This article is in response to the release of the U.S. Government Accountability Office (GAO) study in December regarding significant weaknesses in pipeline security program management.
As we enter 2019, the global threat to critical infrastructure has reached a critical mass. The seemingly countless attacks against utilities, nuclear facilities, pipeline infrastructure, defense systems, energy grids, food manufacturing, healthcare, and oil and gas facilities in the past five years have been noteworthy. Examples would include the “Stuxnet” attack against the Iranian nuclear program in 2015, the Russian NotPetya and general power outage attacks in 2017 – both leveled against Ukraine, and the cyber attack against the United States energy grid in 2018. The question is, why is this such a huge attack vector for hackers and nation states alike? The answer is as simple as it is obvious, an effective attack on critical infrastructure could cause a cascading impact to the lives of thousands or even millions, potentially bringing an entire nation to its knees for days, weeks or even months.
The primary factors that have put our critical infrastructure at risk are directly linked to the convergence of what has been, until recently, disparate technologies. Most people have a fairly clear understanding that we live in a connected world, but they’re likely not aware of how deep this really goes. Superficially, we live our daily lives using cell phones, computers, air traffic control systems, vehicle GPS, voice-activated services, connected audiovisual systems, etc. However, we are less aware that virtually everything that controls anything in the world, is connected to the internet or to what is commonly known as the cloud (95 percent of which is connected by wire across the global grid and exists on a remotely located computer, not yours). This reality means that in order to protect this infrastructure in the world of cyber and physical security, we have to clearly understand that a converged approach to security is the only way to define and defend the infrastructure around us.
The four elements that are the most critical to protect in this modern world of correlated threats are Secured Communication, Secured Cloud, Secured Storage, and Secured Entry. These elements must reach across the four domains of Information technology – IT, Operational Technology – OT (control systems such as SCADA, and PLC’s), Physical Security – PS (cameras, access control systems, video management systems) and Internet of Things – IoT (all things at the edge, such as sensors, etc.). Unfortunately, this is only the beginning, since, without cyber and physical security governance across business units and organizations, the entire concept falls flat on its face. Yes, communication between siloes of businesses, organizations, and agencies is extremely important. This was highlighted by the lack of communication that occurred between first responders and agencies in the wake of the 9/11 attacks. The final piece to the puzzle is a clear understanding of how security touches and is touched by business process, compliance/regulations, behavior (such as the acceptance of a secured environment or the desire for open unrestricted spaces) and finally, adoption of the proper technology to solve the threats and vulnerabilities that exist due to human’s interaction with all of the above.
The Four Elements of Security
Now that I have your head spinning, let’s begin the process of addressing the four elements of security (communications, cloud, storage and entry) across the four domains of IT, OT, PS and IoT.
The first step is to perform a converged assessment of your environment. In this context, a converged assessment is one that correlates findings across IT, OT, PS, and IoT while identifying gaps across the entire environment as a whole. Today, most assessments are conducted in siloes. The very same siloes I’ve explained above. These are often preferred targets for hackers since they can take advantage of the fact that the left hand doesn’t particularly know what the right hand is doing in most organizations, especially in the public sector. This siloed approach frequently leads to an abundance of redundant technology, with layer upon layer of open API and IP addresses, often stemming from the proliferation of edge devices and Sensors across IT, OT, and PS. Yes, it’s a mess and the GAO (with the help of DHS and the TSA) are screaming for help.
At this point, many of you may be wondering why this isn’t being handled already. Well, the pure and simple answer is money. Budgets within the security arena are minuscule. In fact, even though this threat is clear and ever-present, most CFO’s and procurement directors will often take the posture that this is a cost and does not make their company any money. This is absolutely incorrect. In fact, the complete opposite is true and would be clear if you were to follow the “bouncing ball” that I’ve explained in the previous paragraph. The important part is the fact that all of this is connected, which means that the production of product and services are at risk. You may well ask then, “How do I measure this?”
