At a glance.
- CSAC members announced.
- Curbing illicit cryptocurrency transactions.
- Comment on proposed pipeline security standards.
CISA announces members of new advisory committee.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the names and biographies of the first twenty-three members of the Cybersecurity Advisory Committee (CSAC). The mission of the committee, composed of top US cybersecurity experts, is to “advise, consult with, report, and make recommendations to CISA on the development, refinement, and implementation of policies, programs, planning, and training pertaining to CISA’s cybersecurity mission.” The members have experience in various critical infrastructure sectors, each bringing a unique perspective, and subcommittees will be established to address specific issues like information exchange and risk management. Though twenty-three members have been selected at this time, CISA director Jen Easterly has the authority to appoint up to thirty-five members to the committee.
OFAC’s efforts to curb illicit cryptocurrency transactions.
Security Intelligence reports that the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued its first sanction on a virtual currency exchange, the SUEX cryptocurrency marketplace. The SUEX platform was found to be frequented by ransomware hackers, with 40% of its transactions involving cybercriminals. “Some virtual currency exchanges are exploited by malicious actors, but others, as is the case with SUEX, facilitate illicit activities for their own illicit gains,” OFAC explained.
The move is just one step in a wider effort to improve the security of cryptocurrency and disrupt criminal activities linked to virtual currency. In pursuit of this goal, OFAC also updated an advisory under a crypto-security sanctions program regarding its designation of malicious digital attackers, highlighting the Treasury Department’s power to impose penalties based strictly on liability, regardless of whether the individual is aware they have broken the law.
On October 5 Senator Elizabeth Warren and Representative Deborah Ross introduced the Ransom Disclosure Act, which would require victims of ransomware attacks to disclose any ransom payments within forty-eight hours; the measure matters because ransomware payments are typically requested in bitcoin. The Treasury Department’s Financial Crimes Enforcement Network analyzed nearly two hundred virtual currency addresses used for ransomware payments in 2021 and found $5.2 billion worth of bitcoin transactions tied to ransomware, many of them linked to the notorious REvil/Sodinokibi ransomware gang.
Comment on proposed cyber standards for pipelines.
Eric Byres, P.Eng, ISA Fellow and CTO at aDolus Technology Inc., wrote that "With bad press comes bad regulations." He takes a poor view of TSA's regulatory track record, and draws particular attention to the way a successful attack on a business system led to what he regards as misplaced regulation of operational technology systems:
“The government agency currently regulating pipelines, the Transportation Security Administration, or TSA, has not performed well when it comes to cyber security. Consider the Colonial Pipeline incident. On May 7th a ransomware attack shut down the largest fuel pipeline in America. This led to fuel shortages across the Eastern US. Panic buying ensued, filling stations started running out of fuel and the President declared a state of emergency. Politicians and security experts denounced the poor state of OT security and the need to isolate the OT systems from the internet and IT systems.
“Except the OT system wasn’t attacked. A billing and scheduling system on the IT network was the victim. ‘The company... proactively disconnected certain [operational technology] systems to ensure the systems’ safety,’ the FBI and CISA jointly reported.
“The fact that this wasn’t an attack on an OT system didn’t stop the TSA from quickly issuing two sets of new cybersecurity ‘directives’ (aka regulations) for owners and operators of TSA-designated ‘critical’ pipelines.
“The first TSA security directive (SD-01) was a reasonable document that ‘requires critical pipeline owners and operators to (1) report confirmed and potential cybersecurity incidents to CISA; (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and, (4) identify any gaps and related remediation measures to address cyber-related risks’. That all makes good security sense whether you are protecting an IT system or an OT system.
“The second TSA security directive (SD-02) is a different story. It is a prescriptive laundry list of cyber security activities that the pipeline operators have to follow regardless of whether or not these activities will reduce the risk of serious cyber events. It has been widely criticized by industry security experts and associations; in the words of the American Gas Association: ‘in the actual requirements, there is little consideration for prioritization’. For example, there are incredibly onerous rules around vulnerability patching that do not consider the severity of a vulnerability or allow companies to deploy alternative measures to mitigate the risk. This runs completely counter to current best practices in OT vulnerability management. It fails to align with other US government frameworks and regulations, particularly NIST's Cybersecurity Framework (CSF). Seriously, TSA failed to consult with the companies that operate the pipelines and understand the issues on the ground. They've failed to create a timely mechanism for pipelines to resolve questions regarding the deployment of SD-02.
“A more collaborative approach to critical infrastructure cyber security, such as the one used in the North American power industry, would be a major step forward.”