On July 20, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration (TSA) sent a directive to the owner/operators of critical pipelines in the United States clarifying and further defining the initial directive sent back at the end of May. This new directive was not released publicly, but from our sources, the directive contains significant new regulatory requirements for pipeline operators.
The future of these regulations will require active protection and demonstrable operational technology (OT) systems management than prior advisories. Recent ransomware threats have created a groundswell of global political will to address these risks. This is certainly most significant in the United States where the Colonial Pipeline ransomware attack had a tremendous impact on the population of the East Coast.
The latest TSA pipeline security directive is not the first OT cybersecurity compliance requirement, but it is a sign of the direction of things to come.
The new regulatory environment
The initial pipeline security directive was a very quick reaction that reinforced the suggestions that TSA already provided to pipeline operators around regular internal assessments and added requirements around naming a responsible individual and reporting of incidents. The second pipeline security directive takes a different tone. Instead of reporting and producing assessment requirements, TSA is following a model that is becoming the norm: specific requirements of protections and remediating actions.
Almost 15 years ago, the United States introduced the NERC CIP regulatory regime for the bulk electric system. NERC CIP is a very regimented approach with specific set of controls that can be mapped to other control models such as NIST 800-53 and CIS Top 20 (now 18). It is a prescriptive and auditable standard in that it requires utilities to take certain actions, track certain data and maintain specific standards. Auditable in that NERC regularly audits the compliance with the prescribed controls and can penalize (fine) entities that fail to achieve consistent compliance.
The new TSA pipeline security directive is certainly prescriptive by requiring a set of security controls across an operator’s infrastructure. It is unclear at this point whether these controls will become auditable, as well. But given the initial indications, it is likely this will come down the road.
What should pipeline operators do now? And how should other industrial operators begin to get ready for similar regulatory requirements?
Assign dedicated leadership for OT systems management
For 20-plus years, information technology (IT) has conducted robust systems management – vulnerability assessment, patch management, configuration management, user & account control, log management, etc. However, in OT these “systems management” functions are often missing for a variety of reasons, such as lack of resources, complex legacy hardware and software environments, multiple original equipment manufacturer (OEM) systems and distributed assets. All these compliance components require OT systems management, or the ability to identify all your assets, manage network connections, monitor missing patches, ensure configurations remain in compliance with secure standards, etc. To do this requires leadership dedicated to managing these components. This is different from the “designated cybersecurity coordinator” that the TSA’s initial security directive required. This function goes beyond coordinating to truly leading the elements of cybersecurity management the regulations require.
Monitor and track pipeline security compliance globally
Some of the biggest challenges in achieving OT security compliance in these more prescriptive regimes are resource constraints and cost. As the number of controls grows – user and account management, patching every X days, etc.- the resources required can grow rapidly, especially in distributed environments. One of the keys to success is establishing a platform early on that enables centralized visibility across all endpoints and networks across all operational locations. This visibility needs to provide detailed asset-level information, including 100% of all software deployed, patch status, full configuration status, users and accounts including local users, etc. In many cases, this information does not exist at all or is contained in spreadsheets at each site. It is critical to the long-term sustainability of the compliance program that the organization centralizes this information for monitoring and reporting. Without it, the costs escalate quickly, and the compliance lags.
Enable efficient local actions
For compliance, monitoring is not enough. You must take actions to maintain patch levels, users and account security. Many OT security approaches have relied on passive monitoring of network traffic. Unfortunately for compliance, this is not sufficient. The tools and technologies have to enable actions. However, the key to a positive outcome is to automate actions without causing undue risk to the operating environment. Successful compliance organizations have deployed platforms where the key security actions can be designed centrally – e.g., what patches are approved by the OEM, which ones are critical or security related, what devices should be patched and in what order. Then those are distributed to the local operations. But, importantly, the final execution of those actions – whether it be a patch deployment or a user/account removal, etc. – is controlled by the operator closest to the process to ensure the action does not disrupt operations.
The Colonial Pipeline, JBS Meats, SolarWinds, and other cyber-related events in 2021 have changed the game on the requirements for OT cybersecurity. The TSA pipeline security directive is the first step in what we see as a significant change to the regulatory regimes around the world. These will require much greater active management of OT systems to maintain compliance with items such as patching, user and account access management, log management, etc. The good news is that many operational entities are already deploying models like the one we describe here, and the resulting insight as well as increased efficiencies in monitoring and remediation within OT are creating order of magnitude improvements in a relatively short time.