Cybersecurity Legislation 2021: The US Government Against Ransomware

03 Jun 2021


From the TSA to the CISA/FBI to the White House – ransomware is front-of-mind in Washington these days

The recent flood of serious ransomware attacks on industrial and critical infrastructure targets – the latest being the crippling attack on the Colonial Pipeline – has led the US government to turn up the heat on both ransomware attackers and defenders. The past month has seen a wave of new cybersecurity legislation and standards, covering both regulatory oversight and law enforcement, intended to protect clearly exposed assets.

Critical Infrastructure owners are required to act immediately and report back to CISA by June 28th.

Cybersecurity Legislation Highlights of the New TSA Directive

The Transportation Security Administration – which oversees, among other facilities and activities, all US pipelines – was the most recent heavy-hitter to weigh in on pipeline cybersecurity. The agency’s new security directive, which went into effect on May 28 in light of the Colonial Pipeline attack, contains a string of specific and strict security and reporting requirements for pipeline owners, notably:

  • Asset (pipeline) owners are required to report cybersecurity incidents to CISA no later than 12 hours after a cybersecurity incident is identified
  • Asset owners are required to appoint a Cybersecurity Coordinator who will be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address incidents
  • Asset owners are required to review their current activities against TSA’s recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA

Most critically, the TSA is requiring asset owners to conduct a vulnerability assessment and report the results within 30 days of the effective date of the security directive, meaning by June 28th. The assessment must include the status of compliance with IEC 62443 and NIST 800-82r2 (mentioned in the TSA Security Directive on Pipelines – section 7.4, page 27).

Highlights of the FBI/CISA Joint Advisory

The advisory was issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on May 28th and relates specifically to the Colonial Pipeline attack. The advisory provides a high level of technical detail about the attack’s perpetrator, DarkSide, and its Ransomware-as-a-Service operation, as well as specific recommendations for businesses on how to prevent and mitigate the effects of similar ransomware attacks.

Notably, the report recommends that organizations reduce the risk of ransomware attack by:

  1. Mandating multi-factor authentication for any remote access to the OT or IT networks
  2. Implementing a user training program that simulates attacks
  3. Monitoring software to ensure it remains updated – operating systems, applications, and firmware on IT network assets
  4. Adopting a centralized patch management system
  5. Restricting unnecessary access to resources, notably via Remote Desktop Protocol (RDP)
  6. Adopting a risk-based asset inventory strategy that determines how OT network assets are identified and evaluated for the presence of malware

If they are hit by ransomware, organizations can reduce the risk of severe business or operational impairment by:

  1. Ensuring robust OT-IT network segmentation
  2. Organizing OT assets into logical units – factoring in criticality, consequence, and operational necessity
  3. Preventing Industrial Control Systems (ICS) from accessing the IT network
  4. Testing contingency plans – notably manual controls – to ensure that critical functions can be maintained during a cyber incident
  5. Making sure that user and process accounts are limited via account use policies, user account control, and privileged account management

New Legislative Initiatives affecting the industrial cybersecurity sector

Beyond the CISA/FBI advisory and President Biden’s Executive Order on Improving the Nation’s Cybersecurity, two bills have recently been introduced by US lawmakers to address cybersecurity in US industry and critical infrastructure:

  • The Pipeline Security Act – This act aims to codify the roles the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA) play in securing US gas and oil pipelines against “cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines...”
  • The CISA Cyber Exercise Act – This proposed law would amend the Homeland Security Act of 2002 and require CISA to create a "National Cyber Exercise Program" in which the government and companies would test their IT infrastructure against cyberthreats.

Cybersecurity Legislation 2021: The Bottom Line

Interestingly, despite the fact that the Colonial Pipeline attack (as well as other recent attacks) actually hit IT network systems, the recent directive from the Transportation Security Administration, the recommendations in the FBI/CISA Joint Advisory and President Biden’s Executive Order on Improving the Nation’s Cybersecurity all address both IT and OT security.

The reason? The US government is essentially confirming what OT security professionals have been claiming for some time: IT and OT security are interdependent (and in many cases convergent), and only a holistic and proactive approach can keep industrial and critical infrastructure secure.

There is a growing realization that securing the Operational Technology networks that control industry and infrastructure demands a different kind of cybersecurity approach. Both governments and industrial/critical infrastructure operators are becoming aware of the need for attack mitigation tools that were designed and built from the ground up for OT ecosystems – with operational processes and business continuity as their number one priority.

OTORIO offers an automated Security Assessment – OTORIO Spotlight. The Security Assessment is a short yet powerful offline process, with zero interference to your operational environment. Data from your systems is collected and analyzed using automated tools provided by OTORIO. The end result is a comprehensive view of risks, exposures and vulnerabilities, along with a clear and feasible risk mitigation plan – all prioritized according to the potential impact of each risk to your business. The Spotlight risk assessment can dramatically speed up the process of addressing the new TSA Directive requirements, under which critical infrastructure owners are required to act immediately and report back to CISA by June 28th.
