There have long been indicators the pipeline industry’s cybersecurity was under-policed and vulnerable.
Ransomware may push Section 230 and other tech topics from the headlines. The White House and agencies are moving to address what is now obviously a major threat to United States (U.S.) critical cyber infrastructure. Moreover, the U.S. has identified the criminal culprit but does not see a direct link to Russia.
The Biden Administration’s focus on the Colonial Pipeline ransomware attack is helping the company get its systems sorted so the fuel can flow and the economy will not be affected. However, the United States (U.S.) government appears to accept the status quo in that private companies that control critical infrastructure are largely left to their own devices in securing their systems. None of the White House’s utterances suggest any proposed changes to the current model. Nonetheless, the confused jurisdiction over pipelines and one agency’s minimal cybersecurity oversight may be addressed.
However, there is a lengthy history of the U.S. government neglecting the cybersecurity of pipelines with the agency charged with this responsibility admitting recently it lacks the workforce and technical capabilities to oversee the sector. It is not clear how the administration and Congress will address this situation, but to the extent there is action, it will almost certainly come in the form of more funding as opposed to more authority.
On 11 May, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a Joint Cybersecurity Advisory (CSA) “on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.” The day before CISA and the FBI issued the joint CSA, the FBI confirmed what media outlets had been reporting: DarkSide was responsible for the ransomware. On 9 May, the Associated Press was quoting “two people close to the investigation” who claimed “[t]he cyberextortion attempt that has forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang known as DarkSide that cultivates a Robin Hood image of stealing from corporations and giving a cut to charity.”
Not much is known publicly about DarkSide except that the organization seems to be based in Eastern Europe or more likely Russia given that it has conspicuously not attacked Russia, Ukraine, or Kazakhstan. The organization may be allied or affiliated with Moscow, or it may be that the Russian Federation looks the other way on their activities. However, there are no indications thus far that DarkSide acted at the behest of the Putin regime. Nonetheless, the organization has posted on its website data from more than 80 companies in Europe and the U.S. that opted not to pay the demanded ransom after their systems had been infected. However, it may have been a mistake or miscalculation that DarkSide’s ransomware was used against a major U.S. target, for as a security expert opined: “[i]t’s not good for business for them when the U.S. government becomes involved, when the FBI becomes involved.”
The Biden Administration seems to think the organization has ties to Russia but is not operating at the behest of the government. President Joe Biden remarked at a 10 May press conference:
And so far, there is no evidence based on — from our intelligence people that Russia is involved. Although there is evidence that the actors — ransomware — is in Russia. They have some responsibility to deal with this.
Biden also said he would bring up the matter with Russian President Vladimir Putin when they meet for a summit, possibly this summer. Presumably, should the U.S. government find sufficient Russian involvement or complicity, further sanctions could be levied on Moscow. What is more likely is the U.S. Departments of Justice and Treasury will act using their authority to indict and sanction members of DarkSide.
Biden opened the press conference that was ostensibly on the economy with reassurance that his government is focused on the Colonial Pipeline ransomware attack, taking a range of actions to manage and mitigate its effects. He conceded that much of the U.S. critical infrastructure is in private hands, leaving his administration only the power of persuasion to better protect critical infrastructure:
My administration is also committed to safeguarding our critical infrastructure, which — much of which is privately owned and managed, like Colonial. Private entities are making their own determination on cybersecurity.
So to jumpstart greater private-sector investment in cybersecurity, we launched a new public-private initiative in April. It begins with a 100-day sprint to improve cybersecurity in the electric sector, and we’ll follow that with similar initiatives in natural gas pipelines, water, and other sectors.
In addition to companies stepping up, we need to invest to safeguard our critical infrastructure. That’s one of the many things my American Jobs Plan is designed to do.
In the last sentence quoted above, Biden, of course, tied the current crisis to his infrastructure proposal, the American Jobs Plan, even though none of the publicly available materials outright call for funding to address cybersecurity. However, in a $2 trillion package, and based on what has been made public, it is easy to imagine funding being steered to key agencies to address cybersecurity and technological gaps.
And, Biden is not the only administration official saying ransomware is now a top priority. On 9 May, Secretary of Commerce Gina Raimondo remarked during a television interview:
This is what businesses now have to worry about, and I will be working very closely with [Secretary of Homeland Security] Ali (sic) Mayorkas on this. It’s a top priority for the administration. Unfortunately, these sorts of attacks are becoming more frequent. They’re here to stay and we have to work in partnership with businesses to secure- secure networks, to defend ourselves against these attacks.
