By Jim Guinn II, senior managing director, global cybersecurity industry groups lead, Accenture

New Accenture cyber threat intelligence shows that malware specifically targeting industrial control systems (ICS) is available for purchase in forums on the dark web. If you're a cybercriminal, it's a great deal: It comes with instructions and is fully ready to unleash.

Although the underground selling of destructive malware is nothing new, the motives of cybercriminals like the ones offering this deal are shifting. They are now more ideologically driven than motivated by financial gain.

And if their claims are true, this tool could be used by any number of attackers to target any ICS that uses Modbus, a de facto standard communication protocol used to connect industrial electronic devices. This is a potentially serious problem for nearly every industry, since ICS assets are used just about everywhere: manufacturing, airports, cargo, rail, power generation and water treatment, for example. Any business involved with moving critical goods, services and commodities to our homes and businesses could be at risk.

Time to circle the wagons

In the face of these increased cyber threats, now more than ever we must collaborate closely, sharing what we know to collectively prepare for what might come next. In the United States, several of the paths to increased collaboration and a successful cyber defense are being offered or in some cases mandated by agencies and regulators. 

One excellent voluntary program initiated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is its Joint Cyber Defense Collaborative (JCDC) ICS Group, which shares intelligence across the private sector and government. This collaborative is working to help ICS manufacturers, owners and operators, cybersecurity firms and the U.S. Government get timely access to critical cyber threat information.

On the mandatory side we have the Transportation Security Agency's (TSA) two 2021 Pipeline Security Directives (2021-01 and 2021-02), intended for owners and operators of pipelines and liquefied natural gas (LNG) facilities moving refined products to market. Both offer good progress toward the goal of better securing our critical infrastructure.

A good job under pressure

After the Colonial Pipeline attack, the TSA was under tremendous pressure to come up with cohesive, all-encompassing regulations fast. What followed was a series of security directives aimed first at pipelines, then extended to some air and rail organizations. Many of the new requirements were on point. Some, though, needed improvement because they essentially asked the impossible. In some cases, for example, supply chain issues have made it impossible to obtain new technology in time to meet the required timelines in the original security directive.

That's why the TSA yesterday made some modifications to its second 2021 security directive for critical pipeline owners and operators (SD 2021-02C). One change gives organizations more flexibility in how they design and execute their cyber defenses. This “outcome-based” approach is a welcome acknowledgement that one size does not fit all.

Also, SD 2021-02C reduces the number of controls from the 53 in the original security directive to effectively 46. Other changes would give the industry more time to evaluate a potential cyberattack prior to notifying the government; it can be helpful to have a better understanding of the potential impact and validity of a cyber event before reporting it. The proposal also would allow owners and operators to suggest alternative paths, rather than risk the potentially harmful disruptions that could occur by applying “IT patching” practices to ICS and process control networks (PCN). This is important because many ICS vulnerability patches must be thoroughly tested before they can be made available for deployment, which is a long process.

Changes like this are a welcome recognition that cybersecurity is not black and white. It is iterative, guided by complex variables such as industry standards, processes for testing like Management of Change, budget constraints, an organization's legacy technology and even whether the organization can access the right talent.

All in all, the new outcome-based controls proposed as part of SD 2021-02C are welcome. However, as the TSA works on a formal rulemaking it should consider some additional changes:

  • First, it is requiring companies to provide detailed cybersecurity information on the owner and operator’s security posture and their plans for conforming with the directive. This is undesirable because it creates a single location where our cyber adversaries could launch targeted attacks to gain detailed knowledge about organizations' security programs. The TSA should consider having these organizations create secure “virtual” rooms for access to documents. This would ease many owners' and operators' concerns about the security of their data, because having every pipeline owner's and operator's cyber defense information in one place makes for a significant target.
  • Second, when there is a specific control an owner and operator cannot meet, and the TSA has approved that company’s mitigating control, the TSA could discuss with other owners and operators struggling with the same issues, when appropriate. Bi-directional sharing of best practices could help companies better protect themselves while reducing unnecessary compliance time and cost. Out of the original 53 controls in the security directive, over 400 requests for mitigating actions have been submitted to the TSA.
  • Third, the directive should address asset inventory and asset management. In many cases these companies have grown via acquisition, built new facilities or performed turnarounds updating ICS and PCN technologies. This means that in many cases their asset inventory management solutions are out of date or missing. I often say you can’t protect what you can’t see, and if you don’t know you have it you can’t see it. Up-to-date asset management and asset inventory solutions will give these owners and operators a full picture of their entire operation and enable more rapid identification of systems or assets that need immediate patching. Section IV of SD 2021-02C says the TSA could inspect such an inventory, so it is better to have it than not.
  • Finally, the TSA’s directives only cover the midstream segment of the energy value chain (refined products and LNG), not the entire system. Thus, many PLCs and ICS assets in refineries and gathering systems might still be vulnerable even if an owner / operator follows every TSA control. It’s a great sign that TSA is collaborating with other agencies like the Coast Guard and Department of Energy. We need a holistic approach to ensuring cyber resilience of energy collection all the way to market, protecting the entire value chain.

In summary, what the TSA is proposing with SD 2021-02C is a positive, improved path to increasing cyber resilience. Let's rally around it, but let’s also collectively help the TSA and other regulators improve their work by getting into the game—submitting feedback, working the process, talking to our government about what works and what does not.

It's not enough to observe that there's more work to do. We have to remember that a lot of that work is on all of us.

Jim Guinn II leads cybersecurity strategy and consulting globally, including critical infrastructure consulting, for Accenture. With more than 25 years of deep industry experience and business acumen, he plays a strategic role in setting the direction and overseeing the delivery of operational and enterprise cybersecurity solutions for Accenture’s clients.

The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.

About Accenture

Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Technology and Operations services and Accenture Song — all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 710,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.

Copyright © 2022 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.
