In early May, a U.S. pipeline company suffered a ransomware attack. The company responded by halting operations while it investigated the incident, which delayed tens of millions of gallons of fuel from reaching destinations along the East Coast.
Less than a week later, Bloomberg reported that the company had paid millions of dollars to a ransomware group to regain access to its systems. U.S. government officials were aware of the payment, a source told Bloomberg, and acting through the Department of Justice (DOJ), they later recovered part of the payment from the attacker’s bitcoin wallet.
The TSA’s Response
Alejandro Mayorkas, Secretary of the Department of Homeland Security (DHS), responded to the pipeline incident by meeting with other officials to consider how they might use the Transportation Security Administration (TSA) to improve the digital security of the pipeline industry. They decided that the TSA, a unit of the DHS, would issue a new security directive for companies in that sector. According to The Washington Post, the directive requires pipeline organizations to disclose security incidents such as ransomware attacks to TSA and the Cybersecurity & Infrastructure Security Agency (CISA). It also mandates that those organizations designate someone, such as a CISO, who has a 24/7 direct line to both TSA and CISA for reporting an attack.
Senior DHS officials added that the security directive is a precursor to a set of mandatory security controls for pipeline organizations. As The Washington Post noted, those controls will break from previous pipeline security guidelines in that they will not be voluntary: pipeline organizations will have to apply them to harden their systems or risk financial penalties.
Tripwire’s Response to the TSA’s Security Directive
Tripwire recognizes the importance of protecting U.S. pipeline owner/operators, whose services underpin the U.S. economy and citizens’ livelihood and well-being. A leading provider of IT and OT system integrity solutions, Tripwire stands ready to partner with the DHS on several key provisions of the TSA’s security directive, including the following:
Leverage a Designated Executive Available in the Event of a Security Incident
While Tripwire cannot designate an executive on an organization’s behalf, its solutions give the designated executive visibility into what was affected by a cybersecurity event, when, and where. These details allow the executive to quickly identify the impacted assets down to MAC addresses, IP addresses, serial numbers, and hostnames to assess the extent of the damage, while also producing log files that help diagnose the situation.
Designate a Cybersecurity Coordinator with 24/7 Availability to TSA and CISA
Tripwire continuously monitors both IT and OT environments for policy violations, changes, and malicious activity. It can actively identify IT assets using agent-based or agentless methods, perform passive deep packet inspection (DPI) against more than 100 IT and OT protocols, and return rich data about those assets. With this continuous 24/7 monitoring, the cybersecurity coordinator can promptly report potential intrusions in either the IT or OT environment to TSA and CISA.
Review Activities against TSA’s Recommendations in Section 7 of Security Guidelines
Tripwire covers the OT systems listed in the guidelines (SCADA, PCS, and DCS) and provides integration with, and visibility into, the IT environment. System integrity, the continuous revalidation that a system is still in a trustworthy state, is essential to knowing that critical systems are as they should be. Tripwire also provides out-of-the-box policy compliance checks for the NIST recommendations referenced in that document’s introduction.
Pipeline owner/operators will also be required to know which assets on their networks are critical and which are not. Tripwire can help by scanning, identifying, and tagging assets on OT systems to classify them as critical or non-critical. From there it provides out-of-the-box support for creating the TSA-required baseline policies and measurements for the newly classified assets. By monitoring for a desired system state and alerting on changes that deviate from that state, it provides a backstop to other cybersecurity solutions, which tend to focus on detecting malicious activity rather than on verifying that systems remain in a known-good state.
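To make the baseline-and-deviation approach described above concrete, here is an added example of the underlying technique. It is not Tripwire’s code and is not drawn from the TSA guidelines: it takes a snapshot of content hashes, sizes and permission bits for a set of files, compares a later snapshot against that baseline, and tags each deviation with the asset’s criticality so that changes to critical assets can be routed straight to the cybersecurity coordinator. The classification table, the file names and contents, and the three simulated tampering events are all constructed for this example, and it assumes a POSIX filesystem where permission bits are meaningful.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed asset classification for this example (relative path -> tag).
# A real deployment would take this from the owner/operator's asset inventory.
CLASSIFICATION = {
    "scada/plc_config.xml": "critical",
    "scada/historian.cfg": "critical",
    "office/readme.txt": "non-critical",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Record content hash, size and permission bits for every regular file under root."""
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return state


def compare(baseline: dict, current: dict, classification: dict) -> list:
    """Diff a fresh snapshot against the baseline.

    Each finding is (relative path, criticality tag, change description).
    Files absent from the classification table are reported as 'unclassified'
    rather than silently ignored: an unknown file is itself a deviation."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        tag = classification.get(rel, "unclassified")
        if rel not in current:
            findings.append((rel, tag, "removed"))
        elif rel not in baseline:
            findings.append((rel, tag, "added"))
        else:
            changed = [k for k in ("sha256", "size", "mode")
                       if baseline[rel][k] != current[rel][k]]
            if changed:
                findings.append((rel, tag, "modified:" + ",".join(changed)))
    return findings


def critical_only(findings: list) -> list:
    """The subset that should page the cybersecurity coordinator immediately."""
    return [f for f in findings if f[1] == "critical"]


def run_demo() -> list:
    """Build a baseline over constructed files, tamper with them, and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample content
            "scada/plc_config.xml": b"<cfg><setpoint>100</setpoint></cfg>\n",
            "scada/historian.cfg": b"retention_days=365\n",
            "office/readme.txt": b"internal notes\n",
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            os.chmod(target, 0o644)  # pin the mode so the baseline is deterministic
        baseline = snapshot(root)

        # Simulated events after the baseline was taken:
        # 1. a critical PLC config is altered (content and length change),
        (root / "scada/plc_config.xml").write_bytes(
            b"<cfg><setpoint>100</setpoint><!-- tampered --></cfg>\n")
        # 2. an unclassified file appears in a non-critical area,
        (root / "office/unexpected.bin").write_bytes(b"\x00\x01\x02")
        # 3. a non-critical file is made world-writable (permission drift only).
        os.chmod(root / "office/readme.txt", 0o666)

        return compare(baseline, snapshot(root), CLASSIFICATION)


if __name__ == "__main__":
    for rel, tag, change in run_demo():
        print(f"[{tag:>12}] {rel}: {change}")
```

Running the script lists three deviations: a content change on the critical PLC configuration, an unexpected new file, and a permission change on a non-critical file. Only the first would go to the coordinator via critical_only, while the other two remain visible for triage; the untouched historian configuration produces no finding at all, which is the point of baselining rather than signature matching.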