It is telling that the Biden Administration’s response is doubling or tripling down on the approach the three previous administrations have pursued. There is no hint that the White House could ask Congress to give it more power to issue binding cybersecurity standards, the same way the regulators that oversee the U.S. electric grid can. Moreover, the Administration is not even making noise about cleaning up jurisdictional lines of oversight over the pipeline industry.
The U.S. government’s hands are tied with respect to ransomware generally and to cyber-attacks on pipelines. U.S. agency jurisdiction over oil and gas pipelines is split between the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) and the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA), with the latter being charged with the security of pipelines even though its main focus and the area that receives most of its resources is aviation security.
Additionally, it has been clear for some time that the pipeline sector was lightly overseen and quite possibly vulnerable to nation-states, terrorists, or criminals waging a cyber-attack. In December 2018, the Government Accountability Office (GAO) detailed the TSA’s challenges in overseeing pipeline cybersecurity and concluded:
- To help ensure the safety of our pipelines throughout the nation, it is important for TSA to address weaknesses in the management of its pipeline security program. TSA’s Pipeline Security Branch revised its security guidelines in March 2018 to, among other things, reflect the dynamic threat environment and incorporate NIST’s Cybersecurity Framework cybersecurity principles and practices. However, without a documented process defining how frequently TSA is to review and, if deemed necessary, revise its guidelines, TSA cannot ensure that its guidelines reflect the latest known standards and best practices for physical and cybersecurity, or address the persistent and dynamic security threat environment currently facing the nation’s pipeline system. Further, without clearly defined criteria for determining pipeline facilities’ criticality, TSA cannot ensure that pipeline operators are applying guidance uniformly and that all of the critical facilities across the pipeline sector have been identified; or that their vulnerabilities have been identified and addressed.
- TSA could improve its ability to conduct pipeline security reviews and the means that it uses to prioritize which pipeline systems to review based on their relative risk ranking. Establishing a strategic workforce plan could help TSA ensure that it has identified the necessary skills, competencies, and staffing allocations that the Pipeline Security Branch needs to carry out its responsibilities, including conducting security reviews of critical pipeline companies and facilities, as well as their cybersecurity posture. Better considering threat, vulnerability, and consequence elements in its risk assessment and incorporating an independent, external peer review in its process would provide more assurance that the Pipeline Security Branch ranks relative risk among pipeline systems using comprehensive and accurate data and methods.
- TSA could also improve its ability to assess the extent to which the Pipeline Security Branch has met its goals. Taking steps to ensure that the pipeline security program performance measures exhibit key attributes of successful performance measures could allow TSA to better assess the program’s effectiveness at reducing pipeline physical and cybersecurity risks. Without current, complete, and accurate information, it is difficult for TSA to evaluate the performance of the pipeline security program. By monitoring and recording the status of CSR recommendations, developing written documentation of its data entry and verification procedures and electronic safeguards, and improving the quality of its pipeline security program data, TSA could better ensure it has the information necessary to effectively monitor pipeline operators’ progress in improving their security posture, and evaluate its pipeline security program’s effectiveness in reducing security risks to pipelines. Until TSA monitors and records the status of these reviews’ recommendations, it will be hindered in its efforts to determine whether its recommendations are leading to significant reduction in risk
The GAO seems to be describing an agency lacking a full understanding of the industry it is overseeing and all the threats facing the industry.
Before the GAO issued its report in 2018, TSA published guidance to help the owners and operators of pipelines with its “Pipeline Security Guidelines,” and the agency stated:
The security measures in this guidance provide the basis for TSA’s Pipeline Security Program Corporate Security Reviews and Critical Facility Security Reviews. This document is guidance and does not impose requirements on any person or company. The term “should” means that TSA recommends the actions described. Nothing in this document shall supersede Federal statutory or regulatory requirements.
Note TSA stressed that the guidance document “does not impose requirements on any person or company,” meaning pipeline operators would be free to disregard its recommendations and best practices, in whole or part, without much in the way of penalty.
Moreover, TSA knew it lacked the resources to police the cybersecurity of pipelines and let Congress know, too. In its detailed budget justification documents for FY 2021, TSA explained:
- Cybersecurity is a high priority across the DHS and within TSA. In 2018, DHS developed a Department-wide cybersecurity strategy and accompanying implementation plan, and TSA also developed an agency-level strategy and plan, both of which focus on key priorities and initiatives, mission objectives, and plans of action and milestones. In a Department-led effort focusing on non-Federal external-facing cybersecurity initiatives, TSA reviewed its baseline efforts within Operations, Analysis, and Situational Awareness; Engagement and Training; and Enabling Capabilities.
