The new third version of the US TSA Security Directive Pipeline 2021-02C (SDP-2021-02C) is generally less specific than the first two versions, which is both good and bad.
Good: more general phrasing of requirements means operators can re-use existing cybersecurity investments to achieve security goals, instead of re-inventing their wheels the TSA way.
Bad: some of the security goals have been weakened, meaning the next time there is a serious pipeline incident, those weaker requirements will very likely be made stronger, triggering yet another round of expensive, emergency re-organization.
In this blog post we look at what is likely to change in the future and explore some “future-proofing” ideas for security programs.
A tip for reading the TSA documents: while the original SDP-2021-02 was confidential, a redacted version acquired via the US Freedom of Information act was published by the Washington Post. The TSA’s second version SDP-2021-02B appears to differ minimally from the original. The new 2021-02C has a lot of changes, but thankfully provides a useful Appendix. The Appendix maps the original 02B requirements into the corresponding new 02C requirements.
Abundance of Caution
When the IT network at Colonial Pipeline were impaired by ransomware, the pipeline was shut down in an “abundance of caution” and not because the OT network was in fact impaired by the ransomware. In the original TSA (02B.II.B.2.b) requirement, pipelines were to continue at necessary capacity even if IT systems are compromised. The corresponding new (02C.III.B.4) requirement, control systems must only be able to be isolated when the IT system is sufficiently compromised. “Isolated” is not the same as “running.” The next time a successfully isolated pipeline control system is shut down for an unacceptable length of time during an IT incident, we should expect the regulators of the day to update these requirements yet again.
A tip to owners and operators: a Unidirectional Security Gateways deployed as the sole pipeline IT/OT interface provides the benefits of permanent “isolation” (in TSA terms), while still enabling OT data to flow out to IT systems for business automation systems. With a gateway in place, even if the IT network is compromised by ransomware or some other threat actor, no attacks can flow back into physical operations to put those safety-critical operations at risk.
IT Dependencies
When the correct and continuous operation of OT systems and the pipeline depend on IT systems, then compromising the IT systems risks shutting down the pipeline. The TSA’s original (02B.II.B.2.b.i) and (ii) requirements demanded that IT/OT interdependencies be identified and addressed, so that IT compromise would not shut down the pipeline. The new requirements (02C.III.B) say that preventing disruption to OT as a goal, but the new (B.1.1) and (b) demand only that dependencies be documented and that measures be in place to isolate OT from IT in an emergency (02C.III.D.4). Again, the next time that a successfully isolated pipeline control system is shut down because critical IT services were compromised, we should expect new, stricter regulations to be imposed.
A tip to owners and operators: a Unidirectional Security Gateways deployed as the sole pipeline IT/OT interface makes IT dependencies crystal clear. If we want to keep the pipeline running through an IT outage, then really those IT systems that are critical to minute-by-minute operation of the pipeline should be managed and protected the same way that OT systems are managed protected. In fact, it will often make sense to duplicate critical IT systems in the OT environment – systems such as Active Directory and Anti-Virus servers. Such duplication behind an IT/OT Unidirectional Gateway is both more secure than having OT depend on IT services and is often less expensive than trying to apply OT management disciplines to these very important IT resources.
Attacks Targeting OT
The third way that modern ransomware and other attacks can impact physical operations is when they target OT systems directly. This is not what happened at Colonial, but attack tools and techniques continue to become more sophisticated. This kind of breach seems inevitable, sooner or later. When it happens, what will the regulator do? We have already seen the answer…
A tip to owners and operators: a Unidirectional Security Gateway deployed as the sole pipeline IT/OT interface is not physically able to propagate any attack from IT to OT networks. This is because all cyber-sabotage attacks are information. If no information can pass from IT back into OT networks through the gateway, no attacks can propagate either.
Conclusions
All cyber-sabotage attacks are information, and they will always be information. The only way a control system can change from an uncompromised to a compromised state is if attack information somehow enters the system. Sophisticated operators use the Secure Operations Technology methodology to physically control the flow of information and attacks into industrial systems. This is why national critical infrastructure regulations and best-practice guidance are increasingly demanding or strongly recommending unidirectional protections.
To unidirectionally-protected sites, it does not matter how sophisticated ransomware or even nation-state attacks become in the future. To a large extent, it does not matter how demanding new security requirements become either, as pipeline incidents inevitably continue. A future-proof security program anticipates the evolving threat environment rather than reacts time and again (in dismay) to new emergency directives.
Looking Deeper
For deeper insights into how Waterfall’s Unidirectional Gateways can improve security and reduce compliance costs, request a free copy of my latest book Secure Operations Technology.