The U.S. federal government took another step to ensure the security of the cyber-physical systems used to operate crude oil, natural gas, and petroleum product pipelines and liquefied natural gas (LNG) terminals last week, when it issued a new directive imposing additional cybersecurity requirements for owners and operators of these facilities. This move demonstrates that U.S. government agencies are taking the threat against pipelines very seriously – and may also indicate that cybersecurity requirements will soon be expanded to cover other sectors of the oil and gas industry.
Little known about new requirements
The directive was issued on July 20 by the Transportation Safety Administration (TSA), a division of the Department of Homeland Security (DHS).
In a statement announcing the new requirements, TSA said it had taken this step to ensure that the owners and operators of pipelines designated as critical infrastructure implemented “a number of urgently needed protections” against cyberattacks. It also quoted Secretary of Homeland Security Alejandro Mayorkas as saying that the measure laid the groundwork for effective cooperation between public- and private-sector organizations.
“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Mayorkas said. “Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security. Public-private partnerships are critical to the security of every community across our country, and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”
The statement referenced TSA’s initial security directive to pipeline companies, which was issued in May following a ransomware attack on Georgia-based Colonial Pipeline, the operator of a pipeline network that supplies around 45% of all the petroleum products consumed in the U.S. Northeast. It noted that this initial directive required the companies concerned 1) to report confirmed and potential incidents to CISA, 2) to make a designated cybersecurity coordinator available 24 hours per day and seven days per week, 3) to review current cybersecurity practices, and 4) to identify gaps and remediation measures for the purpose of completing a report and submitting it to TSA and CISA within 30 days.
However, the statement did not say anything specific about the new requirements that TSA was imposing under the second directive. Information is limited because of security considerations. This omission was not an accident or oversight; it was intentional.
Industrial Cyber’s virtual roundtable – industry stalwarts reaction to the new directive.
Ruth Clemens, the assistant press secretary of DHS’ public affairs division, cited security considerations as the reason for the lack of detail. “The security directive is designated as Sensitive Security Information (SSI) and, as a result, its distribution is limited to those with a need to know,” she explained to Industrial Cyber. She also indicated that TSA had divulged the necessary information to all of the owners and operators of facilities designated as critical infrastructure.
Mary Guzman, CEO and founder of Crown Jewel Insurance, a provider of risk management services for trade secret assets, pointed out that TSA and its parent organization DHS had compelling reasons to remain opaque about the details of the new directive. “There is a very good reason why they would not and should not disclose publicly what the requirements are,” she told Industrial Cyber. “That would be analogous to letting the offense of the opposing team in a football game have your defensive playbook prior to the game. Hackers will go around what they know you are doing to defeat them.”
Saumitra Das, CTO and co-founder of Blue Hexagon, a provider of deep learning-powered cybersecurity solutions, expressed a similar opinion. “It could be because they do not want to inform attackers about the exact nature of steps being focused on in the directive and not help them reevaluate their attack toolkits,” he told Industrial Cyber.
Brian Dunphy, vice president of product management at Claroty, a leading provider of industrial cybersecurity solutions, took a similar stance. “Operational security measures like this are typically intended to limit the attackers from knowing what defensive measures are being put in place,” he informed Industrial Cyber.
These seem like reasonable assumptions. For one thing, the U.S. government and the oil and gas industry are both eager to avoid a repeat of the extensive disruption that followed the cyberattack on the Colonial Pipeline in May. For another, the upswing in cyberattacks on critical infrastructure facilities has affected pipeline owners and operators along with more obvious targets, such as utilities and banks.
Indeed, pipelines were already attractive targets for malicious actors even before they were designated as critical infrastructure. It’s worth noting that the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed last week – on July 20, the same day that the TSA directive was issued – that no less than 23 gas pipeline operators had been affected by spearphishing and intrusion campaigns between 2011 and 2013.
In short, TSA appears to have decided to remain mum about the details of the new requirements because officials in Washington are taking the threat of cyberattacks on pipelines very seriously indeed.
Reading between the lines
That said, it is possible to infer some of the things that the agency might want pipeline owners and operators to do.