- TSA identified minimal baseline resources currently dedicated to the high-priority mission space, allowing for very limited risk and threat analysis, engagement, training, and development efforts across the various transportation modes. For example, in most instances, the baseline personnel identified are not fully dedicated to, nor are they experts on, external-facing cybersecurity initiatives, taking on responsibilities on an as-needed basis. Specifically, TSA has three intelligence analysts focused on cybersecurity threats; two employees who focus on cybersecurity industry engagement and regulatory policy analysis as collateral duties, for a total of one FTE; and one employee focused on cybersecurity policy coordination across the TSA enterprise, along with DHS and the National Security Council.
- TSA received one-time funding in FY 2020 Enacted in the amount of $8.4 million in support of cybersecurity pipeline field assessments. This funding will provide TSA the ability to contract for cyber security assessments on pipeline sector networks. With the $8.4M, Corporate Security Reviews (CSRs), which include a corporate cybersecurity assessment, are planned to be conducted on 86 pipeline companies who operate the top 200 pipeline systems in the Nation. TSA has also partnered with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Risk Management Center to conduct Validated Architecture Design Review (VADR) cybersecurity assessments at critical pipeline companies. The funding provided will allow TSA to conduct additional cybersecurity assessments in FY 2020, analyze the results of those assessments, and provide guidance on best practices and mitigation measures to pipeline stakeholders. This $8.4M is non-recurring. In FY 2021, TSA requires an additional 26 positions, 15 FTE, and $4.1M to implement a Cyber Security program for all transportation modes. These changes result in the FY 2021 request reflecting additional staffing requirements against a decreased program change amount.
- In order to establish a baseline capability and bolster efforts to address known cyber risks and vulnerabilities, and in accordance with DHS and TSA strategies, TSA is requesting resources in FY 2021 to establish dedicated positions and provide resources to focus on improving its security posture in the external-facing cybersecurity mission space. To meet the specific objectives in the DHS Cyber Implementation Plan, TSA will leverage CISA guidance and assessments to conduct further mode-specific research and identify mechanisms to obtain current Transportation Sector stakeholder cybersecurity measures; determine gaps in these measures; and work with the National Risk Management Center and other DHS Components to develop a prioritized list of cyber risks to Transportation Systems Sector (TSS) stakeholders (Aviation & Surface Transportation). TSA, in coordination with CISA, launched the Pipeline Cybersecurity Initiative with the goal of building upon the expanded cyber security measures in the recently updated Pipeline Security Guidelines and to minimize the consequences of an attack or disruption. TSA will utilize the additional resources to build resilience to prevent, respond, and recover from a cybersecurity-related incident within the Pipeline Sector. Additionally, TSA will launch a policy initiative to incorporate cyber standards into Standard Security Programs, requiring regulated parties to meet these standards where Aviation Sector systems would be at risk and the impact of a cyber-disruption to the sector would be significant.
In the above excerpt, TSA admitted it has “minimal baseline resources currently dedicated to the high-priority mission space,” which, it should be noted, includes aviation and mass transit cybersecurity. Therefore, those areas may be at least as vulnerable as Colonial Pipeline’s networks appear to have been. But to be fair, perhaps Colonial’s competitors take cybersecurity very seriously and repelled DarkSide’s attempts to sic its ransomware on them. At this point, this is not clear. But what is evident is that TSA recognized it lacked proper resources for cybersecurity oversight.
TSA asked for a bit more than $4 million for FY 2021 for a cybersecurity program to follow the $8.4 million Congress gave the agency in FY 2021 for these programs. TSA noted these latter funds were to be used for Corporate Security Reviews (CSR) of “pipeline sector networks” “to be conducted on 86 pipeline companies who operate the top 200 pipeline systems in the Nation.” There has been no public indication these reviews occurred or what they turned up. Nonetheless, TSA would only “provide guidance on best practices and mitigation measures to pipeline stakeholders” based on the CSRs.
In any event, in the FY 2021 omnibus, Congress granted TSA’s request for funding “to continue field assessments to identify pipeline cybersecurity gaps” with $4.25 million in funding.
Further demonstrating the fractured oversight of pipeline cybersecurity, DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has an initiative to help pipeline operators and owners secure their systems. CISA, “through the National Risk Management Center (NRMC), is managing the Pipeline Cybersecurity Initiative (PCI), by leveraging expertise from government and private partners to identify and address cybersecurity risks to enhance the security and resiliency of the Nation’s pipeline infrastructure.” CISA explained:
In October 2018, the U.S. DHS created the PCI and charged CISA with addressing cybersecurity risks to the Nation’s pipeline infrastructure—with a focus on oil and natural gas (ONG) pipelines. CISA is working to help pipeline owners and operators prepare for, respond to, and mitigate significant cyber events. Three primary functions of the PCI include:
- Assessing the cybersecurity posture and preparedness of pipeline companies to identify significant vulnerabilities that increase the risk to key systems and reliable operations;
- Analyzing assessment findings to develop risk mitigation strategies and informational tools that companies may use to address the identified risks; and
- Engaging with interagency partners and industry stakeholders to share information, raise awareness of critical issues, and inform pipeline cybersecurity activities.
