Pipeline cybersecurity mitigation actions, contingency planning, and testing.

Dave Bittner: It's Wednesday, August 10, 2022, and you're listening to "Control Loop." In today's OT cybersecurity briefing, the BlackCat ransomware gang hits an energy company in Luxembourg. MOXA issues patches for two vulnerabilities. A look at ransomware gangs and their interest in industrial targets. ICS security advisories. New security legislation passes the U.S. House of Representatives and is set to become law. Some insider threat news. Spain arrests nuclear plant employees. And the human factor in industrial security. Our guest is Bryson Bort from SCYTHE on threat emulation for critical infrastructure, Season Three of "Hack the Plant" with the Atlantic Council, and the ICS village at DEF CON in collaboration with CISA. In the learning lab, Jim Gilsinn, technical leader at Dragos Global Services Team, discusses Security Directive Pipeline-2021-02C, pipeline cybersecurity mitigation actions, contingency planning, and testing with Mark Urban.

Dave Bittner: The BlackCat ransomware privateers, also known as ALPHV and generally regarded as a DarkSide successor or simply as DarkSide rebranded, claimed responsibility for an attack on Creos, a Luxembourg company that operates a major Western European gas pipeline, Bleeping Computer reports. According to the record, the group claims to have stolen 150 gigabytes of data that they say includes contracts, passports, bills and emails. They threatened to leak the data on Monday, but as of the afternoon, no data had been released. Creos's corporate parent, Encevo, said late last week that it was continuing to investigate the incident, which has affected its customer-facing portals. Like its immediate ancestor DarkSide, responsible for last year's cyberattack against Colonial Pipeline, BlackCat is based in Russia and has shown an interest in targeting Western energy infrastructure. The Luxembourg operation is a major one. Its reach goes far beyond the Grand Duchy. 

Dave Bittner: Industrial networking provider MOXA has patched two serious vulnerabilities in its NPort Ethernet to serial converter devices, SecurityWeek reports. The vulnerabilities could be used to launch denial-of-service attacks against the devices. The flaws were discovered by researchers at nGuard security, who notified the vendor in March. Moxa coordinated with CISA, and CISA published an advisory on July 26. In addition to applying the security patch, CISA offers the following recommendations. First, minimize network exposure for all control system devices and/or systems and ensure they are not accessible from the internet. Second, locate control system networks and remote devices behind firewalls and isolate them from business networks. And third, when remote access is required, use secure methods such as virtual private networks, recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

Dave Bittner: Ransomware continues to present a threat to industrial operations. What are the gangs interested in these days? On Tuesday, August 9, Dragos released its industrial ransomware analysis for the second quarter of 2022. While the threat actors' interests and targeting can shift, the report includes a quick rundown of what the opposition's interests look like now. Some of the threat actors target by sector. Dragos describes three of these. Karakurt has been targeting mainly transportation entities. VICE SOCIETY has been targeting only automotive manufacturing entities. And Lockbit 2.0 is the only group that targeted the pharmaceutical, mining and water treatment sectors. Others show a geographical focus. Moses Staff has only targeted Israel. Black Basta, Ransomhouse, and Everest have only targeted entities in the U.S. and Europe. Quantum and Lorenzo have only targeted North American-based entities. And finally, the threat actors shift. Old ones grow quiescent and new ones start making noise. LAPSUS$, CL0P LEAKS, and Rook were active in the first quarter, but not now. Black Basta, Midas Leaks, Pandora and Ransomhouse have been busy in the second quarter but were nowhere to be seen in the first. In general, ransomware attacks were fewer in the second quarter than they had been in the first. But on the other hand, the more recent attacks were more consequential. 

