Continuous monitoring of critical infrastructure absent from cyber executive order

The cybersecurity executive order issued by the Biden administration last week doesn’t require the relevant agencies to increase their visibility into critical infrastructure, a lingering weakness for the federal government, security experts told FedScoop.

When the May 7 ransomware attack on Colonial Pipeline Co. occurred, the Cybersecurity and Infrastructure Security Agency lacked any knowledge of the incident until it was notified by the FBI. While the new executive order gives the Office of Management and Budget 60 days to increase contractual threat and incident information-sharing requirements for service providers of operational technology (OT), both private sector companies and lawmakers expressed concerns following the attack that Department of Homeland Security agencies like CISA and the Transportation Security Administration aren’t doing enough to continuously monitor the cybersecurity of OT for pipelines and other critical infrastructure like the U.S. electric grid.

“Departments and agencies who have the responsibility for overseeing critical infrastructure often rely on information that is voluntarily shared,” Jake Olcott, vice president of government affairs at BitSight, told FedScoop. “And the infrequency of some of this data sharing contributes to a lack of broad situational awareness.”

A national response is needed, apart from the cyber executive order, establishing real-time data collection on the effectiveness of OT security controls, amount of malicious activity within systems and remediation of vulnerabilities at scale for every U.S. critical infrastructure company, Olcott said.

Advocacy group Protect Our Power meanwhile called for $22 billion during the next five years for funding power grid security and short-term vulnerabilities, in particular.

“The [Biden] administration has pledged to make further hardening our nation’s electric grid against cyberattacks a key part of comprehensive infrastructure legislation,” said Jim Cunningham, executive director of Protect Our Power, in a statement. “Timing is now more urgent than ever for the federal government, the utility industry and the states to come together and provide a national solution to address this looming national problem.”

BitSight rates organizations’ security performance by considering factors like malware infections, patching rates and vulnerabilities. The Boston-based cyber company evaluated the 2,000 largest U.S. oil and energy businesses and found 52% were performing below its “excellent” benchmark score of 750 as of April 30.

Those companies “may be at risk” for a hack similar to the one Colonial Pipeline fell prey to, and such incidents will only increase with time, Olcott said.

DHS holds lead authority for protecting critical infrastructure, in accordance with the Homeland Security Act of 2002, and within the department, TSA is the lead federal agency for transportation, hazardous material and pipeline security.

Because Colonial Pipeline shut down about 5,500 miles due to the ransomware attack, resulting in intermittent gas shortages in cities along its East Coast route, TSA is expected to respond.

“TSA will continue to work in close coordination with government and pipeline partners to evaluate the key factors garnered from the cyber incident and determine opportunities to reduce and mitigate risk across the sector,” said a TSA spokesperson.

The agency primarily handles pipeline security by reviewing pipeline operators’ security programs to ensure their cybersecurity measures comply with TSA Pipeline Security Guidelines. But TSA can’t require a private company to take action on its recommendations.

Data on high-risk corporate pipeline systems which underwent security reviews are reported quarterly to meet DHS and OMB performance reporting requirements, but such sensitive information isn’t made public.

Still, TSA’s point-in-time assessments don’t meet the federal need for continuous monitoring of all U.S. pipeline companies, Olcott said.

The Government Accountability Office in 2018 found TSA has “significant weaknesses” in its management of pipeline security and subsequently reviewed its process for updating cyber guidelines.

To date, TSA has completed seven of 10 GAO recommendations, including the complete revision of Section 5 of its Pipeline Security Guidelines regarding the identification of critical facilities. “A lack of clear definitions” caused one-third of the top 100 U.S. pipeline systems to report no such facilities previously, according to GAO.

Meanwhile, CISA’s National Risk Management Center and the Department of Energy also got involved in a 2019 effort to craft recommendations for increasing pipeline cybersecurity in coordination with industry, dubbed the Pipeline Cybersecurity Initiative.

“There’s so many different agencies out there that have partial responsibility for various sectors,” Olcott said. “And it’s led to confusion about roles and responsibilities and who’s supposed to have insight and what insights are available.”

TSA increased pipeline security staffing from six to 34 positions since 2018 across headquarters operations, policy and the field to advance its pipeline cybersecurity mission.

A 20-member Pipeline Security Assessment Team has field offices around the U.S. to conduct TSA’s operator assessments.

“Select PSAT staff have attended comprehensive cybersecurity training through Idaho National Labs in partnership with CISA and are undergoing additional cybersecurity training and certification in support of TSA’s expanding pipeline cybersecurity mission,” said the TSA spokesperson.