Following the Colonial Pipeline hack — one of the highest-profile attacks against US critical infrastructure to date — in 2021, the Department of Homeland Security's Transportation Security Administration (TSA) released two unprecedented Security Directives, requiring owners and operators of gas and liquid pipelines to implement strict new protections against cyberattacks.
On July 21, the TSA released an update to these directives, doubling down on its efforts to ensure better protection for energy infrastructure nationwide. In particular, it has emphasized the need for access control, credential management, and the use of "compensating controls" to allow pipeline operators to embrace the latest innovations in how they protect critical systems.
While the update represents another step toward better protection for the oil and gas industry, it's important to understand that the guidelines alone aren't the only factors influencing the security postures of critical infrastructure. Pipeline operators have already been acting; in our work with some of the largest TSA-regulated energy companies in North America, we've witnessed a fundamental, positive shift in their approaches to cybersecurity, especially over the past year.
Three Cybersecurity Motivators
Three major factors beyond government pressure stand out as being key motivations behind the acceleration of operators' adoption plans.
1. Today's threat landscape is progressively worsening. Regulations don't happen in a vacuum. Today, our threat landscape has grown more dangerous than ever. In the past two years, we've seen countless cyberattacks on critical infrastructure, including hacks on meat processor JBS and the water treatment facility in Oldsmar, Fla. Furthermore, attackers are increasingly targeting the companies that make up the backbone of the United States' supply chain and society at large: oil and gas pipelines, manufacturing plants, food processors, water suppliers, and more.
These threats are only going to grow in severity. This is due in large part to the growth of ransomware-as-a-service (RaaS), heightened collaboration between RaaS and other cybercriminal groups such as access brokers, and a troubling uptick in Russian and other state-sponsored cyber threats targeting US critical infrastructure. Government regulations aside, no operator that we've come across has been able to ignore these growing risks — or wants to try their luck against these hackers without adequate protective measures.
2. Digitization is exposing new and dangerous vulnerabilities. While attacks increase, the digitization of operations is bringing new vulnerabilities to light. On-site equipment such as programmable logic controllers (PLCs), SCADA systems, distributed control systems, and Internet of Things (IoT) devices are increasingly being accessed remotely, creating a porous perimeter that hackers can easily penetrate. This trend was only exacerbated as businesses pivoted to remote work during the pandemic. Now, operators are dealing with a significantly expanded attack surface.
Several components of the TSA's new guidelines reinforce what we already knew to be true: specifically, the importance of recognizing and mitigating these digitization-driven vulnerabilities. The requirements reaffirm the need to control the interconnection of operational technology (OT), IT, and even cloud by securing the digital conduits that connect the different zones and applications. The new TSA guidelines also deepen the requirements for "compensating measures" to protect access to critical systems, many of which have limited built-in security. These protections are so important to prevent an attacker being able to progress from zone to zone, or system to system, in the event of an initial network breach.
3. Better security is no longer just defensive; it's also the catalyst for greater digital transformation. Beyond the necessity of protecting against attacks, operators have begun to realize that an advanced security strategy is capable of catalyzing an accelerated digital transformation — and this has catapulted them into implementing better protective measures.
It's widely understood that a zero-trust security architecture, as defined by the National Institute of Standards in Technology (NIST), is the best approach for protecting operations from threats. The heart of this strategy requires every asset, machine, or data source to have its own identity, with interactions between them being controlled by policy authorizations. Once such a model is achieved, benefits beyond airtight security immediately become clear.
For instance, critical infrastructure cybersecurity leaders reportedly cite, in a study commissioned by Xage (registration required), improved user experience, more efficient operations, and the ability to save time or money as top benefits to adopting zero trust. What's more, with every element of the operation digitized and secured, teams can share sensitive data with one another quickly and easily, and partners can tap into appropriate data sources to better collaborate and drive new types of value across the supply chain. The result is not only defense, but also greater efficiency, collaboration, and business innovation.
Regulations Are Important, but They're Not a Silver Bullet
The TSA's original Security Directives, coupled with the recent updates, represent a crucial catalyst in helping operators implement better protective measures; still, they're not the only factors driving progress. A worsening threat landscape, increased digitization, and the long-term positive effects of modern security strategies are all pushing critical infrastructure operators to do better. We're pleased to see the new requirements reaffirm what we know to be best practices for security, and we're confident that critical infrastructure protection will continue moving in the right direction.