Dave Bittner: Dragos closes its report with a prediction, saying, due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence that new ransomware groups will appear in the next quarter, whether as new or reformed ones. Dragos assesses with moderate confidence that ransomware with destructive capability will continue to target OT operations given the continuous political tension between Russia and Western countries. CISA has issued 13 new ICS advisories since we last spoke with you. These affect systems produced by Rockwell, Mitsubishi, Delta Electronics, Honeywell and Moxa. If you're interested in the details, check them out at cisa.gov/uscert/ics/advisories. They're all there. And they're all worth at least a quick once over. Security Week reports that the U.S. House of Representatives passed two cybersecurity bills this week, both of them with implications for industrial security. First, the RANSOMWARE Act. The acronym is short for Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies. The bill itself is an update of the SAFE WEB Act of 2006, giving the Federal Trade Commission the authority to share evidence with foreign law enforcement agencies to aid investigations of cybercrime. The amendments will require the FTC to report on cross-border complaints involving cyberthreats, specifically calling out attacks carried out by Russia, China, North Korea and Iran. The second measure is the Energy Cybersecurity University Leadership Act. This will require the Department of Energy to establish an Energy Cybersecurity University Leadership Program in which graduate students and postdoctoral researchers would receive financial assistance to take courses that integrate cybersecurity and energy infrastructure. Spanish police have arrested two nuclear power plant employees accused of attempting to manipulate Spain's radioactivity alert network between March and June of 2021. HackRead quotes, "the investigation team identified that the intrusion was performed in two stages. 

Dave Bittner: First, the suspects gained unauthorized control of the DGPCE’s computer system to delete a web application that managed the RAR system. During the second stage, they targeted over 300 out of 800 sensors over three months. This caused connectivity failures between the sensors and the control centers. Eventually, their radioactivity levels detection capacity was considerably reduced. It is alleged that the hackers operated via a Madrid-based public hospitality network." Interference with accurate sensor feeds is particularly disturbing. And access via a public hospitality network is astonishing. Those were malicious insiders at the nuclear plant in Spain, of course. But there are also well-intentioned but wayward insiders who pose a different kind of threat. SCADAfence has released the results of a survey finding that 79% of OT experts believe human error is the greatest risk for compromise to OT systems. Eighty-three percent of those surveyed believe there is a significant shortage of trained OT workers, with not enough new workers being trained to meet the growing demand. Additionally, 69% believe this shortage puts organizations at higher risk than ever before. Here, the remedy isn't punitive, but rather supportive. 

Dave Bittner: We know, we know - personnel, can't live with them, can't live without them. But seriously, if the staff is undertrained and overworked, you can expect bad things to happen. Take care of the people who take care of you. 

Dave Bittner: Bryson Bort is founder of attack emulation platform developer SCYTHE and co-founder of the ICS Village at DEF CON. I spoke with him at the recent SANS ICS Security Summit in Orlando. So let's start off with just some sort of background, high-level stuff on you. When you're out and about and, you know, you're at a cocktail party or something and you're meeting someone for the first time, how do you explain what it is you do for a living? 

Bryson Bort: Well, to start with, I usually just stare at them awkwardly. And I hope that that's enough. But then they typically press for more information. 

Dave Bittner: Yeah. 

Bryson Bort: Well, so my full-time job is the CEO of SCYTHE. 

Dave Bittner: Right. 

Bryson Bort: We spawned it out of GRIMM after a large organization came to us in 2016, asked us to build a one-off implant. I've never been asked to do that commercially before. I thought that was a really interesting request. And I had not been looking to start a product company. I'd never been looking to start a product - just doing what we did at GRIMM, which was delivering high-end services that really made a difference in the world, and suddenly, here was this opportunity. And I knew that's what I wanted to do. And so when I talk about, what do I do now? It really kind of depends on who you're talking to, right? And I think this is an important point that we struggle with in this industry because we're so fond of our own echo chamber. And we throw out acronyms. We throw out ideas. And we just presume almost everybody's going to automatically understand that. And so that's one of the things that you really distill when you build a product is being able to simplify what that is to an audience that gets it as best as possible. So in short, when I describe what I do, besides as the CEO - mostly being Dr. Phil to... 

Dave Bittner: (Laughter). 

Bryson Bort: ...Everybody... 

Dave Bittner: Right. 

Bryson Bort: ...In the company... 

Dave Bittner: Right. 

Bryson Bort: ...Is we're there to bring the realistic threats in, right? Mike Tyson says that everybody's got a plan until they get punched in the face. 

Dave Bittner: Yeah. 

Bryson Bort: So let's practice sparring with a real boxing partner instead of shadowboxing with ourselves. And that's what the platform does. That's what we do at SCYTHE. 

Dave Bittner: OK. Well, let's walk through that together. I mean, when we're talking about threat emulation in the ICS world, from a practical point of view, how does that play out? 