Simple, if you multiply the rate of risk by the baseline liability and divide by the acceptable level of risk then your answer will be a clear roadmap to the acceptable level of technology. Measuring the use of technology and how it applies to all areas of your business or entity while ensuring that you can run an organization securely, is critical. Examples are as simple as mitigating the cost of guard services with the use of unmanned security revolving doors. The use of secured communication to mitigate or properly use IT and cyber personnel. Using security video technology that is also being used for product manufacturing to mitigate potential machine failures with high low sensors for warnings. The use of layered approaches to security around SCADA systems, pump stations, gas and energy distribution to not only prevent systems from being hacked but prevent sabotage.
Critical Infrastructure Threats and Vulnerabilities
What GAO Found
Related to the document, "Actions Needed to Address Significant Weaknesses in TSA's Pipeline Security Program Management GAO-19-48, published: Dec 18, 2018," the GAO found that TSA relies on the industry's self-evaluation "using ill-defined criteria" to determine whether pipeline operators have critical facilities within their pipeline systems. "As a result, approximately one-third of the top 100 systems based on volume indicated to TSA that they do not have any critical facilities and TSA did not conduct an onsite review of these facilities," the report said.
The nation depends on the interstate pipeline system to deliver oil, natural gas, and more. This increasingly computerized system is an attractive target for hackers and terrorists. (Protection of cyber critical infrastructure is on our High-Risk List.)
GAO found weaknesses in how the TSA manages its pipeline security efforts. For example, it has no process for determining when to update its guidelines for pipeline operators. Also, its method for assessing risks needs updating.
Map of Hazardous Liquid and Natural Gas Pipelines in the United States, September 2018
Pipeline operators reported using a range of guidelines and standards to address physical and cybersecurity risks, including the Department of Homeland Security's (DHS) Transportation Security Administration's (TSA) Pipeline Security Guidelines, initially issued in 2011. TSA issued revised guidelines in March 2018 to reflect changes in the threat environment and incorporate most of the principles and practices from the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. However, TSA's revisions do not include all elements of the current framework and TSA does not have a documented process for reviewing and revising its guidelines on a regular basis. Without such a documented process, TSA cannot ensure that its guidelines reflect the latest known standards and best practices for physical security and cybersecurity, or address the dynamic security threat environment that pipelines face. Further, GAO found that the guidelines lack clear definitions to ensure that pipeline operators identify their critical facilities. GAO's analysis showed that operators of at least 34 of the nation's top 100 critical pipeline systems (determined by the volume of product transported) deemed highest risk had identified no critical facilities. This may be due, in part, to the guidelines not clearly defining the criteria to determine facilities' criticality.
U.S. Pipeline Systems' Basic Components and Vulnerabilities
To assess pipeline security risks, TSA conducts pipeline security reviews—Corporate Security Reviews and Critical Facility Security Reviews—to assess pipeline systems' vulnerabilities. However, GAO found that the number of TSA security reviews has varied considerably over the last several years, as shown in the table below.
Pipeline Security Reviews Conducted, Fiscal Year 2010 through July 2018
aFiscal year 2018 data are through July 31, 2018.
bFiscal years 2010 and 2011 represent Critical Facility Inspections—the predecessor of the Critical Facility Security Review.
TSA officials stated that staffing limitations have prevented TSA from conducting more reviews. Staffing levels for TSA's Pipeline Security Branch have varied significantly since the fiscal year 2010 with the number of staff ranging from 14 full-time equivalents in fiscal years 2012 and 2013 to 1 in 2014. Further, TSA does not have a strategic workforce plan to help ensure it identifies the skills and competencies—such as the required level of cybersecurity expertise— necessary to carry out its pipeline security responsibilities. By establishing a strategic workforce plan, TSA can help ensure that it has identified the necessary skills, competencies, and staffing.
