Government regulators have been recently taking an increased and active interest in cybersecurity defenses, especially with transportation and energy industries. Although the best practices proposed are basic measures that organizations should take, there are additional approaches that can boost an organization’s security capabilities and responsiveness.
Given the massive differences in cybersecurity levels in many companies both in energy and transportation, there is a pragmatic logic to providing a basic set of guidelines that most organizations can implement fairly easily and quickly. That said, given the extreme importance of cybersecurity in 2022 due in part to ransomware and state actor attacks, it might be prudent to ask what else companies can do.
The U.S. Department of Homeland Security’s Transportation Security Administration (TSA) issued two security directives in December 2021. First, we should stress that not all of these directives are being published for the entire industry, so we can only discuss the few details that have been announced.
The TSA Security Directives announced today target higher-risk freight railroads, passenger rail, and rail transit, based on a determination that these requirements need to be issued immediately to protect transportation security. These Directives require owners and operators to:
- designate a cybersecurity coordinator;
- report cybersecurity incidents to CISA within 24 hours;
- develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and,
- complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
While many enterprises may already have been doing some of these for years if not decades, the conversation also needs to move towards resilient approaches that can increase their defenses.
The new energy rules–specifically, for “critical pipeline owners and operators”–came out in the summer of 2021. The second directive, which builds on top of a first directive from May 2021, requires pipeline owners and operators to “implement specific mitigation measures to protect against ransomware attacks and other known threats to IT and OT systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
What companies need to do today is not only to strengthen their security defenses, but to make sure they have modern mechanisms in place to actually use those security tools and get maximum value out of them.
The best example: automation. The speed and intensity of attacks is such that enterprises need to come up with new ways to keep up. After all, the best way to slow down a meaningful defense is to hide or obscure the attack for as long as possible. That typically means either an undifferentiated flood of simultaneous attacks–to hide the actual attack–or one large, focused attack, such as a DDoS, to draw attention away from the real target, such as rerouting payroll payments or exfiltrating half a petabyte of customer data. Otherwise, the security team will waste lots of time chasing down bogus alerts–which is precisely what the attackers want.
Automating incident response and investigation as much as possible, along with leveraging machine learning to help the system decide what to do, is an ideal way to quickly identify the real attack so that the SOC team can minimize its impact.
A big challenge for security today is that many enterprises have not sufficiently changed their security defenses over the last several years, despite the fact that the attack surface they are defending has dramatically changed. How so?
- Much higher cloud usage than had been projected for 2022
- Remote sites have soared
- On-prem has shrunk faster than expected for 2022
- Partners (contractors, suppliers, distributors, supply chain, large customers, etc.) are demanding and being granted far deeper access to data, apps, and systems
- IoT and IIoT are increasing rapidly, including IoT with independent communications capabilities (its own antenna) and “secret” IIoT: manufacturing systems that the enterprise has used for decades, to which the vendor has since added IIoT devices without telling the enterprise. Surprise!
And yet, the cybersecurity defense strategies are largely the same. Please don’t get me wrong. Tools, apps, and network appliances have been repeatedly upgraded, with better security. But the defense strategy is pretty much the same, despite the cybersecurity landscape being entirely different.
Enterprises need to embrace the intent of modernizing security. That includes seriously starting the journey to true zero trust and boosting authentication with behavioral analytics, continuous authentication, and robust MFA–which means excluding weak methods such as unencrypted SMS.
Are enterprises truly using modern security? Are they leveraging network segmentation via DNS? Do they have strong, meaningful, real-time visibility into which OT systems are on the network and what they are doing? Enterprises need to maintain a list of the domains that are frequently visited and match them against domain reputations.
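The following script is an added example, not code from the original article, of the last recommendation above: build the list of frequently queried domains from resolver logs and check each one against a reputation table. The log excerpt and the reputation table are both constructed for the example (in a real deployment the table would come from the organization’s threat-intelligence feed, which is an assumption here); the log line format is likewise assumed. A frequently queried domain that is not in the trusted set, such as an OT device calling home to a domain nobody has vetted, is exactly the kind of thing the visibility question is about.

```python
import re
from collections import Counter

# Constructed DNS resolver log excerpt (invented for this example, not real traffic).
SAMPLE_DNS_LOG = """\
2022-03-01T10:00:01Z client=10.0.5.12 query=updates.vendor-example.com type=A
2022-03-01T10:00:02Z client=10.0.5.12 query=updates.vendor-example.com type=A
2022-03-01T10:00:05Z client=10.0.5.40 query=cdn.vendor-example.com type=A
2022-03-01T10:00:07Z client=10.0.7.3 query=mail.corp.example type=A
2022-03-01T10:00:09Z client=10.0.7.3 query=mail.corp.example type=A
2022-03-01T10:00:11Z client=10.0.5.12 query=a1b2c3.dyn-host.example.net type=A
2022-03-01T10:00:12Z client=10.0.5.12 query=a1b2c3.dyn-host.example.net type=A
2022-03-01T10:00:13Z client=10.0.5.12 query=a1b2c3.dyn-host.example.net type=A
2022-03-01T10:00:20Z client=10.0.9.9 query=plc-telemetry.oem-example.io type=A
2022-03-01T10:00:21Z client=10.0.9.9 query=plc-telemetry.oem-example.io type=A
"""

# Constructed reputation table keyed by domain. Lookups walk up the parent
# domains, so an entry for "dyn-host.example.net" covers all of its subdomains.
# Assumption: in production this is loaded from the threat-intelligence feed.
REPUTATION = {
    "vendor-example.com": "trusted",
    "corp.example": "trusted",
    "dyn-host.example.net": "suspicious",
}

# Assumed log line format: "... client=<ip> query=<domain> ..."
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<domain>\S+)")


def parse_queries(log_text):
    """Yield (client, domain) pairs; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("domain").lower().rstrip(".")


def lookup_reputation(domain, table=REPUTATION):
    """Exact match first, then each parent domain (never the bare TLD); 'unknown' otherwise."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return "unknown"


def frequent_domains(log_text, top_n=5):
    """Top-N queried domains as (domain, query_count, reputation, sorted client list)."""
    counts = Counter()
    clients = {}
    for client, domain in parse_queries(log_text):
        counts[domain] += 1
        clients.setdefault(domain, set()).add(client)
    return [
        (domain, count, lookup_reputation(domain), sorted(clients[domain]))
        for domain, count in counts.most_common(top_n)
    ]


def needs_review(log_text, top_n=5):
    """Frequently queried domains whose reputation is anything other than 'trusted'.

    'unknown' is deliberately included: a busy domain nobody has vetted is a
    visibility gap, not a pass.
    """
    return [row for row in frequent_domains(log_text, top_n) if row[2] != "trusted"]


if __name__ == "__main__":
    for domain, count, rep, who in frequent_domains(SAMPLE_DNS_LOG):
        print(f"{domain:32} {count:3} {rep:10} {','.join(who)}")
    print("needs review:", [d for d, *_ in needs_review(SAMPLE_DNS_LOG)])
```

Run on the sample log, the dynamic-host domain is flagged as suspicious and the PLC telemetry domain as unknown, while the two vetted vendor and corporate domains pass. The suffix walk in `lookup_reputation` is what makes a short reputation table useful against hostnames that change on every query.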
Those partners that are now getting deeper access? Contracts with those partners must now insist that the partner match the enterprise’s security level, verified by routine third-party audits.
There are many straightforward approaches to security modernization. The most critical first step, though, is making sure that your enterprise is focusing on what it needs to defend and protect, which includes leveraging what you can from your existing systems. But if you limit your efforts to slightly upgrading what you already have, you may find that your arsenal is no longer up to its task.