On June 27th, Department of Homeland Security (DHS) Cybersecurity Gap Assessments are due to the Transportation Security Administration (TSA). For impacted organizations that have not implemented proper change controls, this means a huge risk as failure to comply will result in daily fines, audit findings, and potential public relations nightmares.
SunView Software has been partnering with the energy, banking, and healthcare industries for nearly 20 years in providing Change Management geared around regulatory compliance. Our long history of supporting compliance-driven organizations makes us a natural match when selecting a partner for these new guidelines and requirements.
This month, we will be delving deeply into how you can meet your objectives in Securing Industrial Control Systems, properly manage Change Controls (blackout dates, conflicting changes, high risk changes, etc.), and seamlessly integrate with Monitoring and Alerting solutions (like Tripwire).
We will take a few moments to explain how we got where we are, and then dive deeper to explain how choosing an experienced compliance partner is the best way to close the Cybersecurity gaps you may discover during your assessment.
On February 12, 2013, former President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which charged the National Institute of Standards and Technology (NIST) to create a framework for reducing risk to critical infrastructure. Within that same order, the Department of Homeland Security (DHS) was assigned to help critical infrastructure companies better understand and utilize this framework.
Unfortunately, up until the ransomware attack on the Colonial Pipeline Company that occurred on May 7, 2021, Section 7: “Pipeline Cyber Asset Security Measures” of the TSA Pipeline Security Guidelines was considered “voluntary” by most companies. The voluntary nature of Section 7 resulted in shortfalls in hiring staff with cybersecurity experience, failure to provide existing team members with additional training, and resistance to the organizational and cultural changes required to adopt most new technologies. While it may appear easy to lay blame on a specific person or group, the harsh reality is that most of corporate America operates under time and budget constraints that often lead to similar (although usually not as crippling) effects.
The DarkSide shut down Colonial Pipeline’s Information Technology (IT) and industrial Operational Technology (OT) systems using a two-pronged cyberattack. First, the group stole data from the company. Then, it launched a ransomware attack that encrypted critical files in the IT environment. By gaining control of Colonial Pipeline’s IT systems, the executive management team was encouraged/ (i.e., forced) to shut down the production side (OT) of the business to prevent further exposure. Although the IT system only manages the flow of digital information (in the form of read-only data), the hackers were able to gain influence over the OT side that manages the operation of physical processes and the machinery used to carry them out.
In the Spring of 2019, ARC Advisory Group teamed up with Kaspersky to conduct a survey on the state of cybersecurity of Industrial Control Systems (ICS), as well as the priorities, concerns, and challenges it brings for industrial organizations. According to the results, 70% of the 282 industrial organizations that participated in the survey considered a cyberattack on their OT and/or Industrial Control Systems (ICS) infrastructure to be likely. Despite these findings, many of the respondents—who work in oil, gas, and chemical industries—have not defined their own approach to implementing OT/ICS cybersecurity.[1] Of the companies surveyed, more than 80% stated that OT cybersecurity is a high priority, but only 31% had implemented an incident response program.
To understand how secure they are, 67% of the companies surveyed carry out regular cybersecurity assessments. In general, companies strive to prevent cyber-incidents and minimize their impact, as this is more cost-effective than re-commissioning systems following a successful cyberattack. More than two-thirds (70%) said they expect to receive higher budgets for security audits and incident response in the future. Thanks to the availability of the IEC 62443 series of security standards developed by the International Electrotechnical Commission (IEC), companies can implement best practices using standardized methodology to audit and verify their industrial networks.
The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs). The committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
Published on February 27, 2019, a relatively new standard in the series: ISA-62443-4-2, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components, provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components, and software applications. The standard, which is based on the IACS system security requirements of ISA/IEC 62443‑3-3, System Security Requirements and Security Levels, specifies security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.
On May 26, 2021, the Department of Homeland Security (DHS) announced a new directive, which now requires U.S. pipeline companies to comply with cybersecurity regulations or pay fines starting at $7,000 per day. This new directive also requires pipeline owners and operators to report any cyber incidents to the federal government and have a cybersecurity expert on staff to work with authorities in the event of another attack like the one that hit Colonial Pipeline.
President Biden’s six-page Security Directive, which took effect on May 28, 2021, applies to owners and operators of hazardous liquids and natural gas pipelines, in addition to natural gas facilities that have been deemed part of our nation’s “critical” infrastructure that must be protected from cyberthreats including, but not limited to, ransomware.
Cybersecurity compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Compliance requirements vary by industry and sector, but typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of sources including Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Cybersecurity and Infrastructure Security Agency (CISA), and many other organizations.
Many oil and gas companies have not invested much in infrastructure security, nor paid enough attention to updating outdated or legacy technology. This presents a major problem by inviting hacking of legacy systems as well as supervisory control and data acquisition (SCADA) technology and human-machine interfaces (HMI). U.S. energy plants are now under near-constant threat from malware such as the cyberattack on Colonial Pipeline.
Although President Biden’s Security Directive has been announced, the details of the order are still evolving. Cybersecurity compliance in the natural gas and oil industry means creating a program that establishes risk-based controls to protect the integrity, confidentiality, and accessibility of information stored, processed, or transferred. But cybersecurity compliance is not easy—nor are the requirements clear. There are dozens of acronyms and hundreds of controls that can become overwhelming at times—if a company is not perfectly situated to manage the changes as they happen. Compliance requirements vary and can be imposed by law, regulatory bodies, and even private industry groups. SunView Software is actively monitoring the state of the industry as well as keeping up with new guidelines and requirements as they are published.
Biden’s Security Directive applies to owners and operators of facilities or pipelines that handle any hazardous liquid, natural gas pipelines, or any liquefied natural gas facility notified by Transportation Security Administration (TSA) that their pipeline system or facility is considered critical. In addition to new guidance on incident response and notification requirements, the Directive requires four very time-sensitive and vital actions. A summary of these actions is provided in the table below.
Table 1 – Cybersecurity Requirements for Pipeline Owners and Operators | |
Due Date | Action Required |
Immediately | Provide written confirmation of receipt of the Security Directive to the TSA |
June 4 | Designate a primary and at least one alternate cybersecurity coordinator. These individuals must be at the corporate level. They will be required to be available to TSA and CISA 24/7 to address cyber best practices and provide coordination in the event of any incident. |
June 27 | Conduct a gap assessment to assess current practices and immediately disseminate the information and measures in this Security Directive to corporate senior management, security management representatives, and any personnel responsible for implementing the provisions in this Security Directive. Provide a prompt briefing regarding the Security Directive to all such individuals. |
Ongoing | Address cybersecurity risks for both information and operational technology systems and infrastructure. Any gaps identified shall have remediation measures enacted to address those gaps and a timeframe for implementing the measures shall be provided. |
This new regulation requires that designated pipeline security companies report cybersecurity incidents to the CISA no later than 12 hours after a cybersecurity incident is identified. The TSA estimates that about 100 companies in the U.S. would fall under the directive’s mandates.
To learn more about how ChangeGear helps companies meet their compliance and monitoring needs you can visit our Resource Center to review details regarding NERC CIP, Change and Compliance for Government, and Asset Management.
[1] Menze, Thomas. The State of Industrial Cybersecurity. ARC Advisory Group and Kasperky, July 2019, https://ics.kaspersky.com/media/2019_Kaspersky_ARC_ICS_report.pdf. Accessed 28 May 2021.
Posted under: