The 2021 ransomware attack against Georgia-based Colonial Pipeline didn’t expose the weaknesses in America’s critical pipeline system — they were long and well-known within the industry and government. However this highly disruptive incident finally made the vulnerabilities impossible to ignore as a genuine threat to national security, and the Department of Homeland Security (DHS) initiated a series of steps to protect the nation’s pipeline infrastructure from cyber attacks.
The Transportation Safety Administration’s Security Directives
Less than a month after the breach, the TSA, part of DHS, announced a fairly general security directive that marked the start of the TSA and CISA’s (Cybersecurity and Infrastructure Security Agency) active involvement in pipeline cybersecurity. The general directive was followed by much more prescriptive guidelines, but they were difficult to implement. It was even difficult to share the guidelines with security vendors because they were classified. By July 2022, after consulting with the industry, the TSA issued a new set of standards that were performance-based rather than prescriptive, aiming to protect information and operational technology under more manageable rules.
Pipeline Cybersecurity: TSA Directives You Can Manage with TXOne Networks
As a leader in operational technology (OT) digital safety and oil and gas cybersecurity, our engineering team identified how TXOne Networks’ hardware and software solutions can support the oil and gas industry in their efforts to manage TSA directives. While it is important for owners, operators, and security teams to develop an ongoing cybersecurity process with the proper resources, vendors, and internal stakeholders, our solutions can help fulfill these specific TSA directives:
Critical Systems Identification
Owner/operators must create a complete inventory of every connected device, computer, and workstation in the critical system environment they are controlling. Because systems are usually a mix of new and legacy systems built up over time, most operators don’t know what they have. Maintaining visibility of all assets on your network is the first step to effective cybersecurity.
Network Segmentation
An intruder can freely wander the entire system in an unsegmented network, reaching any IT or OT component. Network segmentation makes it more difficult to move among areas and limits the damage.
Access Control
Access control, both physical and digital, has long been one of the most challenging aspects of pipeline cybersecurity. In the Colonial attack, a VPN password was easy to compromise because it was likely used in more than one place, an all too common habit.
Continuous Monitoring and Detection
Build continuous monitoring and detection policies and procedures to scan for malware, intruders, and other issues that might affect critical cyber system operations.
Patch Management
Fix unpatched systems with regular, timely application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems.
Preservation of Forensic Evidence
It’s important to establish an evidence trail to see how an attack occurred both to prevent further breaches and share with CISA so the industry can be alerted to new methods.
How TXOne Technology Helps Meet TSA Directives for Pipeline Cybersecurity
EdgeIPS™
EdgeIPS™ is an industrial-grade intrusion prevention system that’s designed to be placed in front of mission-critical assets at the network edge. In the Purdue Model, this is for level-one, -two, or -three environments, as shown in our deployment model.
EdgeIPS serves these TSA directives:
Critical Systems Identification: EdgeIPS passively assesses network packets that are being sent through the device to determine whether other devices are in the environment, and it helps identify critical assets.
Network Segmentation: Configuring the policies and profiles allows the limitation and segmentation of the network traffic, thus segmenting the network.
Access Control: By configuring the policies and profiles, EdgeIPS controls the access of different departments, user groups, and IT/OT network communication.
Patch Management: Using the IPS Profiles, virtual patching can be configured to deny known, unpatched exploits.
Forensic Evidence Preservation: The device stores system and event logs and has the ability to ship the logs to a Syslog server for quicker analysis.
EdgeFire™
EdgeFire™ is a hardware-based firewall for inline threat detection. EdgeFire™ gives users attack information, event logs, early attack detection, and trust list-based filtering of control commands.
EdgeFire provides the same capabilities for Critical Systems Identification, Network Segmentation, Access Control, Patch Management, and Forensic Evidence Preservation.
EdgeIPS™ Pro
EdgeIPS™ Pro is a TXOne first-of-its-kind technology. A purpose-built, high port density appliance, it’s designed for IT-OT convergence cybersecurity in highly automated environments.
EdgeIPS Pro provides the same capabilities for Critical Systems Identification, Network Segmentation, Access Control, and Patch Management as EdgeIPS and EdgeFire, plus:
Continuous Monitoring and Detection. Streaming-based antivirus profiles provide an extra layer of protection and scanning, optimizing memory utilization for large archive files by decompressing the files on the fly and scanning the PE and ELF format for malware files.
OT Defense Console™
TXOne OT Defense Console™ (ODC) provides centralized oversight for up to 1,000 network segments for a comprehensive, consolidated overview, organized into alerts, assets, and incident events.
OT Defense Console™ serves these TSA directives:
Critical Systems Identification. ODC collects the asset list from the connected Edge products to provide a centralized list of other devices in the environment and help identify critical assets.
Access Control. ODC can be configured to use TACACS (Terminal Access Controller Access-Control System) to ensure that only authorized users have access. ODC also offers a user management capability to the Edge Device Groups to limit access to only the devices that the user needs.
Continuous Monitoring and Detection. ODC offers the capability to search the logs for all connected devices and helps to monitor for anomalies or threat detection events.
Forensic Evidence Preservation. ODC stores the logs for all connected Edge devices and offers the capability to build reports based on the logs. ODC has the ability to ship the logs to a Syslog server for quicker analysis.
Stellar™
Stellar™ is an industry-leading endpoint cyber defense solution that’s especially well-suited for the oil and gas industry. The two primary Stellar™ components are StellarProtect Agents that work one-to-one with assets; and a centralized StellarOne management console that streamlines their use. Of interest to pipeline operators, this is the first solution that offers seamless protection and oversight for legacy and modern assets running side by side.
Stellar™ serves these TSA directives:
Access Control. StellarOne can be configured to use SAML (Security Assertion Markup Language) to ensure that only authorized users have access. Application Lockdown can also be used to ensure that only pre-authorized applications are running on the machine and that unauthorized file changes are not being made on the system.
Continuous Monitoring and Detection. Configure Real-time Scan for the StellarProtect Agents to have them scan files as they are accessed to ensure that no malicious activity is detected in the file. The StellarProtect Agents also store logs of all events and send these logs to StellarOne.
Forensic Evidence Preservation. StellarOne stores the logs for all StellarProtect Agents and offers the capability to build reports based on the logs. StellarOne has the ability to ship the logs to a Syslog server for quicker analysis.
Trend Micro Portable Security™ 3
Trend Micro Portable Security™ 3 is a small, portable, hardware-based software scanner that can scan unknown devices from vendors or contractors before they interface with industrial control systems.
Trend Micro Portable Security™ 3 serves this TSA directive:
Access Control. Portable Security can be used to scan and clean all vendor devices or newly acquired devices prior to allowing connection to the ICS network. This will ensure that the device is clean of threats without installing software on incoming devices.
Are TSA Directives Giving You a Headache? We’re Here to Help!
The challenges of securing oil and gas pipelines and production are constantly evolving. This is a great deal of information, and our team is ready and happy to help you and your vendors find the OT cyber defenses that are best for you. Contact us today to learn how TXOne solutions can keep your system safe, compliant, and operational.
