The Department of Energy is working with industry to craft recommendations in the next several months for increasing cybersecurity around pipeline critical infrastructure.
Private entities and key agencies formed a consortium over concerns industrial control systems (ICS) are increasingly being targeted by nation-states, hacktivists and advanced persistent threats, but such incidents aren’t being discussed.
Companies worry share prices will be impacted or they’ll become the target of even more attacks if they share the information, with the end result being that cyberthreats remain unclear, Jason Haward-Grau, chief information security officer at PAS Global LLC, told FedScoop.
“The first rule of cybersecurity fight club is you do not discuss cybersecurity fight club,” Haward-Grau said.
PAS Global, an ICS cybersecurity and operational technology (OT) company, is part of the consortium offering insight into the significant increase in European Union governmental regulation and oversight of critical infrastructure — given its European clientele. The EU had to wake up to threats faster, after the Ukraine power grid cyberattack in December 2016, with its network and information systems directive, Haward-Grau said.
While President Trump’s executive order on strengthening cybersecurity of critical infrastructure did something similar, the Government Accountability Office found in May that the Transportation Security Administration lacks a process for updating pipeline security guidelines.
TSA currently oversees the physical security and cybersecurity of more than 2.7 million miles of computerized, interstate pipeline systems transporting oil, natural gas and other hazardous products — making them “attractive targets for hackers and terrorists,” GAO reported.
“It is important for TSA to update its policies to reflect cybersecurity threat conditions, and establish a realistic cyber-attack response plan,” Tamara Anderson, a vice president and general counsel at PAS Global, said in a statement. “It’s also appropriate to question whether TSA continues to be the best agency to carry an appointment of responsibility for monitoring and securing our nation’s pipelines.”
That’s because pipelines don’t operate like transportation infrastructure and most running today provide energy in some shape or form, Haward-Grau said.
DOE, not TSA, is leading the consortium’s recommendation effort.
PAS Global developed a passive way to inventory IT and OT systems for its clients. A pipeline operator may only need to secure 500 IT devices, but on the OT side of the security equation there may be as many as 28,500 endpoints where digital meets physical infrastructure, Haward-Grau said.
Aside from being complex, the OT landscape is full of proprietary systems between 18 and 20 years of age on average — compared to IT systems that are replaced every three to five years. Air gapping doesn’t work like it used to, and hackers increasingly understand how ICS works, Haward-Grau said.
In 2014, hackers breached a large, German steel smelting plant when control engineers ordered a pizza from a contaminated website with the same credentials used to access their IT environments. The attackers poked around and, not understanding the OT system, accidentally triggered the shutdown of a blast furnace causing massive damage.
OT relies on independent layers of protection including alarms and a safety system, independent of the ICS, that shuts everything down safely as a last resort. But Triton malware has penetrated even that, Haward-Grau said.
Internet of Things devices are now being co-opted in distributed denial-of-service attacks as OT systems are increasingly digitized and connected to business systems wirelessly to save money. And more reliable fifth-generation wireless infrastructure is being installed across plants without security necessarily being considered.
“There’s a significant opening up of the attack surface,” Haward-Grau said.
The compromise of a target-rich OT environment means it can be ransomed, he added.
Unlike IT, where the priorities are confidentiality and system integrity, OT’s focuses are safety, reliability and resource availability. Design, management, and maintenance of ICS requires cyber skills not being taught to enough IT technicians because it means educating them on those differences, Haward-Grau said.
“There are about 2 million vacancies across the cyber landscape right now,” he said.