In our last installment, we explored the escalation of threats to U.S. water facilities. Follow our whole Energy series for insights into trends across infrastructure, cyber threats, and regulations as electric, oil & gas, and water facilities are developing a very familiar pattern.
When it comes to regulations, you can expect a degree of push-back from participating organizations. There are two schools of thought on how to deal with this in the cybersecurity world. 1) Regulating bodies can define principles instead of practices, such as issuing a requirement to take “reasonable measures to protect data”, leaving interpretation up to individual organizations (and the courts when it’s litigated). 2) You can define very specific regulations that tell participating organizations exactly what kinds of policies, technologies, and practices they need to implement. This is called prescriptive regulation, and most CISOs find it much easier to implement. The reason is not that they don’t have preferred ways of doing things, but that it’s very hard to get your board to approve the kind of budget a CISO needs without very specific requirements. CISOs carry the burden of protecting their organizations’ integrity and business continuity, but often with less budget than they need. So, you would think that after TSA announced a second set of escalated cybersecurity requirements for key pipelines and liquefied natural gas (LNG) companies, CISOs would welcome it. Why is it causing so many waves?
To understand who is upset and why, we need to understand the reporting tree and timeline for how we got here. There are so many agencies and acronyms involved that it would be easy to get lost in the weeds. So, the key players:
Landscape of Agencies: DHS, TSA, and CISA
The Department of Homeland Security (DHS) has been responsible for public security since November 25, 2002. Their involvement in protecting pipelines from attackers is logical, as pipelines are core infrastructure for our nation’s economy and communities. Most of us think of the Transportation Security Administration (TSA) as the people who work to prevent terrorist attacks in airports and on planes across the U.S. So, their connection to pipelines needs to be understood this way: transportation depends on fuel, and fuel depends on pipelines. Therefore, TSA was tasked by DHS with ensuring pipeline security as part of the transportation supply chain. Given their hyper-focus on physical security in airports and on planes, it seems that pipelines and LNG may have taken a back seat in importance. A lesser-known body, the Cybersecurity and Infrastructure Security Agency (CISA), was formed in 2018 and is followed primarily by those who work in cybersecurity. Their role is to be informed of and understand all cyber attacks coming and going around the globe that could impact U.S. citizens, otherwise known as “threat intelligence”. CISA issues public warnings that include an overview description of attack types, likely vectors, and indicators of compromise (IOCs). IT security professionals use this information to actively hunt for potential threats in their environment, so they can minimize any potential damage. In best-case scenarios, they can take measures to get ahead of and prevent the attack. DHS oversees both TSA and CISA.
The First Pipeline Security Directives
According to the TSA website, the agency has traditionally directed Oil & Gas companies to “the Pipeline Security Information Circular, issued on September 5, 2002, by the Department of Transportation's (DOT) Office of Pipeline Safety as the primary Federal guideline for industry security.” For their part, CISA built a local application, housed on the DHS website, that pipelines can use as a self-assessment of their security posture. So, the information has been available. Until this past summer, however, there was no Ransomware Readiness Assessment (RRA) available in that tool. TSA is technically tasked with overseeing implementation and security for Oil & Gas, but CISA provides the mindshare.
How It Actually Went
It would seem that very little was done to ensure that Oil & Gas companies were complying with guidelines. Any time you have loose guidance without regular communication and proper oversight, you leave room for disaster. Organizations assume that because they are doing “something”, it’s probably enough, until someone tells them they are required to do more. As the oversight body, TSA had access to threat intelligence, and their role in U.S. security is to ensure that measures are in place to catch and prevent attacks on
As is fairly typical in these situations, however, the system seemed to be working until it became obvious that it wasn’t. Industry stakeholders were taking steps to protect key assets. TSA felt they had a handle on things, because nothing significant had gone wrong yet. Certainly, cybersecurity professionals tried to sound the alarm in years past, but without clear and public insight from TSA into exactly how serious the cybersecurity threat was, and a list of accompanying requirements, Oil & Gas professionals assumed they were doing enough.
