Recent Pipeline Incident Drives Home IT/OT Interdependence
June 4, 2021
My team and I often speak (maybe preach) to those in the industrial and infrastructure space about the interdependence between operations and the business. Many companies still have siloed OT and IT security initiatives, or lack comprehensive security and resilience for their OT networks altogether, leaving them exposed to an increasingly hostile threat landscape.
We’ve seen first-hand the ripple effects an enterprise breach can have on operations and vice versa. Each environment offers a door to the other, making an integrated approach to cyber defense and resiliency a must.
In the most recent case of a cyber-attack on a critical pipeline in the United States, we felt the effect of how a ransomware attack can force a company to shut down all operations in order to manage and contain the threat. This 11-day shutdown constrained fuel access to states along the U.S. Eastern seaboard and prompted the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) to issue a Security Directive outlining new cybersecurity requirements for critical companies in the pipeline sector.
Days earlier (May 12), the White House released an 18-page Executive Order on Improving the Nation’s Cybersecurity, outlining deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas. One of those agencies is the Cybersecurity and Infrastructure Security Agency (CISA), which is responsible for identifying and addressing the most significant risks to our nation’s critical infrastructure and plays a key role in the TSA Security Directive.
The TSA Security Directive is a short list of requirements, but with an aggressive deadline for compliance: June 25, 2021. Given how quickly the directive was assembled, there is no doubt in my mind there will be follow-on mandatory measures to boost the cybersecurity of the pipeline industry. So gear up, there will be more to come.
Included in the directive are requirements for critical pipeline owners and operators to:
If you haven’t stood up a task force to understand the baseline requirements, determine a scope of activity, and gather data from across the company, you may be behind the ball. Consider enlisting the help of your cybersecurity advisory partner as soon as possible; even the most mature pipeline companies are asking for input, guidance, and help. And this is likely just the beginning, rather than the end, of what will be required.
The directive and executive order send a resounding message for government agencies to get more aggressive on cybersecurity. It should sound like an airhorn to companies with ground to make up when it comes to building operational resilience in the face of a cyber incident: now is the time to take action. With a menagerie of PLCs, field sensors, workstations, SCADA systems, machines, and software (some commercial, some home-grown), coupled with all of the IT assets that run the business, it is a complex environment that requires a delicate hand and a custom approach to secure.
The current directive should prompt you to lead the change when it comes to your own IT and OT cybersecurity and resilience, rather than be forced to implement what regulators decide is appropriate.
For example, being mandated by the government to upgrade all your operating systems to the latest versions is a hypothetical but viable requirement that could expose your entire system to multiple challenges, including downtime, safety issues, hazards and financial blowback.
So rather than think of the directive as a compliance activity, use it as an incentive to begin building a truly resilient enterprise-wide security program. Some of the steps include:
As noted earlier, this is just the beginning. To keep our clients informed and ready for the next wave of critical infrastructure cybersecurity requirements, Accenture actively engages with government and legislative officials. We also continuously monitor the threat landscape specific to IT and OT targets and host CISO working groups to discuss strategy and peer feedback as events unfold.
The reproduction and distribution of this material is forbidden without express written permission from Accenture. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this document. This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.