The Colonial Pipeline attack exposed what a lot of us have been saying for years – that when it comes to U.S. critical infrastructure, the emperor has no clothes.
After the attack on Colonial was dealt with, TSA issued a directive very quickly that was pretty superficial. It required, among a couple of other things, that operators identify a cybersecurity coordinator who is available 24×7 and assess whether their security practices are aligned with the 2018 pipeline security VOLUNTARY directive.
In fairness, there was not a lot of time to prepare and TSA – those same folks that do a wonderful job of stopping guns getting through security in airports (in a public outing, in 2016 the TSA director was fired after it became public that the TSA failed to detect guns 95% of the time) – said that more would be coming.
The electric distribution network, managed by NERC and FERC, have done a somewhat better job of protecting that infrastructure, but even that has a lot of holes in it. No one seems to be watching the water supply.
Now we are learning that the TSA issued another directive regarding pipeline security. Given all of the recent supply chain attacks, this is decades past due and nothing will change immediately, meaning that the Chinese, Russians, North Koreans and others will still have years to attack us. This directive requires the pipeline industry to implement specific mitigations (not explained, likely due to security issues) to protect against ransomware and other known threats, to develop and implement a cybersecurity contingency plan, to implement a disaster recovery plan and review the security of their cyber architecture.
The TSA is still not acting like a regulator. There do not appear to be any penalties for not doing these things and there doesn’t even seem to be much oversight. The TSA calls the companies that it regulates its partners. I cannot recall, for example, ever hearing banking regulators calling the banks that they regulate their partners. The TSA is not the partner of the companies that it regulates (unless maybe, they are getting kickbacks, in which case, okay).
Sorry, but that is completely the wrong model and is doomed to fail. It may require Congress to do something although I am pessimistic that they will. You can never tell.
This directive comes on the heels of another report from the FBI and CISA that the Chinese targeted 23 pipeline operators between 2011 and 2013. Why they didn’t think it important to tell us about this for 10 years is not explained. Maybe the facts were about to be leaked? Don’t know.
Are there more attacks that they are not telling us about still?
Of the 23 pipeline operators in this report, 13 were confirmed to have been breached. Three more were what the feds call near misses, whatever that means, and the remaining 8 were unknown as to how badly there were compromised.
Well, that certainly gives me a warm fuzzy feeling.
At the same time, CISA has been reporting an insane number of IoT vulnerabilities on every brand of industrial IoT equipment. While it is good that CISA is “outing” these vendors’ decades-old sloppy security practices, there is still a long way to go. For every bug they announce, who knows how many remain and, more importantly, will the operators of the vulnerable equipment even bother to deploy the patches. In fairness, in many cases the cost of downtime is high and the operators’ confidence that their equipment will still work after being patched is low.
For many operators, the equipment that is vulnerable has been in place for 10, 15, even 20 years and the people who installed it or designed it are retired and possibly even deceased. To reverse engineer something like that is an insanely complex task.
The alternative is to ignore the problem and hope that the Chinese, Russians and others decide to play nice and not attack us. Fat chance.
We should also consider that independent hackers who may have even less morals than the North Koreans (is that possible?) may have discovered these bugs – which of course are now being made public on a daily basis – and choose to use them to attack us for their own motives. Even if we do arrest them after, for example, they blow up a refinery, that is a tad bit unsatisfying to me.
If you get the sense that I am disgusted that the government is decades behind in protecting us, I am. You should be too. By the way, this is not a Democratic vs. Republican thing. Administrations on both sides of the aisle have put this in the “too hard to do pile” and pretended that it does not exist.