Tag Archives: TSA

Pipeline Operators Are In the Crosshairs – From Both Regulators and Hackers

The Colonial Pipeline attack exposed what a lot of us have been saying for years – that when it comes to U.S. critical infrastructure, the emperor has no clothes.

After the attack on Colonial was dealt with, TSA issued a directive very quickly that was pretty superficial. It required, among a couple of other things, that operators identify a cybersecurity coordinator who is available 24×7 and assess whether their security practices are aligned with the 2018 pipeline security VOLUNTARY directive.

In fairness, there was not a lot of time to prepare, and TSA – those same folks that do a wonderful job of stopping guns getting through security in airports (in a public embarrassment in 2016, the TSA director was fired after it became public that the TSA failed to detect guns 95% of the time) – said that more would be coming.

The electric distribution network, managed by NERC and FERC, has done a somewhat better job of protecting that infrastructure, but even that has a lot of holes in it. No one seems to be watching the water supply.

Now we are learning that the TSA issued another directive regarding pipeline security. Given all of the recent supply chain attacks, this is decades past due and nothing will change immediately, meaning that the Chinese, Russians, North Koreans and others will still have years to attack us. This directive requires the pipeline industry to implement specific mitigations (not explained, likely due to security issues) to protect against ransomware and other known threats, to develop and implement a cybersecurity contingency plan, to implement a disaster recovery plan and review the security of their cyber architecture.

The TSA is still not acting like a regulator. There do not appear to be any penalties for not doing these things and there doesn’t even seem to be much oversight. The TSA calls the companies that it regulates its partners. I cannot recall, for example, ever hearing banking regulators calling the banks that they regulate their partners. The TSA is not the partner of the companies that it regulates (unless maybe, they are getting kickbacks, in which case, okay).

Sorry, but that is completely the wrong model and is doomed to fail. It may require Congress to do something although I am pessimistic that they will. You can never tell.

This directive comes on the heels of another report from the FBI and CISA that the Chinese targeted 23 pipeline operators between 2011 and 2013. Why they didn’t think it important to tell us about this for 10 years is not explained. Maybe the facts were about to be leaked? Don’t know.

Are there more attacks that they are not telling us about still?

Of the 23 pipeline operators in this report, 13 were confirmed to have been breached. Three more were what the feds call near misses, whatever that means, and for the remaining 8 it is unknown how badly they were compromised.

Well, that certainly gives me a warm fuzzy feeling.

At the same time, CISA has been reporting an insane number of IoT vulnerabilities on every brand of industrial IoT equipment. While it is good that CISA is “outing” these vendors’ decades-old sloppy security practices, there is still a long way to go. For every bug they announce, who knows how many remain and, more importantly, will the operators of the vulnerable equipment even bother to deploy the patches? In fairness, in many cases the cost of downtime is high and the operators’ confidence that their equipment will still work after being patched is low.

For many operators, the equipment that is vulnerable has been in place for 10, 15, even 20 years and the people who installed it or designed it are retired and possibly even deceased. To reverse engineer something like that is an insanely complex task.

The alternative is to ignore the problem and hope that the Chinese, Russians and others decide to play nice and not attack us. Fat chance.

We should also consider that independent hackers who may have even less morals than the North Koreans (is that possible?) may have discovered these bugs – which of course are now being made public on a daily basis – and choose to use them to attack us for their own motives. Even if we do arrest them after, for example, they blow up a refinery, that is a tad bit unsatisfying to me.

If you get the sense that I am disgusted that the government is decades behind in protecting us, I am. You should be too. By the way, this is not a Democratic vs. Republican thing. Administrations on both sides of the aisle have put this in the “too hard to do pile” and pretended that it does not exist.

TSA Issues New Pipeline Security Directive

After not doing anything over the last twenty years to protect the cybersecurity of pipelines, the TSA decided they needed to do something – anything – so that they have the appearance of responding to the problem.

If you get the sense that I am not impressed, you are correct.

So what do pipeline operators have to do now?

The first thing, which I suspect that operators are not thrilled about, is that they now have to report both confirmed and POTENTIAL cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

One requirement that probably won’t be too painful is that they are required to designate a cybersecurity coordinator and that person needs to be available 24/7.

They also have to review their current security practices and report risks, gaps and remediation measures to the TSA and CISA within 30 days. What makes this a bit toothless is that there is no guidance on how to conduct this risk assessment.

The Secretary of Homeland Security, Alejandro N. Mayorkas, said that DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.

I would rather they treat these organizations like businesses that they are regulating and hold them accountable for their horrible security (reminder: the auditor of an audit that Colonial paid for a few years ago said their security was so bad that an 8th grader could hack them). Partners are cozy. Way too cozy. Credit: Bleeping Computer

Nothing in this order requires them to fix any issues, fix them in a particular amount of time or adhere to any standards. Even the electric industry has standards. Credit: Metacurity

While this is designed to give the appearance that the government is doing something, that something is, in reality, not very much.

