Acknowledging that the traditional voluntary approach to cybersecurity in critical industries was not working, the US government has issued emergency rules to strengthen the cybersecurity of the nation’s most important energy pipelines.
But industry officials and some analysts argue implementing the rules could hamper pipeline reliability, reports the Washington Post. The rules are designed to spur pipeline companies to bolster their defences, evaluate their cybersecurity and ensure they can continue to operate even if their business networks are hacked.
Commenting on this, Chris Grove, technology evangelist at Nozomi Networks, said:
“Cybersecurity, much less industrial cybersecurity, is a complicated and fluid topic. The recent TSA Security Directive Pipeline-2021-02 attempts to tackle one of the most challenging aspects of industrial cybersecurity – protecting sensitive, critical infrastructure against threats/APTs with nation-state capabilities. Whether a nation-state actor or a ransomware gang is attempting to affect pipeline operations, the threat to society is enormous.
“Preventing enemies of societies from commandeering critical infrastructure is a basic function of security, from the national/political level, all the way down to the network levels. The Pipeline Security Directive attempts, from a high level, to make a positive impact at the lower, physical, real-world equipment.
“To summarise the Directive:
- First, operators must identify, categorise, and mitigate the risks of compromise identified as 'critical'.
- Second, operators are required to create Contingency/Response Plans.
- Third, operators must test the effectiveness of their cybersecurity practices through an annual design review.
“The 16-page Directorate later goes deeper into specific recommendations around hardening the systems, such as using MFA, implementing network segmentation, isolating OT levels, and several others. The directorate follows suit with many other attempts to secure operational technologies by providing a blend of prevention, detection, and resiliency. However, when the recommendations overlap with Operational Technology, they don't actually apply.
“Even patching systems and MFA allow OT operators a way out. In other areas it doesn't, like weekly virus scanning of OT systems.
“The Directorate is high-level and non-specific enough that it doesn't appear to be directed at pipelines, but more about OT or critical infrastructure in general. Many operators, particularly those that pursued NERC-CIP, will be well positioned, probably superseding the requirements in the Directive. There are a couple of areas which may cause some concern for operators. As an example, on page 9, Part 3, to break storage and identity stores between IT and OT is a huge challenge for converged environments. Also on page 9, C.1.a mandates prompt removal from the network, and disabling of the drives, of any infected equipment, something that's not always possible in an OT environment.
“To put this Directive in context, it would have had no impact on the Colonial Pipeline incident, as the operator had security at a higher level than what the Directive aims for.”
Read the article online at: https://www.worldpipelines.com/regulations-and-standards/07102021/nozomi-networks-comments-on-recent-tsa-pipeline-security-directive/