American Oil and Gas Reporter - August 2021 - 77

Cybersecurity Still Looming Large
WASHINGTON-Citing an ongoing
cybersecurity threat to pipeline systems,
the U.S. Department of Homeland Security's
Transportation Security Administration
has issued a second security directive
that requires owners and operators
of TSA-designated critical pipelines that
transport hazardous liquids and natural
gas to implement a number of protections
against cyberattacks.
Around the same time that it announced
the new order, another DHS
agency also indicated that Chinese hackers
had targeted and breached U.S.
pipelines during the previous decade, a
report that warned midstream operators
to watch for cyberintrusions.
" The lives and livelihoods of the American
people depend on our collective
ability to protect our nation's critical infrastructure
from evolving threats, " emphasizes
Secretary of Homeland Security
Alejandro N. Mayorkas.
Symbolism Or Substance?
According to DHS, TSA's latest security
directive is the second one pertaining
to pipelines that has been released in
2021, and builds on an initial security directive
TSA issued in May 2021 following
the May 7 ransomware attack on the
Colonial Pipeline. That May security directive
requires critical pipeline owners
and operators to:
· Report confirmed and potential cybersecurity
incidents to CISA;
· Designate a cybersecurity coordinator
to be available 24 hours a day,
seven days a week;
· Review current practices; and
· Identify any gaps and related remediation
measures to address cyber-related
risks and report the results to TSA
and CISA within 30 days. (AOGR, June
2021, pg 29).
The department says its Cybersecurity
and Infrastructure Security Agency has
advised TSA on pipeline cybersecurity
threats, as well as technical countermeasures
to prevent those them, during the
development of this second security directive.
This security directive requires
TSA-designated critical pipelines to implement
specific mitigation measures to
protect against ransomware attacks and
other known threats to information technology
and operational technology systems,
develop and implement a cybersecurity
contingency and recovery plan,
and conduct a cybersecurity architecture
design review.
" Through this security directive, DHS
can better ensure the pipeline sector takes
the steps necessary to safeguard their operations
from rising cyberthreats, and
better protect our national and economic
security, " Mayorkas holds. " Public-private
partnerships are critical to the security of
every community across our country and
DHS will continue working closely with
our private sector partners to support
their operations and increase their cybersecurity
resilience. "
Unfortunately, some experts warn, although
the desire to improve security is
sound, DHS' latest move seems to provide
more symbolism than substance. That is
precisely the reaction of KnowBe4 security
specialist Roger Grimes, whose experience
includes more than three decades as a
computer security consultant, instructor,
and author of 10 books and more than
1,000 magazine articles on computer security.
According
to Grimes, the fact that
three decades of progressively tighter
regulation have been accompanied by a
progressively worsening problem suggests
another security directive is unlikely to
stem the tide of cyberthreats. " Anything
that gets us better secured is a good
thing. It will also likely not work, " he
assesses. " Why? Because it is hard to
be perfect and every organization is already
trying to do computer security
perfectly. Adding another requirement
on top of all the other requirements and
regulations overtop of what they already
know they should be doing is likely not
going to result in being significantly
more resilient to cyberattacks. It cannot
hurt, but it is not likely to be the final
nail in the coffin that defeats all malicious
hackers and malware. "
The best prevention, he suggests, is
to make it harder for malicious hackers
and malware to hide. " Hackers hack and
spread malware because they either cannot
be traced or cannot be arrested and punished
when caught, " he considers. " A
malicious hacker is more likely to be
struck by lightning, twice, than to get
arrested for hacking. We need to significantly
secure the Internet itself, to make
it more secure by default. We will stop
more bank robbers when we stop allowing
so many banks to be robbed and for all
the bank robbers to get away. There are
ways to make the Internet significantly
more secure. "
Chinese Intrusions
Meanwhile, CISA and the Federal Bureau
of Investigation issued a joint advisory
on July 20 that detailed a spearphishing
and intrusion campaign targeting U.S.
oil and gas pipeline companies that was
conducted by state-sponsored Chinese
actors that occurred from December 2011
to 2013.
According to CISA's report, it worked
with the FBI to provide incident response
and remediation support to victims of
the campaign. " Overall, the U.S. government
identified and tracked 23 U.S. natural
gas pipeline operators targeted from 2011
to 2013 in this spearphishing and intrusion
campaign, " it says. " Of the known targeted
entities, 13 were confirmed compromises,
three were near misses, and seven had an
unknown depth of intrusion. "
CISA goes on to indicate that the federal
government has attributed this activity
to Chinese state-sponsored actors. " CISA
and the FBI assess that these actors were
specifically targeting U.S. pipeline infrastructure
for the purpose of holding U.S.
pipeline infrastructure at risk, " the agency
says. " Additionally, CISA and the FBI
assess that this activity was ultimately
intended to help China develop cyberattack
capabilities against U.S. pipelines to physically
damage pipelines or disrupt pipeline
operations. "
The advisory provides information on
this campaign, including tactics, techniques
and procedures. The alert can be found
at https://us-cert.cisa.gov/ncas/alerts/aa21201a.
" CISA
and the FBI urge owners and
operators of energy sector and other
critical infrastructure networks to adopt
a heightened state of awareness and implement
the recommendations listed in
the mitigations section of this advisory,
which include implementing network segmentation
between IT and industrial control
system/operational technology networks, "
CISA says. " These mitigations
will improve a critical infrastructure entity's
defensive cyberposture and functional
resilience by reducing the risk of compromise
or severe operational degradation
if the system is compromised by malicious
cyber actors, including but not limited to
actors associated with the campaign described
in this advisory. "
More information on Chinese malicious
cyber activity can be found at uscert.cisa.gov/china.
Coming
In September
The latest in oil and gas issues.
AUGUST 2021 77
❒
https://us-cert.cisa.gov/ncas/alerts/aa21-201a https://us-cert.cisa.gov/ncas/alerts/aa21-201a https://us-cert.cisa.gov/china https://us-cert.cisa.gov/china
American Oil and Gas Reporter - August 2021

Table of Contents for the Digital Edition of American Oil and Gas Reporter - August 2021
