After experiencing the Colonial Pipeline attack, Americans have a heightened awareness that infrastructure operations, including pipelines, water treatment plants and other operational technology (OT)-based organizations that control the critical flow of liquids and bring stability to our day-to-day activities, are being targeted by cyberattacks. The nation is waking up to how dependent we are on our fragile infrastructure. Even short-term disruptions have given us a glimpse into the potential economic impact interruptions can have on the US.
In response, the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) have amplified their focus on cybersecurity requirements. Twice in the last 45 days, these agencies have released directives for critical pipeline providers.
The first directive from TSA was publicly released, and a second directive from DHS with very specific requirements and timelines was recently sent to a subset of the most critical 3,000 pipeline providers. No one, including the pipeline providers, would argue that the directives include unusually strict requirements or that they significantly exceed basic best practices. However, the directive timelines impose serious budget and resource requirements on many of the pipeline providers.
The common question is, why? Is there some known new threat? Well, you don’t need to be a National Security Agency or DHS threat intelligence analyst to know this threat has been around since the 1980s. What has changed is the expansion of the threat surface and landscape: increasingly cyber-dependent systems are being connected into OT environments, and there is a greater need for remote access to maintain and monitor systems (some driven by COVID-19 and some simply driven by resource constraints).
In addition, the IT and cybersecurity debt created over the years, as budgets were pushed from year to year, has left teams stretched thin and struggling to maintain a patchwork of complex systems and applications. And candidly, we need to recognize some complicity in making sure all parties understand the real risk to our nation. If it makes you feel better (which it shouldn’t), most other countries are in similar or even worse situations than the U.S. What we’ve seen in the last year are early indications of a much larger storm of compromises on the horizon.
I was personally impacted by the Colonial Pipeline event, vacationing in North Carolina with the inability to get gas to return to Virginia. Being only a full tank away from home yet doubting I would find the simple commodity of gas vividly reminded me of just how fragile our infrastructure is today.
If you’re a pipeline provider, what should you do, even if you haven’t yet been notified?
- Make sure you have a plan in place for meeting the initial directive’s requirements, and start setting expectations that the timeline may be accelerated for small and large providers alike.
- Even before reading the first or second directive, make sure you follow general best practices for critical OT environments, including:
  - Segment your OT from corporate infrastructure. Even under extreme financial constraints, tools and systems must be completely separated, including identity, network management systems, and cybersecurity systems and management.
  - Protect the connections where corporate or remote access crosses into OT (which should rarely occur) with the utmost diligence (i.e., multi-factor authentication, port-level blocking, limited access, minimal service accounts, etc.).
  - Make sure you have high-fidelity monitoring, backed by a program that provides continuous improvement.
  - Properly manage your password policy and enforce it with technology guardrails.
  - Know that bad things happen to good people and companies, so always have, and practice, your incident response plan.
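The segmentation and boundary-protection items above are only as good as the evidence that they hold in practice. The script below is an added example (not code from the original post or from Pondurance) of the kind of check a monitoring program can run over firewall flow logs: it treats one hardened jump host as the sole sanctioned conduit into OT and flags any allowed flow that bypasses it, that uses a port outside the conduit’s allow-list, or that indicates shared identity/management plumbing across the boundary. The address ranges, the jump host, the allow-list, and the log lines are all constructed for illustration.

```python
"""Added example: audit IT/OT boundary flows against an explicit allow-list.

Hypothetical layout (every address and log line here is constructed):
  corporate network  10.10.0.0/16
  OT network         10.50.0.0/16
  jump host          10.20.0.5  (assumed sole conduit into OT, MFA-enforced)
"""
import ipaddress
import re
from dataclasses import dataclass

CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")
JUMP_HOST = ipaddress.ip_address("10.20.0.5")

# Only these (port, protocol) pairs may be reached from the jump host.
ALLOWED_CONDUIT_PORTS = {(22, "tcp"), (3389, "tcp")}

# Ports that indicate identity/management services shared across the
# boundary (Kerberos, LDAP, SMB, LDAPS, WinRM); the text says these
# systems must be fully separated between corporate and OT.
SHARED_SERVICE_PORTS = {88, 389, 445, 636, 5985}

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p> action=<a>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
        "action": m["action"].lower(),
    }


def classify(flow):
    """Return a reason string if the flow violates the boundary policy, else None."""
    if flow["action"] != "allow":
        return None  # a denied flow is the firewall doing its job
    if flow["dst"] not in OT_NET:
        return None  # not a flow into OT
    if flow["src"] in OT_NET:
        return None  # intra-OT traffic is out of scope for this check
    if flow["src"] == JUMP_HOST:
        if (flow["dport"], flow["proto"]) in ALLOWED_CONDUIT_PORTS:
            return None
        return "jump host reached OT on a port outside the allow-list"
    if flow["dport"] in SHARED_SERVICE_PORTS:
        return "identity/management service shared across the IT/OT boundary"
    if flow["src"] in CORPORATE_NET:
        return "direct corporate-to-OT flow bypassing the jump host"
    return "flow into OT from an unknown source"


def audit(lines):
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            findings.append(Finding(n, reason, str(flow["src"]), str(flow["dst"]), flow["dport"]))
    return findings


# Constructed sample log: one clean conduit session, one direct corporate
# hit on a Modbus port, one denied attempt, one intra-OT flow, one SMB
# crossing, one conduit session on an unapproved port, one unknown source.
SAMPLE_LOG = """\
2021-06-01T08:00:01Z src=10.20.0.5 dst=10.50.1.20 dport=22 proto=tcp action=allow
2021-06-01T08:00:02Z src=10.10.4.7 dst=10.50.1.20 dport=502 proto=tcp action=allow
2021-06-01T08:00:03Z src=10.10.4.7 dst=10.50.1.20 dport=502 proto=tcp action=deny
2021-06-01T08:00:04Z src=10.50.1.10 dst=10.50.1.20 dport=502 proto=tcp action=allow
2021-06-01T08:00:05Z src=10.10.0.9 dst=10.50.1.5 dport=445 proto=tcp action=allow
2021-06-01T08:00:06Z src=10.20.0.5 dst=10.50.1.20 dport=502 proto=tcp action=allow
2021-06-01T08:00:07Z src=192.0.2.44 dst=10.50.1.20 dport=22 proto=tcp action=allow
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.src} -> {f.dst}:{f.dport})")
```

Run against the constructed sample, the audit reports four findings (lines 2, 5, 6 and 7) and stays silent on the sanctioned conduit session, the denied attempt and the intra-OT flow. The design choice worth noting is that the policy is an allow-list keyed on a single conduit: anything else reaching OT is a finding by default, which is what “completely separated” means in practice.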
The belief that our nation’s critical infrastructure extends beyond the reach of sophisticated cyberattacks is a significant underestimation of our enemies. The Colonial Pipeline incident clearly demonstrated the impact of threats posed by increasingly sophisticated and resourceful hackers. It also affirmed the importance of accelerating the security maturity of our critical infrastructure, with the help of trusted cybersecurity partners. If pipeline providers take on these cyber challenges today, the nation may look forward to a future where the critical infrastructure is better protected from attack.
For a broader perspective, learn more about key factors contributing to cyberattacks and more recommendations in our blogs: 3 Factors Contributing to Cyberattacks and Recommendations to Protect Your Organization, Critical Infrastructure (CI) Cybersecurity: Is CMMC the Answer?
Chief executive officer | PONDURANCE
Doug has over 30 years of experience as a technology leader and innovator in security with a highly developed background in business development, mergers and acquisitions, operations, engineering, marketing, sales, and executive leadership. In his previous role at RSA as Vice President of Global Services and IT Innovation, he provided leadership support for RSA’s strategic vision and global operational execution, various Dell governance programs, and the mergers and acquisitions exit from Dell to STG.
A former member of the U.S. Air Force, Doug holds a bachelor’s degree in management and marketing from Strayer University.