Oil and gas infrastructure is among both the oldest and the most important critical infrastructure. In the United States, oil and gas pipelines deliver the fuel that keeps cars on the road, keeps hospitals, homes and military infrastructure powered, and keeps life in general moving as normal. The 2.6 million miles of pipeline that crisscross the country, however, were shown to be quite vulnerable to attack by the gigantic May 2021 hack of Colonial Pipeline. Apart from causing temporary gasoline shortages across much of the East Coast, the attack exposed an incredibly lax set of security guidelines and opened a new regulatory era.
In July of 2021, the Transportation Security Administration (TSA) issued rules defining a minimum standard of pipeline security, which requires companies to deploy more than three dozen common cybersecurity defenses. These measures include weekly antivirus scans, prompt security patching, strict firewalls to block malware, and adoption of multifactor authentication.
What are the TSA Pipeline Security Guidelines?
The TSA Pipeline Security Guidelines are this new, more stringent set of security measures for companies in the oil and gas sector. The directive includes various measures to enhance the security of these critical pipelines, including the adoption of a more proactive stance against cyber threats that pose a risk to national security. It requires proper mitigation of attacks and focuses on ransomware and on attacks that target access to sensitive information and operational technology systems.
What are the highlights of the Pipeline Security Guidelines?
Here are some of the security highlights of the TSA Pipeline Security Guidelines, according to the official DHS website:
1. Report confirmed and potential cybersecurity threats to the Cybersecurity and Infrastructure Security Agency (CISA).
2. Designate a cybersecurity coordinator to be available 24 hours a day, seven days a week.
3. Review current practices.
4. Identify gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
How should organizations prepare to meet TSA Pipeline Security Guidelines?
Preparing to meet these guidelines is not an easy process. It requires operators to develop and implement a comprehensive security plan customized to the needs of the company. The TSA outlines the minimum requirements for that plan, which at a minimum should:
- Identify the primary and alternate security manager or officer responsible for executing and maintaining the plan;
- Document the company’s security-related policies and procedures, to include, but not limited to, methodologies used and timelines established for conducting criticality assessments, risk assessments, and security vulnerability assessments (SVAs), if applicable;
- Reference other company plans, policies and procedures such as insider threat, business continuity, incident response and recovery plans;
- Be reviewed on an annual basis, and updated as required based on findings from assessments, major modifications to the system or any of its facilities, substantial changes to the environment in which it operates, or other significant changes;
- Be protected from unauthorized access based on company policy; and,
- Be provided to TSA for review upon request.[1]
How CounterCraft Helps Meet TSA Pipeline Security Guidelines
The Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration (TSA) have defined a series of actions that pipeline operators can take to improve their cybersecurity posture and mitigate their exposure to common risks.
“Overview: The integration of information communication technologies (ICT), such as remote access and internet-connected devices, into pipeline networks improves operational efficiency and safety for pipeline owners and operators. However, integrating ICT into pipeline industrial control systems (ICS) may increase the attack surface nefarious cyber actors can exploit and, as a result, increases the amount of security required to both protect the devices and monitor their network activity.”[1]
Deception techniques can help mitigate the risks identified by the CISA and TSA teams. The following shows how CounterCraft can help in each area:
1. Boundary Protection
“Boundary protection involves establishing secure sub-networks for critical and operational ICS functions to prevent unauthorized access and communication. Without segmentation, an adversary may have easier and direct access to an ICS environment from the corporate network or through internet-connected devices located in the ICS environment.”[2]
The TSA recommends blocking any traffic that is not explicitly permitted and segmenting the OT/ICS environment from the rest of the IT infrastructure. This is good advice. CounterCraft can help by providing a detection mechanism that alerts if these safeguards have been breached and deflects the adversary into an isolated, harmless environment where their activity can be turned against them, providing valuable threat intelligence on their objective and the tools they use. Security teams can use this intelligence immediately to adjust their security policy and mitigate the risk posed by the attack.
2. Monitoring
“Monitoring entails the implementation of technologies and procedures to capture, monitor, and review network and host traffic in both IT and OT networks and establish a baseline of expected behavior in order to detect suspicious activity. Without effective monitoring capabilities in an ICS environment, operators may not be able to identify abnormal traffic.”[1]
The recommended mitigation for this risk is to monitor for anomalous traffic or unauthorized logins. However, the question remains: what do you do once you detect something? How do you respond, and what is the timeline for the response? CounterCraft can help by providing immediate and automated responses. Using our ActiveLure technology, we can deflect attackers away from production assets into a harmless quarantine. Once they are isolated, we can either monitor their activity to identify their objectives, tools and Tactics, Techniques and Procedures (TTPs), or simply kill their connection. Any intelligence collected can be passed automatically to other security systems, such as SOAR platforms, to provide a coordinated and effective response across the whole security ecosystem.
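The two recommendations above, an explicit allow list for traffic crossing the IT/OT boundary (everything else denied) and a login baseline that flags anomalous activity, can be expressed as a small detection routine. The Python below is an added example and is not CounterCraft code nor text from the TSA guidance; the network ranges, permitted-flow table, account baseline and log lines are all constructed for illustration.

```python
"""Default-deny boundary check plus login baseline over sample log lines.

Added example, not CounterCraft's code and not text from the TSA guidance.
The network ranges, permitted-flow table, account list and the log lines
below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones: the corporate IT network and the segmented OT/ICS network.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Flows that are explicitly permitted to cross the IT/OT boundary.
# Anything else that crosses the boundary is a violation (default deny).
# (source subnet, destination host, destination port, protocol)
PERMITTED_FLOWS = [
    ("10.10.5.0/24", "10.50.1.10", 443, "tcp"),   # historian web UI from the engineering VLAN
    ("10.10.5.0/24", "10.50.1.20", 3389, "tcp"),  # OT jump host from the engineering VLAN
]

# Baseline of expected logins: each account and the only subnet it may log in from.
AUTHORIZED_LOGINS = {
    "ot-engineer": "10.10.5.0/24",
    "historian-svc": "10.50.0.0/16",
}

# Constructed log lines in a simple key=value shape (not a real product format).
SAMPLE_LOG = [
    "FLOW src=10.10.5.23 dst=10.50.1.10 dport=443 proto=tcp",   # permitted
    "FLOW src=10.10.7.40 dst=10.50.1.20 dport=3389 proto=tcp",  # right host, wrong source VLAN
    "FLOW src=10.10.5.23 dst=10.50.2.5 dport=502 proto=tcp",    # ICS protocol port reached straight from IT
    "FLOW src=10.50.1.10 dst=10.50.2.5 dport=502 proto=tcp",    # stays inside OT, no boundary crossing
    "AUTH user=ot-engineer src=10.10.5.23 result=success",      # matches the baseline
    "AUTH user=ot-engineer src=10.10.7.40 result=success",      # known account, unexpected source
    "AUTH user=admin src=10.10.7.40 result=failure",            # account not in the baseline at all
]


@dataclass
class Alert:
    kind: str
    detail: str


def parse_fields(line):
    """Split 'TYPE k=v k=v ...' into a dict of the k=v pairs."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def crosses_boundary(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in IT_NET and d in OT_NET) or (s in OT_NET and d in IT_NET)


def flow_permitted(src, dst, dport, proto):
    s = ipaddress.ip_address(src)
    return any(
        s in ipaddress.ip_network(subnet) and dst == host and dport == port and proto == pr
        for subnet, host, port, pr in PERMITTED_FLOWS
    )


def check_line(line):
    """Return an Alert for a line that breaks the boundary policy or the login baseline, else None."""
    kind, fields = line.split(" ", 1)[0], parse_fields(line)
    if kind == "FLOW":
        src, dst = fields["src"], fields["dst"]
        dport, proto = int(fields["dport"]), fields["proto"]
        if crosses_boundary(src, dst) and not flow_permitted(src, dst, dport, proto):
            return Alert("boundary-violation", f"{src} -> {dst}:{dport}/{proto} is not explicitly permitted")
    elif kind == "AUTH":
        user, src = fields["user"], fields["src"]
        allowed = AUTHORIZED_LOGINS.get(user)
        if allowed is None:
            return Alert("unknown-account", f"{user} from {src} is not in the login baseline")
        if ipaddress.ip_address(src) not in ipaddress.ip_network(allowed):
            return Alert("unauthorized-login", f"{user} from {src}, expected {allowed}")
    return None


def scan(lines):
    """Run every line through the checks and return the alerts in log order."""
    return [a for a in map(check_line, lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.detail}")
```

The point of the default-deny shape is that the second flow is flagged even though it targets a legitimately exposed OT host: it comes from a subnet that was never explicitly allowed. Traffic that stays inside the OT zone is left to whatever monitoring runs there, and the `Alert` records are what you would hand to a SOAR playbook or a deception controller for the automated response discussed above.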
3. Access Control
“Access control is the process of granting IT or OT system resources only to authorized users, programs, processes, or other systems. Poor access control can expose the organization to unauthorized access of data and programs, fraud, or the shutdown of computer services.”[1]
Access control is key to mitigating the risk of intrusion into your OT/ICS networks. Deception is a very good way of identifying whether any attempts have been made to compromise the access controls. A common technique is to deploy fake credentials that lead to a deception portal posing as a gateway into the ICS network. Because each set of credentials is unique, their use pinpoints not only the fact that someone is actively seeking unauthorized access to the OT/ICS network, but also the exact point of compromise.
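The attribution property described above, that a unique decoy credential identifies where it was picked up, comes from keeping a registry of which credential was seeded where. The Python below is an added example, not CounterCraft's ActiveLure or any other product code; the placement names, the portal hostname and the auth log lines are constructed for illustration.

```python
"""Per-placement decoy credentials whose use points back to where they were taken from.

Added example, not CounterCraft's ActiveLure or any other product code. The
placement names, portal hostname and log lines are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Where each decoy credential will be seeded (constructed placements).
PLACEMENTS = [
    "eng-workstation-07:~/.ssh/config",
    "it-fileshare:docs/ICS_remote_access.txt",
    "jumphost-03:~/.bash_history",
]


@dataclass(frozen=True)
class Decoy:
    username: str
    password: str
    placement: str


def mint_decoys(placements, seed=None):
    """Return {username: Decoy}, one unique credential per placement.

    The username is derived from the placement with a keyed hash, so it is
    unique and unguessable but reproducible from the same seed. The decoy
    portal accepts no credential at all; any attempt with one of these
    usernames is, by itself, the signal.
    """
    seed = seed if seed is not None else secrets.token_bytes(32)
    decoys = {}
    for placement in placements:
        tag = hmac.new(seed, placement.encode(), hashlib.sha256).hexdigest()
        username = f"svc_{tag[:8]}"
        password = tag[8:28]  # plausible-looking, never valid on any real system
        decoys[username] = Decoy(username, password, placement)
    return decoys


def attribute(line, decoys):
    """Map one auth log line from the decoy portal back to the placement the
    credential came from. Returns None for lines that do not use a decoy."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    decoy = decoys.get(fields.get("user"))
    if decoy is None:
        return None
    return {"user": decoy.username, "src": fields.get("src"), "placement": decoy.placement}


def scan(lines, decoys):
    """Return every attributed decoy-credential use, in log order."""
    return [hit for hit in (attribute(line, decoys) for line in lines) if hit]


def sample_log(decoys):
    """Constructed auth log for the decoy portal: one attempt with a
    non-decoy username and one with the credential seeded on the file share."""
    names = list(decoys)  # insertion order follows PLACEMENTS
    return [
        "AUTH portal=ics-gw.example.internal user=ot-engineer src=10.10.5.23 result=failure",
        f"AUTH portal=ics-gw.example.internal user={names[1]} src=10.10.7.40 result=failure",
    ]


if __name__ == "__main__":
    registry = mint_decoys(PLACEMENTS)
    for hit in scan(sample_log(registry), registry):
        print(f"decoy {hit['user']} used from {hit['src']}: compromise point {hit['placement']}")
```

In practice the registry is the sensitive artifact: it must live with the deception controller, not on the hosts where the decoys are seeded, or the mapping itself becomes something an intruder can read. The seed parameter exists so that a rotation can be reproduced and audited; in production you would let the function generate a fresh random seed and store it alongside the registry.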
As you can see, cyber deception can play a key part in hardening oil and gas infrastructure security. For more information on how CounterCraft can help you comply with TSA Pipeline Security Guidelines and other governmental directives, contact us.
[2] TSA publication “Pipeline Cyber Risk Mitigation”, July 2020