In 2021, in the midst of a ransomware epidemic, Colonial Pipeline suffered a historic cyberattack, which resulted in a week-long gas shortage. The incident highlighted the vulnerability of critical infrastructure to cyberattacks and catalyzed a government response including executive orders and agency directives.
With the benefit of hindsight, we now know that performance-based outcomes are a more effective approach than prescriptive requirements – a lesson that should be applied across critical infrastructure.
In the immediate aftermath of Darkside’s ransomware attack on Colonial, the Department of Homeland Security and the Transportation Security Agency issued a cybersecurity directive that required pipeline owners and operators to report breaches to the Cybersecurity and Infrastructure Security Agency, establish a cybersecurity coordinator available 24/7, review their current practices, identify any gaps, and submit a remediation plan to TSA and CISA within 30 days.
Later, the DHS published a directive that required pipeline owners and operators to implement specific mitigation techniques to protect IT and OT systems from ransomware, as well as to develop and implement a cybersecurity recovery plan and to conduct a cybersecurity architecture design review.
These initial directives were widely criticized both for being too vague and for being overly prescriptive. For example, one mandate required patching vulnerabilities, which is certainly an effective approach to mitigating attacks, but the same risk reduction could also be achieved through network segmentation and access control policies. Furthermore, many of the TSA directives seemed focused on securing IT systems, for example through the use of antivirus software, which is not always effective on OT networks.
A Focus on Outcomes
In 2022, the TSA re-issued cybersecurity requirements for pipeline owners and operators, focused on performance-based cybersecurity outcomes. These included network segmentation, access control, continuous monitoring and detection, and reducing the exploitation risk of unpatched systems.
Network segmentation can significantly limit the lateral movement of attacks – particularly from IT to OT networks. Effective access controls include meticulously managing user permissions, authentication methods and authorization levels.
Continuous monitoring provides real-time visibility into anomalous activities, unauthorized access attempts and potential threats. A patch management strategy ensures that timely updates to software and hardware components close vulnerabilities that could otherwise be exploited in an attack.
Additionally, pipeline owners and operators were required to establish and execute a TSA-approved Cybersecurity Implementation Plan, to develop and maintain a Cybersecurity Incident Response Plan, and to establish a Cybersecurity Assessment Program.
“We have pivoted over the course of these two years to become, in our view, even more effective in cybersecurity with our partners in the transportation sector,” TSA Administrator David Pekoske acknowledged during a Hack the Capitol conference in May 2023.
What Comes Next?
This year, TSA once again renewed and revised its cybersecurity requirements for pipeline owners and operators. This update requires pipeline owners and operators to submit an updated Cybersecurity Assessment Plan to TSA for review and approval, to annually report the results from previous assessments and to test at least two Cybersecurity Incident Response Plan objectives.
“Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans,” said Pekoske.
One of the most compelling lessons learned through this process is that when TSA switched from prescriptive mandates to performance-based outcomes, some of its most vocal critics were converted to some of its most staunch proponents. The TSA seems to recognize the effectiveness of its revised approach as it considers extending these directives to all of its critical infrastructure sectors.
However, just because the TSA’s revised approach has been well received and implemented by pipeline owners and operators does not mean that the hard work is done. With the most recent requirement of annual testing and reporting, it seems likely that some blind spots or gaps will be illuminated.
For instance, it can actually be quite difficult and costly to implement continuous monitoring and detection in complex OT environments. Likewise, the current cybersecurity zeitgeist is shifting toward risk and exposure management – moving beyond vulnerability management. However, considering how willing the TSA has been to revise its directives, it seems likely that it will continue to adjust its course based on the testing and reporting. In fact, the current Administration has begun to implement a combination of regulations and incentives for critical infrastructure providers, with the focus being on stringent reporting requirements.
The incentives are intended to drive critical infrastructure owners to invest in cybersecurity solutions. If things continue to go well, it seems that any critical infrastructure sector could benefit from implementing a cybersecurity plan focused on performance-based outcomes.
Shawn Taylor is Regional Technology Officer at Forescout, a supplier of cybersecurity products and services.