Mark Carrigan, senior VP of Global Sales Excellence at Hexagon PPM, a provider of business software design solutions, noted that industry best practices were always a good starting point. “As is often the case with an initial directive from a US federal agency, the requirements lack detail on expectations to comply,” he told Industrial Cyber. “That said, the new requirements to ‘implement a cybersecurity contingency and recovery plan and conduct a cybersecurity architecture design review’ are well-understood aspects of a security strategy, and owner/operators should look to well-documented industry best practices from NIST and other agencies to direct their efforts.”
Das, for his part, said he expected TSA to ask pipeline companies to go beyond the baseline. “While the ‘best practices’ have not yet been made public, we think there is a discussion going on about what those should be,” he told Industrial Cyber. “I believe the nature of the requirements should not be the usual known things like zero trust, vulnerability management, multi-factor authentication, et cetera, because everyone knows about those, but they don’t always get fully implemented and attacks are still happening. What’s important is to require immediate investment in tools and technology that focuses on detection and response as well as visibility into north-south and east-west traffic flows.”
Other sectors of the oil and gas industry may face new requirements soon
In any event, the new directive indicates that U.S. government agencies are taking the threat against pipelines very seriously – and may also presage the expansion of cybersecurity requirements to cover other sectors of the oil and gas industry in the near future.
Carrigan stressed this point, noting that TSA had issued its second directive against a backdrop of rising concern in Washington about cyberattacks on industry and critical infrastructure. “While the TSA and DHS directive is focused on the pipeline industry, there is little doubt that eventually, the US government will widen the scope for cybersecurity requirements to cover a broader range of critical infrastructure,” he said. “The 100-day sprint, as well as the executive order released earlier this year, are clear indicators that the US government is planning additional regulations to improve the nation’s cybersecurity posture.”
Bryson Bort, the CEO of Scythe, the builder of a next-generation attack-emulation platform, spoke similarly. “I would expect that the entire supply chain will eventually be in scope since the impacts are cascading,” he told Industrial Cyber.
Dunphy also mentioned the need to secure supply chains and pointed out that new requirements might be imposed by several different federal agencies. “Based on recent incidents, we are seeing a flurry of initiatives from the Department of Energy, NIST, TSA, et cetera, that are intended to increase the protection of critical infrastructures – and Claroty has seen an increase in interest from these industries seeking help to protect their industrial infrastructures,” he told Industrial Cyber. “Due to the focus and scope limitations of different agencies, we should expect a variety of directives from different agencies to their specific industries. At the end of the day, any disruption of the supply chain has the potential result in an outage, so protecting the infrastructure end to end is the only way forward.”
Das also referred to end-to-end protection, saying he expected the expansion of cybersecurity requirements to affect upstream exploration and production operations, as well as downstream refining and distribution activities – though perhaps not retail fuel sales and marketing. “It is likely the government will focus on other pieces of the O&G supply chain that can lead to direct consequences for Americans. Refining, distribution, and others are more likely; marketing less so,” he commented.
Guzman, meanwhile, suggested that Washington would eventually need to do more than draw up additional cybersecurity directives. When asked by Industrial Cyber whether she expected the scope of security requirements to expand to cover other sectors of the oil and gas industry, she replied: “I would certainly hope so, as otherwise, this is like putting a Band-Aid on a deep knife wound. Not only do we need to address the threat to the entire fuel supply chain, but all other critical infrastructure industries as well. The telecom, utilities, transportation, healthcare, food supply, and financial services sectors are equally critical to our economy and our physical safety.”
More regulations – and more red tape
Despite these expectations, U.S. government agencies have yet to make a statement as to whether the other sectors of the oil and gas industry might soon face new cybersecurity requirements. Clemens declined to reply to the questions that Industrial Cyber submitted on this topic, and TSA did not respond to any inquiries.
Assuming that additional directives and requirements are forthcoming, though, they may have unintended consequences for the oil and gas industry. As Dunphy explained: “While well intended, these measures will slow down the collaboration and action between the companies being targeted and the rest of the security industry that they need help from. Based on the past 20 years, open standards and security requirements combined with a clear call to action will yield faster and better security – what’s needed right now.”