Then the Colonial Pipeline Attack Happened
When a single ransomware attack cut off the fuel supply to millions of people on the East Coast in May 2021, the whole system came under more scrutiny. Naturally, DHS looked to TSA for answers, and it became public knowledge that TSA had done little to oversee and enforce pipeline cybersecurity controls. DHS then pulled in experts at CISA to advise TSA. The result of that collaboration was the first pipeline and liquefied natural gas (LNG) directive of 2021, released in a rush within weeks of the debilitating Colonial Pipeline attack. Included in these compliance measures are a requirement to report cybersecurity incidents to DHS within 12 hours (previously voluntary), the designation of a 24/7/365 cybersecurity coordinator at each pipeline organization to respond to incidents and coordinate with TSA, and the completion and submission of security gap assessments against TSA’s long-standing recommendations. Still, few people were upset.
TSA’s Second Directive Made Waves
There was very little frustration around the first set of requirements, so why was the second one so problematic? It was kept as a private document rather than being made public. This is not to say that no one saw the document; DHS sent it directly to owners and operators. The issue is that every other Oil & Gas organization would like to know what’s in that document, so they can anticipate what’s coming and allocate 2022 budgets accordingly. This is how cybersecurity professionals think: they like to get ahead of regulations and align spending. With the added indication from TSA that its guidelines will also be changing, one can surmise that the new guidelines will probably be aligned with the first Directive and with whatever is in the second Directive.
Further, it takes time to mitigate threats. The current system, which we now understand to be vulnerable, took decades to build, and infrastructure can’t be reengineered in a few short months. IT security professionals need lead time to begin phasing out old systems, modernizing, and rearchitecting from a security-first perspective. Everyone has to work together. As we like to say at TRUE, cybersecurity is a team sport, and that includes regulators. Regulators play a very important role in protecting national interests. They bear the responsibility of ensuring that all information reaches stakeholders as quickly, fairly, and accessibly as possible. By not releasing standards that would help everyone in the industry get on the same page, TSA is effectively stunting decision-making for next year’s cybersecurity spending in pipelines deemed not first-tier priority. CISOs rely on standards and requirements from regulators to help their boards understand why certain measures are needed, because unfortunately, most businesses still see cybersecurity as project-based, not culture-based. So, while it should be budgeted as part of overall IT spending, it’s typically not included in operational expenses. People want that one magic bullet that will make them secure overnight.
Why is Cybersecurity Budget So Hard to Get?
Cybersecurity budget challenges are not unique to this industry. They exist everywhere. However, in an industry that is self-described as “old school”, the focus is still on profitability. Their training is in markets, not in the latest developments in information technology and data protection. Cybersecurity can feel opaque to traditional businesspeople. To get the attention, support, and resulting budget from traditional businesspeople, CISOs and CIOs need to be able to communicate in very clear terms, not hypotheticals: “Regulators are forcing us to do this,” or “If these systems go down, so do our revenue streams.” It’s not at all that boards are unwilling to mitigate risk. It’s that they haven’t understood the risk. Bridging that knowledge gap in Oil & Gas would be infinitely simpler for CISOs and CIOs if they had concrete regulations to lean on when talking to boards. Bottom line, they need something to go on, and their frustration is understandable.
How Can You Prepare Without a Copy of the Directives?
Talk to a cybersecurity professional who can help you build a Cybersecurity Roadmap. I recommend finding someone who will help you stay focused on the NIST 800 series of standards for that roadmap. NIST 800 standards are fairly universal, and for good reason: they are effective. Chances are very high that if you use them as your guideline, you are going to knock out a number of the security control requirements that TSA will release over time.
It would also be wise to take a cue from what is required for electrical grids. It’s a similar concept, and attacks can have many of the same outcomes. Looking at attacks, standards, and developments over the past 5 years, it would seem that all energy providers (electrical, oil & gas, and water facilities) are headed towards a very similar set of standards and requirements. With this in mind, a cybersecurity professional will help you begin prioritizing next steps: updating Incident Response policies and procedures, managing access control, inventorying your hardware and software, implementing security monitoring, improving your patch and vulnerability management program, and so on. Again, these measures take time, and they should be undertaken in the order that makes the most sense for your individual organization.
If you would like help assessing your risk and building a Cybersecurity Roadmap, you can talk to us at any time. TRUE will even offer you a complimentary one-hour consultation with a senior member of our Risk Advisory Team.