Bryson Bort: Yeah, it's a great question. And in fact, that's the real core of the talk that Ian Anderson and I are doing at SANS ICS - is looking at what really needs to be considered for an OT risk assessment. And I think the first part is recognizing that IT is a part of that. 2012, Saudi Aramco - 30,000-plus computers in only the IT part of the enterprise paperweights overnight due to that attack. What happened? That affected OT operations. When we look at the most common attack vectors, the most common attack vectors are through IT, right? IT is, by its very nature, the necessity of business operations for an enterprise to run, and it's the thing that's internet-accessible that is available to everything. 

Dave Bittner: Right. 

Bryson Bort: And so when you look at how the structure of the enterprise actually works - and this is a part of what we do with this talk - is the Purdue Model was not really designed for the enterprise architecture of cybersecurity. And as a result, when we look at all those levels, we get this false sense of security of defense and depth because look at all of these levels. 

Dave Bittner: Right. 

Bryson Bort: Does it naturally give you that intuitively? And the reality is, from an attacker perspective, there's only three parts to your enterprise - the IT, which we were just describing, which is the most common attack vector, then beachhead systems, right? That's that DMZ. Those are the high-level control systems that typically speak the same operating systems as an enterprise device, just typically unpatched from two - you know, two generations ago. 

Dave Bittner: Right. 

Bryson Bort: So I run into Windows 7 on an HMI. 

Dave Bittner: (Laughter). 

Bryson Bort: Right? 

Dave Bittner: OK. 

Bryson Bort: And they are accessible into the IT component. So I have the ability to get to it. The same approach that typically worked for me in the IT environment to get there is going to work on that control system. And here's the thing, then. Then that's the final layer, right? All of the more specialized embedded and operational technologies that are doing the physical effects in the world - they're just dumb devices that take their commands from up high, right? They speak these unique protocols. They have unique processor architectures. And it's all of this unintentional obscurity. I guess you could probably say it's intentional because some of these manufacturers intentionally do that to force you to stay with them, right? 

Dave Bittner: Right, right. 

Bryson Bort: But they listen to whatever that higher-level system is telling it to do. And so when I'm conducting a risk assessment, it's really understanding the IT to OT convergence. And then how do I look at what's happening from a control system perspective down? And so I'm looking at access and impact at IT level. At beachhead, I'm looking at access with what I would call simulated impact down to the OT level because I'm not actually going to change something in production because I can't affect what's providing my electricity. I can't affect that system. That is a safety mechanism, right? 

Dave Bittner: Yeah. 

Bryson Bort: But I can see the access to it, which ties to what a realistic campaign would have been. And I can then impute what the impact would have been of that operation. Does that all make sense together? 

Dave Bittner: I think so. But - so when we run an emulation process, you know, we kick things off. We run through from point A to point Z. What do we get on the other side of that? Is this a reporting kind of thing? What does the actual process look like? 

Bryson Bort: Oh, sure. So I use the metaphor of - think of your environment as this big block of marble. Inside that marble is this beautiful statue for you, right? 

Dave Bittner: Right. 

Bryson Bort: And in between you and that statue is the visibility to understand what the hell is even happening on the assets you even know that you have. And then the ability to get the monitoring tuned in enough where the human engagement - right? - the alert actually has value. And that is really f****** hard. 

Dave Bittner: OK. 

Bryson Bort: Right? That's where this stuff is so tricky because it turns out malicious traffic doesn't have a simple, little, evil bit to tell you it's malicious traffic. 

Dave Bittner: Sure. 

Bryson Bort: Right? It's intent more than it is the traffic itself, right? If I'm telling a PLC to open, how do I know the context that that's good or bad? And the PLC certainly doesn't know. It doesn't know its own operational parameters to know that it's triggered bad. That, again, goes back to what those beachhead system's responsibilities are, right? That's what that SIS and those DCSs are supposed to be doing - is doing that themselves. And so what are we getting out of all of this is seeing where is the tech - where's the people side of this? And I cannot emphasize that enough. Too often in this space, we can do the f****** nerd things for the f****** nerd reasons, and we just focus on the technical component. 

Dave Bittner: Right. 