Across these three functions, CISA is working with stakeholders—the TSA, National Laboratories, and federal and industry partners—to foster stronger relationships with pipeline owners and operators. This holistic collaboration provides a platform to share information and expertise on pipeline vulnerabilities and risks and coordinate the development of actionable risk mitigation strategies and security measures.
In a press release from October 2018, then National Protection and Programs Directorate (NPPD) (CISA’s forerunner) Under Secretary Christopher Krebs stated:
This meeting was a key milestone in the partnership between the federal government and the oil and natural gas industry, as we launched the pipeline cybersecurity initiative that partners DHS NPPD cybersecurity resources, DOE’s energy sector expertise, with TSA’s regular and ongoing assessments of pipeline security to get a broader understanding of the risks the sector faces. Collaborative efforts like this allow us to better understand the threat landscape and direct more targeted and prioritized risk management activities. We look forward to continuing these important meetings with the other critical infrastructure sectors across the country.
Krebs’ statement from two and a half years ago suggests a key agency that lacks basic knowledge about the cyber posture of the pipeline sector. Perhaps that has changed, but in an 11 May hearing, the acting CISA head revealed the agency learned of the attack from the Federal Bureau of Investigation and not Colonial Pipeline.
To no great surprise, some stakeholders in Congress have proposed, or reproposed, legislation to address cyber standards in the pipeline industry and other energy sectors. The House Energy and Commerce Committee noted four bipartisan bills it is reintroducing:
- Reintroduced yesterday, the Pipeline and LNG Facility Cybersecurity Preparedness Act, led by Fred Upton (R-MI) and Bobby Rush (D-IL), will strengthen the Department of Energy’s ability to respond to physical and cybersecurity threats to our nation’s pipelines and LNG facilities;
- Reintroduced yesterday, the Energy Emergency Leadership Act, led by Bobby Rush (D-IL) and Tim Walberg (R-MI), will help elevate energy emergency and cybersecurity responsibilities as a core function for the Department of Energy;
- Reintroduced April 30, the Cyber Sense Act and the Enhancing Grid Security through Public-Private Partnerships Act, led by Bob Latta (R-OH) and Jerry McNerney (D-CA), will bolster U.S. electric infrastructure by encouraging coordination between the Department of Energy and electric utilities;
- Reintroduced April 30, the Enhancing Grid Security through Public Private Partnerships Act, led by Jerry McNerney (D-CA) and Bob Latta (R-OH), directs the Secretary of Energy, in consultation with States, other Federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cyber security of electric utilities.
Finally, as noted earlier, Congress has given authority to regulators to establish and oversee mandatory cybersecurity standards. For example, the Energy Policy Act of 2005 (Energy Policy Act) gave the Federal Energy Regulatory Commission (FERC) such power, and as they explained:
The North American Electric Reliability Corporation (NERC), which FERC has certified as the nation’s Electric Reliability Organization, developed Critical Infrastructure Protection (CIP) cyber security reliability standards. On January 18, 2008, the Commission issued Order No. 706, the Final Rule approving the CIP reliability standards, while concurrently directing NERC to develop significant modifications addressing specific concerns.
Additionally, the electric industry is incorporating information technology (IT) systems into its operations – commonly referred to as smart grid – as part of nationwide efforts to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of service. To address this concern, the Energy Independence and Security Act of 2007 (EISA) gave FERC and the National Institute of Standards and Technology (NIST) responsibilities related to coordinating the development and adoption of smart grid guidelines and standards.
However, FERC cannot propose cybersecurity standards and can only evaluate those NERC has drafted, including sending them back to be redrafted.
Congress also bestowed authority on the Secretary of Energy in the “Fixing America’s Surface Transportation Act” (the FAST Act) (P.L. 114-94) to issue binding orders to electric utilities during grid security emergencies, which includes cyber attacks. In 2018, the Department of Energy issued final regulations on how this system would operate. If similar authority existed with respect to pipelines, the U.S. government would have been able to step in more forcefully.
At present, neither the Biden Administration nor Members of Congress are calling for similar authority to be given to an agency in the U.S. government.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.