In April 2021, the Transportation Security Administration (TSA) updated its TSA Pipeline Security Guidelines. The Colonial Pipeline ransomware attack means more attention will be paid to the cybersecurity posture of the oil and natural gas (ONG) industry. Understanding the changes to the TSA Pipeline Security Guidelines shows how Attack, Detect, and Response (ADR) can enhance security.
Section 5 outlines a series of considerations that pipeline operators should take into account when designating a pipeline critical facility.
The considerations for determining whether something is a pipeline critical facility include:
Additionally, pipeline operators need to consider the following documentation:
Finally, Section 5 includes a chart with specific criteria and guidance for designating pipeline critical facilities. The seventh criterion, however, applies to all three. Under the heading “significantly disrupt pipeline system operations for an extended period of time,” operators need to consider:
The term “critical cyber assets” dates back to the 2018 update. However, in light of recent attacks on critical infrastructure, deciding which assets count as critical cyber assets has become more important.
Under 7.2 “Pipeline Cyber Assets Classification,” pipeline cyber assets should be evaluated and classified as follows:
For critical pipeline cyber assets, operators need to use enhanced security measures.
“Enhanced security measures” require more than basic security controls. Organizations need a sense of what those measures look like in practice and what impact they have on the environment.
Section 7.3 lists baseline and enhanced security measures across five control families:
Within those five categories, the TSA outlines thirty baseline controls that align with traditional enterprise IT security, as well as twelve enhanced security measures across four control families, which follow the NIST Cybersecurity Framework functions:
Identify
Protect
Detect
Respond
OT environments are different from enterprise IT environments: availability and physical safety take priority, and many devices are legacy controllers that were never designed to tolerate scanning, unexpected traffic, or being taken offline for a test. Enhanced security measures like conducting incident response exercises therefore pose unique challenges in OT environments.
Conducting security assessments on critical infrastructure can be problematic for the same reason. The goal of an incident response exercise or third-party assessment is to determine whether the OT environment can be undermined, yet the test itself must not undermine it. Ransomware attacks against these fragile environments succeed because measuring risk and locating entry points is difficult when the environment cannot be probed aggressively.
With ADR, critical pipeline operators can engage in threat modeling and incident response exercises without worrying that they will compromise availability.
With ADR, ONG and other organizations with OT environments can run emulations without worrying about system impact. An ADR emulation runs as a user-mode program without elevated privileges, and its actions are designed to exercise real-world TTPs without carrying out the destructive steps a real payload would take. The safety comes from that design as much as from the privilege level: real ransomware is also a user-mode program, so an emulation must be built so that it never modifies production files or processes.
For example, a ransomware attack on a beachhead product such as a human machine interface (HMI) could cause a system outage. These systems are highly interconnected, so compromising one beachhead product can cascade into a full system outage. ADR gives you a way to run threat models against these risky devices without causing a system-wide outage.
Functionally, an ADR solution that emulates a ransomware attack works like this:
From the technical perspective, the program does this:
Fundamentally, this approach preserves the current state, running the attack emulation in parallel to the system the organization is testing rather than on it. Because the live state is preserved, the platform maintains system availability even where the real attack being emulated would have caused an outage.
ADR allows security teams to build threat models based on tactics, techniques, and procedures (TTPs) found in the wild. A simulation, by contrast, replays a predefined attack path, so once you have run it, it has mostly done its job.
ADR emulations give you the ability to create unique paths. With these paths, you can track your controls’ effectiveness and your tools’ detection capabilities. This means that you can see how well your controls stand up against new methodologies.
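As an added illustration of the two points above, that an emulation can exercise a ransomware TTP against a copy of the target while leaving the live system untouched, and that the telemetry it produces can be used to check whether a detection rule fires, here is a small Python example. It is not SCYTHE's code and makes no claim about how the ADR platform is implemented. The sample HMI configuration files, the `.locked` extension, the ransom-note name, the SHA-256 counter-mode keystream used as a stand-in cipher, and the rename threshold in the detection rule are all assumptions chosen for the example.

```python
"""Safe ransomware emulation: run the TTP against a shadow copy, never the live files.

Example code, not SCYTHE's. Everything here (file names, extension, note name,
stand-in cipher, detection threshold) is an assumption made for illustration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

RANSOM_EXT = ".locked"            # assumed extension the emulated payload appends
NOTE_NAME = "README_RESTORE.txt"  # assumed ransom-note file name


def snapshot(root: Path) -> dict:
    """Hash every file under root so we can prove the live tree was not modified."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode XORed over the data (symmetric)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def emulate_ransomware(live_dir: Path, work_dir: Path, key: bytes) -> list:
    """Copy live_dir into a shadow tree and run the ransomware TTP on the copy only.

    Returns an event log shaped like the file telemetry an EDR would see.
    """
    shadow = work_dir / "shadow"
    shutil.copytree(live_dir, shadow)          # the only thing touched is the copy
    events = []
    for f in sorted(p for p in shadow.rglob("*") if p.is_file()):
        target = f.with_name(f.name + RANSOM_EXT)
        target.write_bytes(keystream_xor(f.read_bytes(), key))
        f.unlink()                             # encrypt-then-rename, as real payloads do
        events.append({"op": "rename", "src": str(f), "dst": str(target)})
    note = shadow / NOTE_NAME
    note.write_text("Emulation only: files in this shadow copy were encrypted.\n")
    events.append({"op": "create", "path": str(note)})
    return events


def detect_mass_rename(events: list, threshold: int = 5) -> bool:
    """Toy detection rule: N+ renames to the ransom extension plus a dropped note."""
    renames = [e for e in events
               if e["op"] == "rename" and e["dst"].endswith(RANSOM_EXT)]
    note_dropped = any(e["op"] == "create" and e["path"].endswith(NOTE_NAME)
                       for e in events)
    return len(renames) >= threshold and note_dropped


def run_campaign(file_count: int = 6, threshold: int = 5) -> dict:
    """Build a constructed 'live' HMI config tree, emulate against a copy, report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        for i in range(file_count):   # constructed sample files, not real HMI data
            (live / f"hmi_config_{i}.ini").write_text(f"[tag{i}]\nsetpoint={i * 10}\n")
        work = Path(tmp) / "work"
        work.mkdir()

        before = snapshot(live)
        events = emulate_ransomware(live, work, key=b"emulation-key")
        after = snapshot(live)
        return {
            "live_unchanged": before == after,   # availability check
            "files_encrypted": sum(1 for e in events if e["op"] == "rename"),
            "detected": detect_mass_rename(events, threshold),
        }


if __name__ == "__main__":
    print(run_campaign())
```

The two results worth tracking over time are `live_unchanged`, which is the availability guarantee the text describes, and `detected`, which tells you whether the rule fires on this path. Lowering `file_count` below the threshold shows the kind of gap emulations are meant to expose: the TTP ran, the live system was never at risk, and the rule stayed silent.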
A foundational requirement underlying the TSA Pipeline Security Guidelines is ongoing risk monitoring and assessment. This process gives you a way to validate controls beyond the annual penetration test and third-party assessments.
The ONG industry needs to continuously test controls and fine tune security products protecting critical pipeline facilities and critical cyber assets. Securing the enterprise IT environment offers one level of validation. Running these same threat modeling processes against OT environments gives you a way to secure the entire infrastructure.
With SCYTHE, ONG organizations can meet security and compliance requirements by creating a holistic approach to risk management. With our platform, you can stand up a campaign in minutes, aligning it with real-world TTPs. This capability allows you to build threat intelligence into your continuous system testing and validation processes.
Threat actors looking to disrupt critical infrastructure will continue to attack fragile or sensitive OT devices. As ONG organizations look to secure beachhead products, they need security solutions that give them control over and visibility into vulnerabilities. With SCYTHE’s ADR solution, they can validate their technologies and processes for enhanced security.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.