Bryson Bort: I don't care how good your tools are if the people can't use them. And so it's putting those two together. It's partially insight into what is working, what is not, what do I see, what don't I see and then the ability for people to use those things as they go through a traditional post-breach response, right? How quickly can I detect things and identify that that traffic was anomalous and malicious? How quickly can I get into the details of understanding then, now that I have this, you know, initial smoke, where else is there potential fire? And then, of course, kicking those f***ers out of our network. 

Dave Bittner: Yeah. When you say people, though, are we talking IT people, OT people, and what's the Rosetta stone between them? 

Bryson Bort: Exactly. So both. 

Dave Bittner: Yeah. 

Bryson Bort: And that's a key component - is the two need to be able to do this together. IT can't exist in its own vacuum, and OT can't exist in its own vacuum, but it's natural that they would because they have very different requirements and very different understandings. And again, it's not as simple as just mashing these together and IT saying, hey, I've now got visibility into my SIM of the stuff that's going on in your network, but I don't understand it and don't know what to do with it, and vice versa. So it's really not just as simple as, like, putting the two puzzle pieces together. And that's part of where I recommend doing these kinds of engagements - of course, you know, with a platform like ours, but... 

Dave Bittner: Right. 

Bryson Bort: ...Doing any of these kinds of engagements - however you want to do them - so that, by going through the process, you learn and understand. And there's that cross-functional understanding that's more than just, hey, there's a paper glossary of what these terms mean, but actually getting to see them in practice. 

Dave Bittner: As you and your colleagues are doing these things, are there things that come up over and over again? Are there - is there low-hanging fruit that - right? You see where I'm getting? 

Bryson Bort: Yeah, low-hanging fruit starts with the cultural divide between IT and OT that we've seen. 

Dave Bittner: OK. 

Bryson Bort: Again, talking to the echo chamber, I think a lot of us in the expert realm take for granted that the OT side understands the true impact of cybersecurity in their environment. I don't think that's universal. I think that is still a nascent concept. There are certainly forward-leaning aspects of that. The national headlines over the last two years have also helped push that. 

Dave Bittner: Right. 

Bryson Bort: But put this in the context of - even IT cybersecurity is a relatively new concept, too. So firewalls did not commonly exist until 20 years ago. Hear that statement out loud. Until 20 years ago, it did not occur to us that our network should not just be everyone's network. 

Dave Bittner: Right. 

Bryson Bort: Twenty years ago. Ten years ago, with Target, was the first time that commercial organizations started to be like, wait, there's something to what you nerds have been saying. 

Dave Bittner: (Laughter). 

Bryson Bort: Like, we should have more than AV and firewalls. Like, this is a real market. And that's IT, right? 

Dave Bittner: Yeah. 

Bryson Bort: Now look at OT, which is still further behind on that, and I think it's all very understandable to recognize the playing field we're working at. So that cultural divide, that organizational buy-in, that understanding is still a common area to work on. That is the biggest low-hanging fruit I see time and time again, and we can't forget that and try to focus on these edge security problems, which we experts love to talk about, versus the basics to get even to that - right? - playing on the same checkerboard. In terms of what I see technically? PowerShell, PowerShell, PowerShell. 

Dave Bittner: Yeah. Hmm. 

Bryson Bort: So to translate this for the audience - right? - PowerShell is an organic capability to Microsoft Windows. It is a powerful capability that allows me to do remote management and administration of my systems. Hackers are lazy. I don't want to bring my own special code if I can use your code. And PowerShell is this phenomenal resource to allow me to do literally anything, and it's everywhere that there's Windows. And I think, with a lot of the engagements I've been doing for the past year with different energy asset owners, them truly seeing that impact into their OT environment has been a giant wake-up call. 

Dave Bittner: Hmm. So is it - I mean, is it as simple as - if you absolutely don't need it, please disable PowerShell? 

Bryson Bort: You can't. 

Dave Bittner: Yeah, 'cause it's too baked in. 

Bryson Bort: It's - I mean, the recent exploit - MSDT - that just came out - that actually ties back into PowerShell, too, right? 

Dave Bittner: Right. 

Bryson Bort: These - it's a part of the environment, right? You can look at it from kind of that NERC CIP perspective of, like, I should block anything that I don't need to have. But some of these things - you can't do that. 

Dave Bittner: Yeah. 

