To protect infrastructure from cyberattacks, think progress, not perfection
July 22, 2022
By Jim Guinn II, senior managing director, global cybersecurity industry groups lead, Accenture
New Accenture cyber threat intelligence shows that malware specifically targeting industrial control systems (ICS) is available for purchase in forums on the dark web. If you're a cybercriminal, it's a great deal: It comes with instructions and is fully ready to unleash.
Although the underground sale of destructive malware is nothing new, the motives of the cybercriminals offering deals like this one are shifting: they are now more ideologically driven than financially motivated.
And if their claims are true, this tool could be used by any number of attackers to target any ICS that uses Modbus, a de facto standard communication protocol used to connect industrial electronic devices. Modbus carries no authentication or message integrity protection, so anything that can reach a device over the network can read and write its registers; that is what makes a packaged tool like this dangerous. It is a potentially serious problem for nearly every industry, since ICS assets are used just about everywhere: manufacturing, airports, cargo, rail, power generation and water treatment, for example. Any business involved in moving critical goods, services and commodities to our homes and businesses could be at risk.
In the face of these growing threats, we must collaborate more closely than ever, sharing what we know so that we can collectively prepare for what comes next. In the United States, several paths to closer collaboration and a stronger cyber defense are being offered, and in some cases mandated, by agencies and regulators.
One excellent voluntary program initiated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is its Joint Cyber Defense Collaborative (JCDC) ICS Group, which shares intelligence across the private sector and government. This collaborative is working to help ICS manufacturers, owners and operators, cybersecurity firms and the U.S. Government get timely access to critical cyber threat information.
On the mandatory side we have the Transportation Security Administration's (TSA) two 2021 Pipeline Security Directives (2021-01 and 2021-02), aimed at owners and operators of hazardous liquid and natural gas pipelines and liquefied natural gas (LNG) facilities that move products to market. Both offer good progress toward the goal of better securing our critical infrastructure.
After the Colonial Pipeline attack, the TSA was under tremendous pressure to come up with cohesive, all-encompassing regulations fast. What followed was a series of security directives aimed first at pipelines, then extended to some air and rail organizations. Many of the new requirements were on point. Some, though, needed improvement because they essentially asked the impossible. In some cases, for example, supply chain issues have made it impossible to obtain new technology in time to meet the required timelines in the original security directive.
That's why the TSA yesterday made some modifications to its second 2021 security directive for critical pipeline owners and operators (SD 2021-02C). One change gives organizations more flexibility in how they design and execute their cyber defenses. This “outcome-based” approach is a welcome acknowledgement that one size does not fit all.
Also, SD 2021-02C reduces the number of controls from the 53 in the original security directive to effectively 46. Other changes give the industry more time to evaluate a potential cyberattack before notifying the government; it helps to have a better understanding of the validity and potential impact of an event before reporting it. The revision also allows owners and operators to propose alternative measures rather than risk the potentially harmful disruptions that can come from applying "IT-style" patching to ICS and process control systems (PCS). This matters because many ICS patches must first be tested and qualified by the vendor before they are released, and operators then have to validate them against their own equipment, often during a scheduled outage. Both steps take time.
Changes like this are a welcome recognition that cybersecurity is not black and white. It is iterative, shaped by variables such as industry standards, change-control processes like Management of Change, budget constraints, an organization's legacy technology and even whether the organization can hire the right talent.
All in all, the new outcome-based controls proposed as part of SD 2021-02C are welcome. However, as the TSA works on a formal rulemaking it should consider some additional changes:
In summary, what the TSA is proposing with SD 2021-02C is a positive, improved path to increasing cyber resilience. Let's rally around it, but let's also collectively help the TSA and other regulators improve their work by getting into the game: submitting feedback, working the process, and telling our government what works and what does not.
It's not enough to observe that there's more work to do. We have to remember that a lot of that work is on all of us.
Jim Guinn II leads cybersecurity strategy and consulting globally, including critical infrastructure consulting, for Accenture. With more than 25 years of deep industry experience and business acumen, he plays a strategic role in setting the direction and overseeing the delivery of operational and enterprise cybersecurity solutions for Accenture's clients.
The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.
Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Technology and Operations services and Accenture Song — all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 710,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.
Copyright © 2022 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.