Here are a few stories that turned our heads in Operational Technology (OT) / Industrial Control Systems (ICS) security over the past week:
Policymakers and members of Congress have increasingly called for a "whole of government" response to cybersecurity threats, including foreign election meddling and critical infrastructure protection, and a formal, unified cyber doctrine to govern U.S. policy.
One idea – that of a single, consolidated agency with authority over most civilian cyber operations – is garnering increased attention from both nation states and policy analysts.
In February, Microsoft put out a white paper laying out best practices for a single national cybersecurity agency, drawing on the company's experience dealing with governments around the world. Such an agency should have a clear statutory mandate to manage policy, the ability to conduct outreach to industry and allies, and the authority to oversee regulation of private industry and coordinate emergency incident response.
Our Take: Currently there are at least 6 federal bodies with responsibility for cybersecurity policy and response: the FBI, the Federal Trade Commission, the Department of Homeland Security, the Secret Service, the National Institute of Standards and Technology, and the National Security Agency. Coordinating policy and action across that many bureaucracies doesn't lend itself to speed and agility against the rising tide of cyberthreats, so consolidating responsibility under a clear charter and authority is certainly intriguing. The Microsoft white paper referenced in the article is worth a look.
At least four U.S. pipeline companies have seen their electronic systems for communicating with customers shut down over the last few days, with three confirming it resulted from a cyberattack.
On Tuesday, Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyberattack."
A day earlier, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas reported communications breakdowns, with Eastern Shore saying its outage occurred on March 29. The Department of Homeland Security, which said Monday it was gathering information about the attacks, had no immediate comment Tuesday.
“We do not believe any customer data was compromised,” said the Latitude Technologies unit of Energy Services Group, which Energy Transfer and Eastern Shore both identified as their third-party provider. “We are investigating the re-establishment of this data,” Latitude said in a message to customers.
Our Take: Claroty was quoted extensively last week in coverage of this attack. The points we made were the following:
- The motivation behind the attack is still unclear. It does not appear to have targeted disruption of gas supply; it was possibly financially motivated.
- Using third parties for system maintenance and support often requires allowing those parties remote access into the environment. This creates a large attack surface through which attackers can gain entry, either directly or indirectly.
- For critical infrastructure providers (and any enterprise) that allow remote access to third parties, additional controls must be in place, such as multifactor authentication and the process, policy and technology to continuously monitor those connections.
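As an added illustration of the continuous monitoring the last point calls for (example code written for this post, not Claroty's product or anything from the companies named above), the checker below audits constructed remote-access gateway log lines and flags third-party sessions that lack MFA, come from outside the vendor's agreed source network, or fall outside the agreed maintenance window. The log format, the account name `svc-vendor-a`, the policy values and the target host names are all assumptions.

```python
import ipaddress
import re
from datetime import datetime
# Constructed sample lines from a remote-access gateway (log format is an assumption).
SAMPLE_LOG = """\
2018-04-02T09:12:05Z user=svc-vendor-a src=203.0.113.10 mfa=yes target=plc-gw-01
2018-04-02T23:41:17Z user=svc-vendor-a src=203.0.113.10 mfa=yes target=plc-gw-01
2018-04-03T10:05:44Z user=svc-vendor-a src=198.51.100.7 mfa=no target=hist-01
2018-04-03T11:30:02Z user=ops-jsmith src=10.20.0.15 mfa=yes target=hmi-02
"""
# Agreed access terms per third-party account (assumed values): the vendor's
# source network and a UTC maintenance window expressed as [start_hour, end_hour).
VENDOR_POLICY = {
    "svc-vendor-a": {"src_net": ipaddress.ip_network("203.0.113.0/24"), "window": (8, 18)},
}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no) target=(?P<target>\S+)")

def parse_line(line):
    # Parse one gateway log line into a record; return None for lines that do not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["mfa"] = rec["mfa"] == "yes"
    return rec

def check_session(rec):
    """Return the policy violations for a third-party session (empty for in-house users)."""
    policy = VENDOR_POLICY.get(rec["user"])
    if policy is None:
        return []  # not a tracked third-party account
    findings = []
    if not rec["mfa"]:
        findings.append("no-mfa")
    if rec["src"] not in policy["src_net"]:
        findings.append("unexpected-source")
    start, end = policy["window"]
    if not start <= rec["ts"].hour < end:
        findings.append("outside-window")
    return findings

def audit(log_text):
    # Map each offending log line to its list of findings.
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (findings := check_session(rec)):
            out[line] = findings
    return out
```

Running `audit(SAMPLE_LOG)` flags the 23:41 session as outside the window and the session from 198.51.100.7 as both lacking MFA and coming from an unexpected source; the in-window vendor login and the in-house user produce no findings.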