Bryson Bort: And even if you do, the fact that there are going to be places where it exists, those are going to be the targets that I'm going to get to. 

Dave Bittner: I see. 

Dave Bittner: Let's talk about the ICS Village at DEFCON - something that you're very involved with. You're one of the founders of it. Can you give us a little preview of what to expect this year? I know you've got something new coming up - an escape room? 

Bryson Bort: Yeah. So the ICS village is a 501(c)(3) nonprofit co-founded with Tom VanNorman, and our goal is to build critical infrastructure to make it accessible all the way to the folks who go, what is a programmable logic controller, to IT folks who don't understand that you are in an industrial control system environment. Where do you think your water and electricity comes from, right? That is a factor in whatever you're doing, let alone the fact that you might have physical security. You might have door locks. You might have HVAC. Those are all industrial control systems. And then the final piece, where we do a lot of work with the exhibits and the capture-the-flags that we build is providing that initial on-ramp so that IT security practitioners can begin to get exposed to hands-on operational technology security and that be a potential career path for them. 

Bryson Bort: So what we've got going on at DEFCON is we are doing the world debut of this complete escape room. So it's an industrial control system environment. There'll be groups that come in, and they have to basically do a combination of multidisciplinary elements. So it's not just, hey, can I do ladder logic, but some things that people do and don't understand to be able to break out. And that's hosted by the Cybersecurity Infrastructure Security Agency, CEE-SAH (ph). 

Dave Bittner: Yep. 

Bryson Bort: Or, sorry, CISS-AH (ph). They... 

Dave Bittner: CISA - that's - they are... 

Bryson Bort: The CISA folks have told me... 

Dave Bittner: They're a bit prickly about that, aren't they (laughter)? 

Bryson Bort: They have. I got lectured at Hack the Capitol for pronouncing it CEE-SAH... 

Dave Bittner: Yeah (laughter). 

Bryson Bort: ...And they were like, Bryson, could you please say CISS-AH? 

Dave Bittner: Yes (laughter). 

Bryson Bort: So if you're listening, CISA, I did it right after those few attempts. 

Dave Bittner: Yeah. Yeah. 

Bryson Bort: So we got that. We'll have a number of different hands-on activities. We'll have a bunch of talks. Some of the things that we're going to be doing different this year is we're going to be having ISAC-themed talks. So some of the different ISACs are going to be bringing their own little, like, subtrack of talks into DEFCON. And the idea behind that is we wanted to highlight them as organizations and a lot of the good work that some of the smaller ISACs don't get to do on their own. And we'll be doing some group tabletop exercises. So for folks that either have never done it or have, you always learn from getting to do these kinds of things with a guided tabletop as a part of it. And then we'll have hands-on PLC stuff and different kinds of things to learn and experiment with. 

Dave Bittner: All right. Well, Bryson Bort, thanks so much for taking the time for us today. 

Bryson Bort: Absolutely. Happy to do it. 

Dave Bittner: In this week's Learning Lab, Jim Gilsinn, technical leader at Dragos Global Services Team, discusses "Security Directive Pipeline-2021-02C: Pipeline Cybersecurity Mitigation Actions, Contingency Planning and Testing" along with Mark Urban. 

Mark Urban: Thanks, Dave. On July 21, we saw the release of the Department of Homeland Security's TSA "Security Directive Pipeline 2021-02C." Now, it's a mouthful that was the latest in a series of initiatives driven by the federal government to increase cybersecurity in sectoral - in sectors, rather, of industrial infrastructure. Now, you can go to get a summary infographic on the new regulations by clicking on the link in the show notes. But to talk about specifics, I'm joined by Jim Gilsinn, part of Dragos Global Services Team that helps our customers build effective security programs. So Jim has spent 20 years in the engineering labs at NIST, seven more years as a consultant, and now he's been with Dragos for three years, focusing on industrial cyber-risk, maturity and standards. Jim, welcome. 

Jim Gilsinn: Thanks. Great to be here. 

Mark Urban: I wanted to step back and get some context, as this is one example of a much broader effort by the U.S. federal government around security for industrial infrastructure. We've seen efforts around electrical utilities, water utilities and this newest one around liquid and gas pipelines. Jim, what do you see is behind these efforts? 