GAO also identified factors that likely limit the usefulness of TSA's risk assessment methodology for prioritizing pipeline system reviews. Specifically, TSA has not updated its risk assessment methodology since 2014 to reflect current threats to the pipeline industry. Further, its sources of data and underlying assumptions and judgments regarding certain threat and vulnerability inputs are not fully documented. In addition, the risk assessment has not been peer reviewed since its inception in 2007. Taking steps to strengthen its risk assessment, and initiating an independent, external peer review would provide greater assurance that TSA ranks relative risk among pipeline systems using comprehensive and accurate data and methods.
TSA has established performance measures to monitor pipeline security review recommendations, analyze their results, and assess effectiveness in reducing risks. However, these measures do not possess key attributes—such as clarity and having measurable targets—that GAO has found are key to successful performance measures. By taking steps to ensure that its pipeline security program performance measures exhibit these key attributes, TSA could better assess its effectiveness at reducing pipeline systems' security risks. Pipeline Security Branch officials also reported conducting security reviews as the primary means for assessing the effectiveness of TSA's efforts to reduce pipeline security risks. However, TSA has not tracked the status of Corporate Security Review recommendations for the past 5 years. Until TSA monitors and records the status of these reviews' recommendations, it will be hindered in its efforts to determine whether its recommendations are leading to a significant reduction in risk.
Why GAO Did This Study
More than 2.7 million miles of pipeline transport and distribute oil, natural gas, and other hazardous products throughout the United States. Interstate pipelines run through remote areas and highly populated urban areas and are vulnerable to accidents, operating errors, and malicious physical and cyber-based attack or intrusion. The energy sector accounted for 35 percent of the 796 critical infrastructure cyber incidents reported to DHS from 2013 to 2015. Several federal and private entities have roles in pipeline security. TSA is primarily responsible for the oversight of pipeline physical security and cybersecurity.
GAO was asked to review TSA's efforts to assess and enhance pipeline security and cybersecurity. This report examines, among other objectives: (1) the guidance pipeline operators reported using to address security risks and the extent that TSA ensures its guidelines reflect the current threat environment; (2) the extent that TSA has assessed pipeline systems' security risks; and (3) the extent TSA has assessed its effectiveness in reducing pipeline security risks.
GAO analyzed TSA documents, such as its Pipeline Security Guidelines; evaluated TSA pipeline risk assessment efforts; and interviewed TSA officials, 10 U.S. pipeline operators—selected based on volume, geography, and material transported—and representatives from five industry associations.
What GAO Recommends
GAO makes 10 recommendations to the Transportation Security Administration's (TSA) to improve its pipeline security program management and DHS concurred. GAO recommends, among other things, that the TSA Administrator take the following actions:
- Implement a documented process for reviewing, and if deemed necessary, for revising TSA's Pipeline Security Guidelines at defined intervals;
- Clarify TSA's Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities;
- Develop a strategic workforce plan for TSA's Security Policy and Industry Engagement ‘s Surface Division;
- Update TSA's pipeline risk assessment methodology to include current data to ensure it reflects industry conditions and threats;
- Fully document the data sources, underlying assumptions and judgments that form the basis of TSA's pipeline risk assessment methodology;
- Take steps to coordinate an independent, external peer review of TSA's pipeline risk assessment methodology;
- Ensure the Security Policy and Industry Engagement ‘s Surface Division has a suite of performance measures which exhibit key attributes of successful performance measures; and
- Enter information on Corporate Security Review recommendations and monitor and record their status.
For more information, contact Chris Currie at (404) 679-1875 or [email protected] or Nick Marinos at (202) 512-9342 or [email protected].
We are at the precipice of a world that that is completely connected. From smart cities to smart buildings, with the use of machine learning, and deep learning we are closer than ever to being completely converged. This is also our Achilles heel which may lead to a disaster that we cannot possibly imagine. The need for our understanding of these threats from the lowest to the highest parts of our organizations is crucial. However, the time for education is growing short its either we get it or its game over.
About the Author:
Pierre Bourgeix is President ESI Convergent and Enterprise Consulting Manager for Boon Edam Inc.
