The Implications of DHS-TSA Directive Pipeline 2021-1
The Department of Homeland Security has issued key guidance for oil and gas operations in the wake of recent cyberthreats. Here are three practical ways to disrupt attack paths in your OT infrastructure.
The oil and gas industry heavily depends on automation for a variety of different operations. The symphony of operations required to find, extract, refine, mix, collaborate and ultimately deliver oil and gas all rely on operational technology (OT) infrastructure.
Recent disruptions in critical infrastructure OT environments, including the Colonial Pipeline incident, have underscored the susceptibility of critical infrastructure to cybersecurity vulnerabilities, threats and potential outages.
Other attacks against the oil and gas sector include:
- February 2020 - A cyberattack was launched against a natural gas facility concurrently encrypting both the IT and OT networks and locking access to the human-machine interface (HMI), data historians and polling servers. The pipeline was forced to shut down for two days.
- December 2018 - An Italian oil and gas industry contractor fell victim to a cyberattack that hit servers based in the Middle East, India, Scotland and Italy.
- April 2018 - A cyberattack on a shared data network forced four U.S. natural-gas pipeline operators to temporarily shut down computer communications with their customers.
- August 2017 - A Saudi Arabian oil and natural gas facility was shut down by the Xenotime group of hackers.
The DHS- TSA 2021-1 Pipeline Directive
On May 28, 2021, the U.S. Department of Homeland Security (DHS) - Transportation Security Administration (TSA) issued Security Directive 2021-1 specifically for pipeline operations. While other oil and gas industry standards have previously been enacted (see list below), this directive was issued due to an ongoing security threat to U.S. pipeline operations. It represents an important inflection point in securing critical infrastructure environments that might otherwise be at risk.
Security Directive Pipeline 2021-1 gives guidance to pipeline operators in three key areas:
- Owners and operators of pipeline operations must report security incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
- A cybersecurity coordinator must be assigned and available 24/7 to coordinate security practices, meet specific requirements outlined in the directive and react when incidents occur.
- Oil and gas facilities must assess their current cybersecurity practices and activities to address cyber risks against the TSA's 2018 Pipeline Security Guidelines, identify gaps between their current cybersecurity practices and those listed in the guidelines, and develop remediation plans to fill those gaps.
Key standards relevant to the oil and gas industry
National Institutes of Standards and Technology (NIST) Cybersecurity Framework (CSF): The pre-eminent framework adopted by companies in all industry sectors. Natural gas and oil companies increasingly orient enterprise-wide programs around NIST CSF.
International Electrotechnical Commission (IEC) 62443. Family of standards for industrial control systems (ICS) security. Widely adopted by the production segment of the natural gas and oil industry. Applicable to any type of natural gas and oil ICS.
API Standard 1164: Content unique to pipelines not covered by the NIST CSF and IEC 62443.
Department of Energy Cybersecurity Capability Maturity Model: Voluntary process using industry-accepted best practices to measure the maturity of an organization's cybersecurity capabilities and strengthen operations.
International Organization for Standardization (ISO) 27000: Leading standard providing requirements for an information security management system (ISMS).
Three Key OT Security Best Practices to Reduce Risk
While the DHS-TSA 2021-1 Directive highlights key needs relevant to oil and gas operators, the biggest challenge for most organizations is how to operationalize the three key components of the directive:
- identifying risk;
- rooting out gaps in security; and
- mitigating incidents when they occur.
Here are three key OT security best practices we believe should be implemented thoroughly and with urgency to secure pipeline operations and keep them resilient.
- Gain visibility and deep insight. The oil and gas industry requires synchronized operations across the entire infrastructure as well as access to credentials by a wide, heterogeneous audience. Active Directory (AD) occupies a key role here and, in the case of Colonial Pipeline, the ransomware attack took advantage of this attack vector. Individuals that utilize AD may include authorized employees, partners, agents and subcontractors. Access requirements may extend beyond the actual plant to offsite and remote drilling locations or pipelines across the globe. Consequently, it is essential to maintain access and configuration control that spans from the main facility to all locations, regardless of how remote or distributed they are. The OT security solution must always have the intelligence of individual devices at all locations, including but not limited to programmable logic controllers (PLCs), HMI controllers, engineering stations, networking equipment, gateways and any other devices critical to regular network operations. Deep knowledge, including visibility into all types of devices, patch levels, firmware versions and backplane information, is essential. It is also critical to account for dormant devices that are not communicating regularly over the network.
- Identify threats. While the OT operations of oil and gas providers were once isolated, today they are connected to IT and are accessible anywhere. This convergence creates an environment that can impact the integrity of oil exploration, extraction, refining and delivery. The elimination of air gapping enables bad actors to penetrate parts of the operations environment from either the IT or the OT side. To identify a variety of suspicious behaviors it is essential to leverage three detection engines:
- Traffic mapping and traffic visualization to identify and alert against communication attempts from external sources, in addition to devices that should not be talking to one another.
- Anomaly detection to pinpoint traffic patterns that are outside of the regular network operation.
- Signature-based detection to identify known threats which are used by attackers.
- Close vulnerabilities faster. Most oil and gas environments contain a mix of older devices typically not found in IT environments. With various patch levels across each device type, it is difficult to maintain an up-to-date patch management program. Because oil and gas environments may not have frequent or long enough maintenance windows, known vulnerabilities may not be patched for an extended time period. It's critical to maintain deep awareness of the state and characteristics of all devices. This includes accurate matching between specific device conditions and the available vulnerability knowledge base that has associated exploits. Because of the dynamic nature of oil and gas environments, this body of knowledge must be kept in sync with newly discovered vulnerabilities. Tenable's Vulnerability Priority Rating (VPR), for example, can provide a triaged list of vulnerabilities from most- to least-serious, based on a variety of factors such as Common Vulnerability Scoring System (CVSS) score, vulnerability severity and exploitability, and much more.
OT cybersecurity is now widely recognized as a core ingredient to ensuring a reliable, efficient and safe critical infrastructure that society relies on. You need full visibility, security and control into all of your operational assets. Best-in-class approaches to OT security are more critical than ever both with respect to complying with existing standards as well as this newly released DHS directive, but also as part of a duty of care to our communities. Constantly changing threat conditions require deep situational awareness in real time, both at the network and devices level. Situational awareness should be updated regularly and kept in sync with newly discovered vulnerabilities, threats and gaps. Any deviation must be captured in real time and documented. Full paper trails, capturing all changes to the environment, are essential. Capturing and maintaining this detailed information can help speed incident response, highlight and prioritize newly discovered vulnerabilities and demonstrate proactive compliance both internally and to the required compliance organizations.
- Read the blog: Colonial Pipeline Ransomware Attack: How to Reduce Risk in OT Environments
- Visit the solutions page: Industrial Cybersecurity to Secure Oil and Gas Operations
- Download the whitepaper: Critical Infrastructure Cybersecurity
Cybersecurity News You Can Use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.