My team and I often speak (maybe preach) to those in the industrial and infrastructure space about the interdependence between operations and the business. Many companies still have siloed OT and IT security initiatives, or lack comprehensive security and resilience for their OT networks altogether, leaving them exposed to an increasingly hostile threat landscape.

We’ve seen first-hand the ripple effects an enterprise breach can have on operations and vice versa. Each environment offers a door to the other, making an integrated approach to cyber defense and resiliency a must.

In the most recent case of a cyber-attack on a critical pipeline in the United States, we felt how a ransomware attack can force a company to shut down all operations in order to manage and contain the threat. This 11-day shutdown constrained fuel access to states along the U.S. Eastern seaboard, and prompted the U.S. Department of Homeland Security, Transportation Security Administration (TSA) to issue a Security Directive outlining new cybersecurity requirements for critical companies in the pipeline sector.

Days earlier (May 12), the White House released an 18-page Executive Order on Improving the Nation’s Cybersecurity, outlining deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas. One of those agencies is the Cybersecurity and Infrastructure Security Agency (CISA), which is responsible for identifying and addressing the most significant risks to our nation’s critical infrastructure and plays a key role in the TSA Security Directive.

TSA Security Directive is Likely First Phase of a Larger Initiative

The TSA Security Directive is a short list of requirements, but with an aggressive deadline for compliance: June 25, 2021. Given how quickly the directive was assembled, there is no doubt in my mind there will be follow-on mandatory measures to boost the cybersecurity of the pipeline industry. So gear up: there will be more to come.

Included in the directive are requirements for critical pipeline owners and operators to:

  1. report confirmed and potential cybersecurity incidents to CISA;
  2. designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week;
  3. review their current practices, identify any gaps and related remediation measures to address cyber-related risks, and report the results to TSA and CISA within 30 days.

If you haven’t stood up a task force to understand the baseline requirements, determine a scope of activity, and gather data from across the company, you may be behind the ball. Consider enlisting the help of your cybersecurity advisory partner as soon as possible; even the most mature pipeline companies are asking for input, guidance, and help. And this is likely just the beginning, rather than the end of what will be required.

Use the Directive as an Incentive to Advance Your Security Posture

The directive and executive order send a resounding message for government agencies to get more aggressive on cybersecurity. It should sound like an airhorn to companies with ground to make up when it comes to building operational resilience in the face of a cyber incident: now is the time to take action. With a menagerie of PLCs, field sensors, workstations, SCADA systems, machines, and software (some commercial, some home-grown), coupled with all of the IT assets that run the business, it is a complex environment that requires a delicate hand and a custom approach to secure.

The current directive should prompt you to lead the change when it comes to your own IT and OT cybersecurity and resilience, rather than be forced to implement what regulators decide is appropriate.

For example, a government mandate to upgrade all your operating systems to the latest versions is a hypothetical but viable requirement that could expose your entire system to multiple challenges, including downtime, safety issues, hazards and financial blowback.

So rather than think of the directive as a compliance activity, use it as an incentive to begin building a truly resilient enterprise-wide security program. Some of the steps include:

  • Bring together the right stakeholders to develop a comprehensive security strategy
  • Designate/hire a Cybersecurity Coordinator (more often referred to as a Chief Security Officer or Chief Information Security Officer (CISO))
  • Assess your environment and identify security gaps
  • Develop a mitigation plan and assign clear roles and responsibilities in the event a cyber incident occurs
  • Implement cybersecurity policies, tooling for anomaly detection, and access controls across IT and OT assets
  • Develop an incident response, testing, and recovery plan – and test it regularly
  • Execute security training at all levels of the company, remembering that security is not an IT problem; it is a business imperative

As noted earlier, this is just the beginning. To keep our clients informed and ready for the next wave of critical infrastructure cybersecurity requirements, Accenture actively engages with government and legislative officials. We also continuously monitor the threat landscape specific to IT and OT targets and host CISO working groups to discuss strategy and peer feedback as events unfold.

 


Copyright © 2020 Accenture.
All rights reserved. Accenture and its logo are registered trademarks

Jim Guinn

Managing Director – Accenture Security, Strategy & Consulting Lead
