The US Transportation Security Administration (TSA) Tuesday issued a directive requiring oil pipeline operators to implement specific measures to protect against ransomware and other threats to their business and operational technology (OT) networks.

The directive is the TSA's second for oil pipeline operators in the last two months and is a sign of the heightened concerns over critical cyber vulnerabilities in US oil and gas infrastructure following the crippling ransomware attack on Colonial Pipeline in May. That attack — attributed to a Russia-linked group called DarkSide — shut down some 5,500 miles of pipeline and caused temporary oil shortages across large parts of the US eastern and southern coasts.

The new directive from the TSA also appears linked to growing concerns about the threat to US critical infrastructure from cyber-threat groups backed by the Chinese government. Just this week, the Biden White House publicly accused China's Ministry of State Security (MSS) of using criminal hackers to carry out cyber-espionage campaigns and destructive attacks against US commercial, government, and critical infrastructure targets.

And on Tuesday —timed with the TSA advisory — the US Cybersecurity and Infrastructure Agency (CISA) issued an alert on a Chinese spear-phishing and cyber-intrusion campaign between 2011 and 2013 that targeted 23 US gas pipeline operators. Thirteen of those organizations were compromised, three had near misses, and eight of them experienced an "unknown depth of intrusion," CISA said. Its alert provided technical details and indicators of compromise about the tactics, techniques, and procedures (TTPs) that the Chinese threat actors used in that campaign and mitigation measures against them.

"CISA and FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations," the CISA advisory noted.

The Department of Homeland Security — of which the TSA is a part — did not offer specifics of the new requirements announced this week for pipeline operators. In a statement, the agency described the directive as aimed at "owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas." These entities will now be required to implement specific mitigation measures against ransomware attacks and other known threats to their IT and OT networks. They will also be required to implement a contingency and recovery plan for cyberattacks and conduct a security architecture review. TSA's first directive in May required pipeline operators to report all cyberattacks, bolster incident response capabilities, conduct a threat assessment, and develop a cybersecurity plan based on the results of that review.

The DHS said the latest requirements were drafted based on input from CISA about cyber threats to the pipeline industry and the technical measures for countering them.

Old TTPs Still Effective

CISA meanwhile described its advisory today as a reminder of the TTPs that Chinese threat actors had used in their 2011–2013 campaign to break into oil pipeline companies. The agency said it had provided information on the indicators of compromise only for "historical awareness" purposes. But "the TTPs remain relevant to help network defenders protect against intrusions," CISA said.

According to CISA, China government-backed threat actors carried out the 2011–2013 attacks with the specific purpose of gaining and maintaining access on business and OT networks belonging to pipeline operators and owners. The goal was not intellectual property theft or financial gain. Rather, the motive was to maintain a presence on these networks for future cyberattack purposes.

The attackers used sophisticated spear-phishing and other social engineering tactics to try and extract valuable information — including details about security settings and configurations — from asset owners and operators. In one attack, a threat actor posed as an employee for a large computer security firm and repeatedly called individuals in the network engineering department to get information about the pipeline operator's security practices. In several instances, the attackers successfully obtained and exfiltrated information such as personnel lists, login credentials, dial-up access information, system manuals, and data on industrial control and SCADA systems. Often "China was successful in accessing the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies," CISA said.

Jonathan Couch, senior vice president of strategy at ThreatQuotient, worked an incident response with an oil and gas pipeline operator at the time of the Chinese campaign. "We found that the Chinese had been in the network since 2007 and had updated their malware in 2009, 2011, and then finally again in 2013," Couch says. "We joked at the time that they were like Windows Update with their malware — sending out a new copy whenever something new was available."

Chinese actors present an extremely dangerous threat to pipeline operators and other critical infrastructure operator, he says. The adversary knows how to get into OT networks and making their jobs easier is the outdated nature of the technology in many of the targeted organizations. As one example, he points to a reference in the CISA alert about the continued prevalence of dial-up modems in the energy sector that often provide direct access to OT networks. "Most operators have updated their networks so dial-up isn't used as much," Couch says. "But they replaced it with Internet-accessible technologies like remote desktop protocol (RDP)," which are easy to exploit, he says.

Ron Brash, director of cybersecurity insights at security company Verve, says CISA's alert this week about a Chinese campaign from years ago suggests that little has changed since then. "From an attacker’s perspective — why would I try another completely new strategy or set of tooling if the last one worked, and the world really hasn’t gotten much better?" he says.

As the Colonial Pipeline shutdown showed, US oil and natural gas pipelines are not prepared to deal with modern threats such as ransomware. Brash adds: "Most operators do not have enough visibility into these environments, much less tooling to deal with a threat."