
| Restrict user physical access to control systems and control networks through the use of appropriate controls. | Employ more stringent identity and access management practices (e.g., authenticators, password-construct, access control). |
| Ensure that user accounts are modified, deleted, or de-activated expeditiously for personnel who no longer require access or are no longer employed by the company. | |
| Establish and enforce access control policies for local and remote users. Procedures and controls should be in place for approving and enforcing policy for remote and third-party connections. | Monitor physical and remote user access to critical pipeline cyber assets. |
| Ensure appropriate segregation of duties is in place. In instances where this is not feasible, apply appropriate compensating security controls. | |
| Change all default passwords for new software, hardware, etc., upon installation. In instances where changing default passwords is not technically feasible (e.g., a control system with a hard-coded password), implement appropriate compensating security controls (e.g., administrative controls). | Employ mechanisms to support the management of accounts. |
| Awareness and Training | |
| Ensure that all persons requiring access to the organization’s pipeline cyber assets receive cybersecurity awareness training. | Provide role-based security training on recognizing and reporting potential indicators of system compromise prior to obtaining access to the critical pipeline cyber assets. |
| Establish and execute a cyber-threat awareness program for employees. This program should include practical exercises/testing. | |
| Data Security & Information Protection | |
| Establish and implement policies and procedures to ensure data protection measures are in place, including identifying critical data and establishing classification of different types of data, establishing specific handling procedures, and protections and disposal. | |
| Segregate and protect the pipeline cyber assets from enterprise networks and the internet using physical separation, firewalls and other protections. | |
| Regularly validate that technical controls comply with the organization’s cybersecurity policies, plans and procedures, and report results to senior management. | |
| Implement technical or procedural controls to restrict the use of pipeline cyber assets for only approved activities. | |
| Detect: Anomalies and Events | |
| Implement processes to generate alerts and log cybersecurity events in response to anomalous activity. Review the logs and respond to alerts in a timely manner. | |
| Security Continuous Monitoring | |
| Monitor for unauthorized access or the introduction of malicious code or communications. | |
| Conduct cyber vulnerability assessments as described in your risk assessment process. | Utilize independent assessors to conduct pipeline cyber security assessments. |
| Establish technical or procedural controls for cyber intrusion monitoring and detection. | |
| Perform regular testing of intrusion and malware detection processes and procedures. | |
| Establish policies and procedures for cybersecurity incident handling, analysis and reporting, including assignment of the specific roles/tasks to individuals and teams. | Conduct cybersecurity incident response exercises periodically. |
| Establish and maintain a cyber-incident response capability. | Establish and maintain a process that supports 24 hours a day cyber incident response. |
| Respond | |
| Report significant cyber incidents to senior management; appropriate federal, state, local, tribal, and territorial (SLTT) entities; and applicable ISAC(s). | Pipeline operators should follow the notification criteria in Appendix B. |
| Ensure the organization’s response plans and procedures include mitigation measures to help prevent further impacts. | |
| Establish a plan for the recovery and reconstitution of pipeline cyber assets within a timeframe to align with the organization’s safety and business continuity objectives. | |
| Review the organization's cyber recovery plan annually. Update as necessary. | |
The first step is to conduct an assessment against these guidelines. In our experience, the best means for this is a technology-enabled assessment that gives the operator visibility into the actual assets, networks and information of the environment. This approach can be accomplished quickly and, importantly, provides not only the gaps and roadmap but also the capability to begin remediation immediately, rather than waiting several months to implement tools and technology to remediate. (For more info, please see our Tech-enabled vulnerability assessment document.)
Steps to achieve pipeline security compliance with the DHS recommendations.
Beyond the assessment, the question becomes how to make progress in overall security maturity. Many operators have not taken programmatic cyber security measures over the past 3 years since the original recommendations came out. Others have taken some steps such as segmenting IT from OT or implementing intrusion detection and/or creating employee cyber security awareness programs. Few will have a comprehensive approach to the controls listed above. Therefore, how should operators go about addressing compliance with these new requirements?
1. Begin at the beginning with a robust asset inventory.
All of the controls included in the list are grounded in the foundation of a robust asset inventory. That inventory is much more than knowing what hardware devices are on your network. It becomes the source of truth for a large portion of the rest of the requirements: software inventory, patch status, status of antivirus signatures, configuration settings and compliance with secure settings, etc. One of the things we often hear from potential clients when we first talk with them is that they use a network monitoring tool to get asset visibility. However, the “visibility” gained doesn’t provide the depth of inventory of software, users, accounts, patch status, etc. required by these compliance standards.
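To show how an inventory with that depth feeds the controls in the table above, here is an added Python example (not Verve’s code and not TSA text) that runs a constructed inventory against several of the quoted measures: the non-critical-to-critical reclassification rule, the 12-month classification review, unique and deactivated accounts, and default passwords with or without compensating controls. The dataclass fields, asset names and values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

CLASSIFICATION_REVIEW_DAYS = 365  # page: reassess critical/non-critical at least every 12 months

@dataclass
class Account:
    user: str
    active: bool
    still_employed: bool
    shared: bool = False  # one login used by several people

@dataclass
class Asset:
    name: str
    recorded_class: str            # "critical" or "non-critical" as the inventory records it
    has_control_operations: bool   # does the asset now perform control operations?
    class_reviewed: date           # last critical/non-critical review
    default_passwords_changed: bool
    compensating_controls: bool    # e.g. administrative or physical controls where passwords can't change
    accounts: list = field(default_factory=list)

def effective_class(asset: Asset) -> str:
    """A change that adds control operations makes the asset critical, whatever the record says."""
    return "critical" if asset.has_control_operations else asset.recorded_class

def gaps(asset: Asset, today: date) -> list:
    """Findings for one asset against the baseline measures quoted in the table above."""
    found = []
    if asset.recorded_class != effective_class(asset):
        found.append("reclassify as critical pipeline cyber asset; apply enhanced measures")
    if (today - asset.class_reviewed).days > CLASSIFICATION_REVIEW_DAYS:
        found.append("classification review overdue (>12 months)")
    if not (asset.default_passwords_changed or asset.compensating_controls):
        found.append("default passwords unchanged and no compensating control")
    for acct in asset.accounts:
        if acct.shared:
            found.append(f"shared account '{acct.user}' breaks the unique-account rule")
        if acct.active and not acct.still_employed:
            found.append(f"deactivate account '{acct.user}' (no longer employed)")
    return found

def gap_report(inventory: list, today: date) -> dict:
    """Asset name -> findings; assets that pass every check are omitted."""
    return {a.name: g for a in inventory if (g := gaps(a, today))}

# Constructed sample inventory: illustrative names and values, not real data.
TODAY = date(2021, 6, 15)
SAMPLE_INVENTORY = [
    Asset("plc-station-07", "non-critical", True, date(2020, 1, 10), False, False,
          [Account("operator", True, True, shared=True)]),
    Asset("hmi-control-room", "critical", True, date(2021, 3, 1), True, False,
          [Account("jdoe", True, False), Account("asmith", True, True)]),
    Asset("eng-workstation-2", "non-critical", False, date(2021, 5, 20), True, False),
]
```

A network-monitoring view alone would not populate the account, password or classification fields this check depends on, which is the gap the paragraph above describes.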
2. Think Global-Act Local.
Compliance with the DHS controls is only partially a “security” challenge. For the most part, it is an operational or labor challenge. When asked for the biggest barrier to securing cyber physical systems, IT and OT leaders list availability of talent as the number one challenge – significantly more than budgets or technology or any other barrier. We have been helping customers with compliance for NERC CIP or other controls regimes for almost 15 years. Efficiency of approach separates the successful ones from the less successful.
To achieve these controls, therefore, requires an approach we call “think global-act local”. This approach centralizes the key data, analysis and reporting across all assets and all security controls in a single enterprise database. This is necessary given the limited number of security-knowledgeable resources within organizations. But these controls don’t only call for information and monitoring. They require actions such as patching, user and account management, configuration hardening, etc. These actions, in sensitive OT environments, can cause operational disruptions. Therefore, the approach must enable “act local” when security actions need to be taken. This requires personnel who understand the process and its sensitivities, to be certain that actions are executed in alignment with the process. This “think global-act local” approach enables the efficiency and operational resilience required in cyber physical systems.
3. Focus on OT Systems Management skill development
Still, one of the questions we are asked most often is “where do we find the right people for IT-OT cyber security?” It is critical not to be distracted by the “shiny object” of fancy cyber security “artificial intelligence”, “machine learning” and/or the fancy names used by cyber security researchers like “fancy bear” and “xenotime” etc. The key to achieving improved security maturity and compliance with the controls is OT systems management (OTSM). OTSM is a set of practices similar to those on the IT side: patch management, vulnerability management, configuration management, user and account management, etc. In fact, according to the Cyberseek database from NIST, over 75% of the jobs in cyber security are systems management jobs, rather than fancy advanced analytics or threat hunting. The good news is that these skills are more available AND they can be developed more easily within an operational organization. Furthermore, these skills can be automated more effectively.
4. Automate, Automate, Automate
Per the above, many of these tasks can be automated. To achieve maturity with these controls efficiently will require automation. Tools (such as Verve or others) can enable these security tasks to be automated. Practically no organization can afford to achieve security requirements manually.
How does Verve help increase pipeline security?
Verve has been working with pipeline operational technology for over a quarter-century. We have developed solutions combining our unique security management software platform with our expert design-for-defense services. Verve provides a comprehensive solution to support our clients, leveraging our almost 30 years of operations controls experience. Our team can help provide assessments of the requirements to determine the gaps present as well as develop the appropriate roadmap to close these gaps. We leverage the Verve Security Center, which gathers a comprehensive “360-degree” risk score that includes all of the elements of the TSA guidelines. Therefore, the assessment enables a single view and reporting of status and gaps. Most importantly, however, the Verve platform enables operators to immediately pivot from that assessment to remediating actions, instead of a long gap between assess and remediate. Verve enables a “closed-loop” approach to demonstrate maturity improvement within 30 days.
The Verve Security Center platform brings together these security elements into a single platform to drive management efficiency. If an organization has invested in prior tools, Verve integrates with dozens of tools to provide a single pane of glass for analysis and reporting.
As stated above, this all starts with the foundation of a robust inventory, but from there Verve enables all of the other security requirements.
Verve Security Management Platform
As importantly, Verve enables closed-loop actions to reduce the mean time-to-remediation of security risks, accelerating time-to-compliance but also making the whole process more efficient.
The Verve platform provides a range of advantages for addressing the IT-OT security risks in pipeline networks.
DEEP ASSET VISIBILITY WITH NO HARDWARE
- No need for expensive SPANs/taps; lower-cost deployment
- Go directly to the asset to gain a deeper view, not just what is on the wire
BETTER RISK MANAGEMENT
- 360-degree risk score for each asset (patch, vulnerabilities, users/accounts, A/V status, etc.)
- Enables trade-offs between risk remediation options
RAPID RESPONSE REMEDIATION WITH INTEGRATED ACTIONS
- Integrated patch, configuration, software, user, and other remediation actions
- Faster mean time to remediation
LOWER LABOR COSTS
- Centralized analysis of all endpoints (and integration with enterprise IT), with local control over actions
- Lower TCO with more efficient analysis
OPERATIONALLY SAFE & EFFICIENT
- Built-in ICS safeguards and operational benefits such as improved network system reliability
- Greater uptime as a by-product
What’s next for Cyber Security and Pipeline Operators
May 27th 2021 marked the beginning of what will be a significantly greater regulatory regime for pipeline operators. The initial set of recommendations that are now requirements will require a new approach from many pipeline operators to achieve. Verve stands ready to help our nation’s infrastructure operators increase their cyber security maturity and readiness with our combination of software and services.