At a glance.
- Why CISA thinks ICS attacks are a risk.
- TSA issues new pipeline security guidelines.
- Why US and EU law enforcement agencies are wary of Pegasus.
Grounds in recent history for expecting industrial control systems attacks.
As we’ve seen, the Cybersecurity and Infrastructure Security Agency (CISA) has its sights set on critical infrastructure, calling threats to industrial control systems (ICS) one of “the most significant and growing issues confronting our Nation.” In addition to reporting incidents, the Agency encourages stakeholders to review six relevant alerts and advisories, and to enact the following mitigations:
- “Harden the IT/corporate network”
- “Implement and ensure robust network segmentation between IT and ICS networks”
- “Implement perimeter security between network segments”
- “Maintain an ICS asset inventory”
- “Ensure robust physical security”
- “Regularly test manual controls”
- “Manage the supply chain”
- “Implement regular, frequent data backup”
- “Implement a user training program”
The above measures were initially recommended to combat a 2011-2013 Chinese offensive against twenty-three oil and gas firms, where the goal was refining tactics for disrupting pipelines.
The historical perspective the advisory provides is interesting in that it draws attention to attacks unambiguously attributed to nation-states, specifically China, Iran, and Russia:
- "Joint CISA-FBI Cybersecurity Advisory (CSA): AA21-201A: Gas Pipeline Intrusion Campaign, 2011-2013 Note: CISA released the initial version of this publication to affected stakeholders in 2012." Attributed to China.
- "ICS Joint Security Awareness Report: JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B)." Attributed to Iran.
- "ICS Advisory: ICSA-14-178-01: ICS Focused Malware – Havex." Attributed to Russia.
- "ICS Alert: ICS-ALERT-14-281-01E: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)." Attributed to Russia.
- "ICS Alert: IR-ALERT-H-16-056-01: Cyber-Attack Against Ukrainian Critical Infrastructure." Attributed to Russia.
- "Technical Alert: TA17-163A: CrashOverride Malware." Attributed to Russia.
TSA announces new pipeline security guidelines.
The Transportation Security Administration (TSA) yesterday released another Security Directive, formulated under CISA’s tutelage, that requires critical pipeline owners and operators to devise a disaster plan, run a security architecture assessment, and execute certain mitigations. TSA’s first Directive arrived in May of this year.
Roger Grimes, data-driven defense evangelist at KnowBe4, sees the regulations as steps in the right direction, but ones that probably won't take the industry very far toward security. Cyber conflict is a human problem, like war itself, and not easily solved by technical or regulatory means:
"This is good news. Anything that gets us better secured is a good thing. It will also likely not work. Why? Because it is hard to be perfect and every organization is already trying to do computer security perfectly. Adding another requirement on top of all the other requirements and regulations overtop of what they already know they should be doing is likely not going to result in being significantly more resilient to cyber attacks. It cannot hurt...but it is not likely to be the final nail in the coffin that defeats all malicious hackers and malware.
"Well, what then will it take? For one, we need to make it harder for malicious hackers and malware to hide. Hackers hack and spread malware because they either cannot be traced or cannot be arrested and punished when caught. A malicious hacker is more likely to be struck by lightning, twice, than to get arrested for hacking. We need to significantly secure the internet itself, to make it more secure by default. We will stop more bank robbers when we stop allowing so many banks to be robbed and for all the bank robbers to get away. There are ways to make the internet significantly more secure. I have written on this topic for decades and recently re-submitted plans for how to do so to CISA and other internet security groups. We have the technology. We do not have to re-invent the wheel. We just need the right people in the same room and a true willingness to solve the problem.
"I do not want to undersell how hard it is to get people to agree on anything, much less how to fix the internet. But it is not a technical problem. It is a sociological problem...it is a human problem. One day, some digital 9/11-type event will happen to the internet, and when it does, enough enemies and competitors will come together against a common foe that we actually get the support to push the new technology. The technology is there. We are just waiting for agreement. Until we get a far more secure internet and global agreement on digital crimes, we will fight malicious hackers and malware. One more regulation on an industry is not going to change the problem. How do I know? Because we have had three decades of increased regulation and the problem is only getting worse each year."
Still, it's a valuable exercise, but not one that will, in Grimes' view, amount to a panacea.
We also heard from Saryu Nayyar, CEO of Gurucul, who cautions that last month's attack on Colonial Pipeline won't be the last any more than it was the first:
"As a result, the TSA is mandating protections against pipelines and other types of infrastructure for ransomware and other similar attacks. This directive by the Federal government is long overdue and represents an acknowledgement of the vulnerabilities of our infrastructure to weaknesses in such areas as pipelines, power plants and other utilities, and transmission networks. Although these industrial systems have become increasingly automated, the designers have not given proper attention to protecting their networks from attacks. While no large-scale network is completely safe, infrastructure providers have to do more, including monitoring their networks for unauthorized traffic, and having systems in place to understand and investigate anomalous traffic behavior."
And Doug Britton, CEO of Haystack Solutions, sees a convergence of cyberspace and kinetic space:
“This is a stark reminder that we are entering a new era where threats are moving from atoms to bits. The digital world is inextricably linked to our physical infrastructure and threats will be an ever-present element of operating in this new normal. It is time to make important and much needed investment in our cyber workforce, a critical element in protecting our infrastructure. We have the tools to find the talent we need, but we need to get them in place before more of these attacks erode trust in critical systems we all rely on.”
Why US and European agencies have tended not to buy Pegasus.
The Washington Post says EU and US officials steer clear of NSO Group’s products, despite the firm’s “best-in-class” status, due to security risks stemming from suspected backchannels to Israeli intelligence. Israel and NSO deny that any such access comes with NSO's lawful intercept tools.