Jim Gilsinn: Well, it's really a recognition of how critical these sectors are and understanding the risks to the industry itself and also the public from it. So say a water system or electric grid fails or falls victim to a cybersecurity incident. The loss of those critical infrastructures can have huge impacts. In oil and gas last year, we saw Colonial Pipeline shut down because they feared a breach could impact their safety systems and put the public at risk. A lot of times, these sectors - they underinvest or they just don't have as many resources at their disposal. And on top of all this, we've seen a number of the cybersecurity incidents really increase over the years - whether it's been targeted OT attacks or simply bleed-over from IT, the number of potential threats is always continuing to rise. 

Mark Urban: And so we've seen some efforts from the U.S. federal government. 

Jim Gilsinn: Last year, we saw the U.S. Department of Energy release the 100-day plan for power grid cybersecurity. And then earlier this year, the EPA started up a similar plan for water utilities. Then, back in May of 2021, President Biden signed the executive order on improving the nation's cybersecurity, which created the Cyber Safety Review Board, among other things. In terms of other countries releasing things recently, the Kingdom of Saudi Arabia's National Cybersecurity Authority released their OT cybersecurity controls for critical infrastructure earlier this year, and then Australia released their security legislation amendment for critical infrastructure. Regulations for critical infrastructure was also recently announced as well. 

Mark Urban: All right, so a lot of activity across different sectors. Let's turn to oil and gas pipelines. This new regulation was probably at least influenced by what you mentioned - the Colonial Pipeline incident. I think that was May 2021. Can you give us a brief description of what happened there? 

Jim Gilsinn: In May of 2021, Colonial Pipeline's IT systems were attacked by a cyber incident. Basically, ransomware hit them and encrypted a lot of their IT systems. They lost a lot of their data. And they chose to pay the ransom, but the company also broke their connection between their IT and their OT systems for fear that the ransomware would spread into the OT environment. 

Mark Urban: OK. So that's a highly simplified view of the incident. Maybe you can talk a little bit about kind of the implications or the fallout. 

Jim Gilsinn: Sure. In total, the company only shut down their pipeline for six days. And while that may not seem like a lot, it actually resulted in a large impact - some out of fear, some out of actual production issues. There were, like, 10,000 gas stations, approximately, that ran out of gas, more out of fear from the public versus the actual loss of gas in those regions. The company itself had to pay out 4 million-plus in ransomware. Some of it was later recovered by, I believe, the FBI. Gas prices rose during that time. A lot of that was speculation, but it was nine to something in the 10 to 20, like, cents a gallon. And even flight - airline flights were impacted because of the fear and fuel deliveries that were coming through the pipeline. 

Mark Urban: All right - so a lot of implications. For those with their own OT-dependent businesses or operations, think about the loss of revenue for a week - as an example, impact - plus all of the investigation and restart costs, the time and effort to communicate and manage that sort of crisis. That's a lot of impact. And, you know, to the public, whether an actual impact or the fear that it creates among a population, you see the implications of the - you know, of an attack like this or an incident like this, right? So that's one piece of the context. So let's talk specifics about the new TSA directive. Jim, can you kind of walk us through that? 

Jim Gilsinn: Yeah. So on July 21 of this year, TSA released a revised version of their directive. Originally, they released a version back in - shortly after Colonial Pipeline - July of 2021. And they revised that just recently this year, effective July 27, for owner-operators of oil and gas pipelines. With that, they have to submit a cybersecurity implementation plan within 90 days. And, overall, the goal is to protect these critical gas and liquid pipelines from malicious cyber events. Specifically, they're trying to protect the national security, economy and public health and safety of the U.S. and its citizens. 

Mark Urban: That's great. I think that's a direct quote out of the regulation. You said that this was an update - the 02C. What's the reason for the change or the update from the original one that was issued? 

Jim Gilsinn: As I said, the first one was issued fairly shortly after Colonial Pipeline. And with everything that comes out, like, very quickly after an incident, a lot of that was quickly put together and didn't take into account all of the things that it should have when they were building it. They were trying to put something together very quickly. It was - the way it was written was very prescriptive, so it told them specifically how they needed to do things. It gave them very tight timelines for compliance, and there were a lot of things that were geared very much to the IT environment that didn't really apply as well to OT systems, like zero trust and multifactor, for all the systems. 