Security News for the Week Ending April 10, 2020

Remember that Real-ID Deadline we Were Worried About

Since planes seem to be flying with fewer passengers than flight crew members these days – if they fly at all – the gov has decided to make some security changes. In addition to the fact that they are allowing you to bring a 12 ounce bottle of hand sanitizer onto the flight, they are allowing people to fly with EXPIRED drivers licenses since DMV offices are closed in almost every state. They can be expired up to the later of one year or 60 days past the end of the pandemic emergency. The DMVs were saying that, given the number of licenses that they had to re-issue to comply with Real ID, the October 1, 2020 date was going to be impossible to meet – before the pandemic. Now that date would require a miracle – assuming we even know when DMV offices will reopen. Of course, since no one is flying right now, it is sort of a moot point for the moment. Several House members wrote to DHS pointing that fact out, but as of today, other than saying that you can use an expired license, they haven’t said anything about Real ID. I am reasonably confident that they will delay enforcement. Again. For the umpteenth time. Source: CNN

Hacker Takes on Elastic Search Scorched Earth Policy

A hacker or hackers have decided to make a point that putting servers on the Internet with no password is not exactly a bright strategy.

To reinforce that point, the hacker is wandering around the Internet, finding unprotected servers and wiping all the data from them. As of earlier this week, that amounts to around 15,000 servers. It is unknown whether these servers are active or abandoned or whether the owners have backups, but hopefully the point will be made and people will start securing their servers. Source: ZDNet

Russia one-ups China – Steals Internet Traffic for 200 Networks for an Hour

Russia does not want to feel unloved. Therefore, it stole all of the Internet traffic for 200 or so content delivery networks such as Facebook, Google, Amazon and others for an hour. After vacuuming in all that data, it spit it back out to the rightful destination, so other than the connection being slow, the users were unaware. I am sure it was just an accident. Of course, if Russia wanted to, it could have rerouted all that data and just thrown it in the trash. The good news is that there is a new spec for BGP routing security and there are a few tests going on right now as some companies begin to implement it. In ten years or so (if we are lucky), when it is fully implemented, these attacks won’t work. Source: ZDNet

Microsoft Pays for Its Past Sins

A couple of weeks ago it was reported that the owner of the domain corp.com was putting the domain up for sale. This was an issue because for years Microsoft used Corp.com as the example domain for setting up Active Directory and thousands of companies used that example for real. This week Microsoft bought the domain, which was for sale for $1.7 million. Microsoft didn’t say how much they paid, but they really had no option, because if a bad guy bought it, the passwords of tens of thousands of companies’ employees would be at risk. Credit: Bleeping Computer

What Do You Get for $7.55 Billion?

This year the TSA’s performance is better than last year.

Last year, it has been reported, TSA checkpoints failed to detect contraband 95% of the time.

That means for $7+ billion, TSA agents only stopped 5% of the stuff that was not supposed to be allowed on board.

This year, according to reports, the number is in the neighborhood of 80% failure, meaning that the bad guys have a 4 out of 5 chance of getting contraband on board.

That makes me feel safer, for sure.

The briefing, before the House Committee on Homeland Security, was classified. I think the bad guys understand that their odds are good in getting stuff through the checkpoints. The reason the hearing was classified, no doubt, is that they probably discussed what types of things were least likely to be detected and the techniques that they used.

This year, instead of using specially trained red teams during the test, they used secretaries and clerks. You would think that might improve the odds of getting caught, but apparently not.

Rep. Mike Rogers told TSA administrator David Pekoske that “this agency that you run is badly broken”.

That would qualify as an understatement.

Of course, none of this is news to those of us in security.

Going back to when Mary Schiavo was the Inspector General of the Department of Transportation, corruption, fraud, incompetence and abuse in the DoT was being exposed. Schiavo had over 150 convictions during her 6 years as IG.

TSA “red teams” have been trying to sneak stuff through checkpoints for 15 years. In 2015, the TSA screeners failed in 67 out of 70 tests, according to leaked reports.

This year is a tad bit better, but still, the odds of getting contraband through – including guns and explosives – are insanely high.

It might also be useful to understand that the so-called “9/11” security fee that is added to every airplane ticket has been mostly diverted to other purposes and is not used to pay for or improve security or buy new screening devices.

Because the 9/11 fee is being diverted to items like building the border wall, security at airports is being degraded. DHS VIPR teams that use dogs to secure transportation facilities are being cut from 31 teams to 8 teams, for example.

I think I am going to drive on my next trip – it might be safer.

Information for this post came from ABC.

TSA Rolls Out New Screening Rule

Earlier this summer, TSA banned laptops and other large electronics on flights into the United States from certain countries. Almost as quickly, they removed those bans – likely due to feedback from the airlines, who were concerned that travelers would use video conferencing instead of flying.

Later this summer, TSA started a pilot program at a few airports that implemented enhanced scanning of electronics.

Now they are beginning the rollout of the program nationwide between now and early 2018.

Here is how the program will work. Passengers will be required to take ALL electronics larger than a cell phone out of their carry-on bags and place them in a tray by themselves, with nothing underneath them and nothing on top of them.

This includes game consoles, cameras, iPads and other large electronics.

Because of these new rules and the anticipated delays at screening locations, TSA is recommending that passengers arrive at the airport 90 minutes before their flight rather than 60 minutes before.

It is not clear if these rules will apply to TSA Precheck passengers.

Information for this post came from Security Today.