The Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) have released new regulations following the crippling ransomware attack on the Colonial Pipeline. The ordinance requires pipeline operators to alert the Cybersecurity and Infrastructure Security Agency of any cybersecurity incident.
Pipeline owners and operators are also required to appoint a designated coordinator to handle any issues, and to audit their systems within 30 days to ensure everything complies with cybersecurity guidelines.
Edgard Capdevielle, CEO of Nozomi Networks, is encouraged to see DHS and TSA taking action to ensure proper security measures for the oil and gas industry. Most critical infrastructure sectors do not have mandatory cyber standards, and so far this has included oil and gas.
“The requirement for mandatory reporting of violations will help highlight the scale of the problem in this sector. Cybersecurity is a team sport,” Capdevielle said in a statement. “Pipeline operators, security providers, and government need to work together as a community to share real-time threat intelligence and breach data. An open approach to information sharing will play an important role in building a more mature cyber defense.”
The distributed nature of the oil and gas sector adds to this challenge, explains Capdevielle. “It requires many different forms of connectivity and can be more difficult to secure. These environments are distributed and physically remote,” he says. “No two operators are the same in terms of the exact processes and systems they use, making it more difficult to establish a set of cybersecurity requirements that will work effectively for everyone. It will take some flexibility and collaboration to make this work.”
Capdevielle adds: “While there is a place for regulated safety requirements, we have to be careful not to put the whole burden on the victim(s). Tax incentives and government-funded centers of excellence will help ensure that operators of critical infrastructure can develop and maintain effective cybersecurity programs over time. And it’s time to take aggressive action to hold sophisticated criminal networks and threat actors accountable for their crimes,” he said. “We know, through our work with leading oil and gas companies around the world, that vendors who invest early in strong cybersecurity and resilience programs are able to respond faster, and with less financial damage, to ransomware and other cyberattacks, compared to those who wait for an incident to occur to invest in their defense.”
According to Jerome Becquart, COO of Axiad, cybersecurity is no longer a priority for only the IT team and the CIO. “In the oil and gas industries and other sectors, physical infrastructure and operational assets are now highly connected to our global networks, making them vulnerable to the same type of attacks that previously only occurred on cloud applications and digital assets,” Becquart says in a statement. “As operations digitized, many organizations have failed to do one thing: put safety first. This situation is compounded by the fact that organizations have often fallen behind in adapting their processes and still operate with an analog mindset.”
Becquart adds: “It is essential to reassess and adopt a more dynamic approach to security: identify what connects to our infrastructure, validate these are legitimate entities and guarantee the right level of access. We need to leverage the identity management best practices we use in the IT space and extend them to the operational side of our business.”
The recent attack on a pipeline was a watershed moment for regulating the safety of oil and natural gas pipelines. For years, the cybersecurity industry has warned of a “digital Pearl Harbor,” which has become more prescient as our adversaries seek to disrupt our critical infrastructure, adds Bill O’Neill, vice president of public sector at ThycoticCentrify.
“Attacks no longer just affect businesses and governments, but disrupt the way we operate as a society. Yesterday it was water, today it’s gas, tomorrow it could very well be electricity,” says O’Neill. “The pipeline incident has brought to the fore the need for cooperation between the public and private sectors on this issue, and this latest order from the Biden administration is a promising first step. However, the general mindset regarding cybersecurity needs to change at a fundamental level.”
Critical infrastructure organizations should look to modern privileged access management (PAM) solutions that leverage identities to reduce reliance on shared passwords, enforce more granular controls and stop abuse of privileged administrative access, which led to the Oldsmar and pipeline attacks, O’Neill says.
“Both incidents could have been avoided if their networks used a least privilege approach based on Zero Trust principles to verify who is requesting access, the context of the request and the risk of the access environment,” says O’Neill. “Promisingly, according to research this month, 77% of U.S. businesses are using a Zero Trust approach in their cybersecurity strategy, but there is arguably room for improvement. We hope this command will ignite critical infrastructure organizations across the United States, and perhaps even around the world, to modernize their security approaches.”
Neil Jones, cybersecurity evangelist at Egnyte, is encouraged to see the formalization of cybersecurity requirements for oil and gas pipelines, as well as the power grid. “Due to the ruptured Colonial Pipeline, many states in the southeastern United States faced frustratingly long lines at gas stations for the first time since the 1970s,” Jones says. “Next time around, the disruption could be even more serious, with a crippling impact on the US economy. Ultimately, we need to be aware of our critical infrastructure – since Stuxnet we’ve been talking about how vulnerable the United States is to potential attacks, but most of our concerns were dismissed as FUD. Colonial is an inflection point that requires higher levels of security and a commitment from the public and private sectors to infrastructure security.”
Historically, the overall approach has not been strong enough for pipelines. Previously it contained a lot of soft language such as “pipeline operators should consider the approach outlined,” without really focusing on action. This new change is a positive shift from voluntary to mandatory, but it’s still not enough, says Steve Moore, chief security strategist at Exabeam.
“Previously published guidelines, last updated in April 2021, create a lot of silos of activity, but you don’t have to have a platform for results. The language reads: ‘Implement processes to generate alerts and log cybersecurity events in response to abnormal activity. Review logs and respond to alerts in a timely manner.’ They get credit for mentioning abnormal activity, but how is normal to be known?” says Moore.
The newly updated ordinance is to include three key changes: report confirmed and potential cybersecurity incidents to DHS (CISA); appoint a cybersecurity coordinator, available 24/7; and review current practices and identify any gaps.
According to Moore, these owners and operators, who for the most part do not have a cybersecurity coordinator, are expected to move from data silos without a security platform to reporting confirmed and potential incidents. “How should someone report a potential incident – and then what is the response? Hopefully their Annex B on TSA notification criteria will be updated to include cybersecurity incidents in the new update,” he says. “Finally, it’s a bit sad that the ransomware was the trigger for this action. Although important and dangerous, ransomware is simply the product of an upstream failure; a compromise of an endpoint or credentials.”
“The next, and more significant, phase of cyber regulation – expected in a few weeks – will include increasing penalties for companies that fail to take corrective action, and more proscriptive regulatory requirements, which will bring much closer scrutiny of the sector by government regulators,” Robert Cattanach said in a statement. Cattanach is a partner at international law firm Dorsey & Whitney. “However, it will be difficult to find the resources to conduct a meaningful review of this industrial sector. TSA has historically not focused on cybersecurity or pipelines and should rely heavily on CISA for the cyber-expertise component; it is still unclear how TSA will develop the expertise to oversee the pipeline industry itself.”