Jim Gilsinn: Many of the owner-operators were not really happy about the directives 02B. They said that the directives themselves were hard to use - the OT systems. In addition to that, they also had to apply, a lot of times, for what are called alternative methods or compensating controls in order to show that they met the spirit of the requirement without being able to actually meet the direct requirement itself. So one of the things that TSA did with this directive was they really made a major shift away from prescriptive requirements to performance-based or functional requirements. These would describe more what has to be accomplished and why it has to be accomplished versus specifically how it needs to be done. And this allows owners and operators to really find the solution that works best for their needs, while still trying to meet the goals and meet those performance-based requirements. 

Mark Urban: Gotcha. So that's interesting. When you said they were treating OT almost like a whole computer or IT - that was a theme on the last episode of Learning Lab, where we were talking about the difference between operational technology systems that often, you know, you can't just patch them because you have to shut down a plant, right? It's different than updating your PC at home. The OT environment is vastly different. And that's - it's another proof point here. So that's just interesting, the update. So tell us then about - a short explanation of what the newest rules are. 

Jim Gilsinn: Sure. So getting into a little more details, as I said before, they have 90 days to submit their cybersecurity implementation plan. And there's a few specific, like, major areas. This is too much to go through. Like, the details are too much to go through here. But at least going through the major things - so identifying their critical cyber systems, then implementing network segmentation policies and controls. This, again, is that separation between IT and OT and separation between critical systems within their OT environment. Implementing secure access controls - so, again, a lot of times these systems maybe need to be accessed locally or remotely, and so they need to add extra access controls on top of that to prevent unauthorized access. Implementing continuous monitoring - so making sure that they have the ability to detect and sort of prevent and respond to cybersecurity threats affecting their cybersecurity - or their critical cyber systems. They do actually want you to look at patching your systems if possible. And so having a patch management program and a vulnerability management program within the organization and having at least some plan for how to respond to potential patches that do come out and then how you manage ones that may not make operational sense for them. 

Jim Gilsinn: This implementation plan - basically, the company submits it, they have 90 days to submit that plan, and then TSA and the company actually work together to approve it. And once they have that approved, they have 60 more days to release an assessment program. So they have to develop an annual plan for assessing their program and proactively looking to audit their systems to assess how well their subsequent measures are working. And then one last piece - owner operators have to develop and maintain an up-to-date cybersecurity incident response plan as well. So not just planning their defenses and planning how they're going to assess their systems, but in the event that they do run into an actual incident, how would they actually respond to that? There are some specifics about records and document procedures, but that's sort of the very short overview of the controls. 

Mark Urban: OK. So that's seven specific requirements. If you look at that, how does that relate to other frameworks and standards, like 62443 or C2M2 or the NIST CSF? 

Jim Gilsinn: The way these are written is they are very compatible with a lot of those other frameworks. And I think TSA actually got recommendations to do that because a lot of the other frameworks have additional guidance material and really have - there's a lot of information that OT organizations can use to help guide them and how to actually build these out internally. And so they - a lot of the requirements go very much hand in hand with 62443 and NIST and C2M2 and CMC and a lot of those other frameworks. 

Mark Urban: Gotcha, Jim. OK. So there is a bit of pushback from the earlier version of the TSA directives - too prescriptive, not recognizing a lot of the distinct kind of nature of operational technology and how to properly secure that. This distilled version perhaps a bit easier to act on and compatible with those more detailed controls. All right, Jim, thanks so much for your perspective today. 

Jim Gilsinn: Thanks a lot. 

Mark Urban: For more information on the directives, you can access the infographic at dragos.com. The actual URL is in the show notes. We also are having a webinar that walks through the regulations in more detail. And if you're not an owner operator of liquid and gas pipelines but want to take steps to secure your OT environment, I encourage you to access - a couple of podcast episodes ago was the five critical controls. And we have information on that on a website but it's also, just go back a couple episodes in this podcast and you can find again all the links for these resources in the show notes. Just go to your podcast manager to access the show notes there. And thank you very much once again for the Learning Lab on "Control Loop." This is Mark Urban. 

Dave Bittner: And that's "Control Loop" brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at thecyberwire.com Sound design for this show is done by Elliott Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch and Mark Urban. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.