Archive for July 27, 2023

ServiceNow announces new Gen AI solutions, coalition with NVIDIA and Accenture + KPMG partnership

Posted in Commentary with tags on July 27, 2023 by itnerd

Yesterday, in line with its Q2 2023 financial results, ServiceNow made several significant announcements, including net-new generative AI capabilities and a first-of-its-kind program with NVIDIA and Accenture to accelerate generative AI innovation and adoption. This is timely, given all the discussion this week around AI, especially in terms of business impact and rising enterprise demand, and cross-industry partnerships. 

Here are some more details on the news:

  • Introduced a first-of-its-kind program with NVIDIA and Accenture – AI Lighthouse – designed to fast-track the development and adoption of enterprise generative AI capabilities. Since May, ServiceNow has launched a slate of powerful generative AI capabilities, purpose built for the Now Platform, and has engaged with large pharmaceutical, financial services, manufacturing, and health care companies to test them in enterprise environments. The AI Lighthouse program will build on that early progress to collaborate on designing, developing, and implementing new generative AI use cases with a select group of customers across IT service management (ITSM), customer service management (CSM), and employee experience. Learn more HERE.
  • Announced expanded generative AI capabilities, case summarization and text-to-code, which are powered by ServiceNow large language models (LLMs) to drive speed, productivity, and value for customers. ServiceNow also announced today its approach to commercialization with new premium SKU offerings across ITSM, CSM, and HR Service Delivery (HRSD), which will be available this September with the Now Platform Vancouver release. Learn more HERE.
  • Announced an expanded partnership with KPMG, building on its recently announced AI-powered Finance and Supply Chain Workflows and focusing on intelligent automation, low-code, generative AI, and enterprise risk management. ServiceNow estimates there is a $11B total addressable market by 2025 for sourcing and procurement operations. Learn more HERE.

Guest Post: IT leaders must embrace application observability to create a culture of collaboration within the IT department and avoid a talent exodus 

Posted in Commentary with tags on July 27, 2023 by itnerd

By Gregg Ostrowski, CTO Advisor, Cisco AppDynamics 

The shape and make-up of IT departments has changed dramatically over recent years. Rapid adoption of cloud native technologies within many organizations has led to the emergence of new teams such as site reliability engineers (SREs), DevOps and CloudOps, each with very different approaches and ways of working. 

At the same time, organizations continue to deploy teams to manage existing on-premises applications and infrastructure. Most businesses are switching to a hybrid environment, leveraging the capabilities of modern application stacks to accelerate innovation and embed agility into their operations, while also maintaining on-premises technologies which can provide IT leaders with greater control, particularly when it comes to regulatory compliance and managing high value intellectual property (IP). 

Within such a hybrid environment, where application components increasingly run across cloud native technologies and on-premises technologies, it’s vital that teams work closely with one another in an open and collaborative way. 

However, in the latest research from Cisco AppDynamics, The Age of Application Observability, 80 per cent of global technologists say that there has been an increase in silos between IT teams because of managing multi-cloud and hybrid environments. For example, only a third (31 per cent) report there is ongoing collaboration between IT operations and security teams. 

This lack of collaboration has profound implications for organizations and technologists themselves. First, it reduces the ability of technologists to do their jobs properly and increases the likelihood of poor application performance and security breaches. This in turn leads to customer frustration, reputational risk and loss of revenue. 

Siloed ways of working are also putting technologists themselves under ever more intense pressure, with tensions growing in many IT departments. The research finds that growing numbers are leaving their jobs as a result of this and many more will do so unless IT leaders take steps to enable greater collaboration and more effective ways of working. 

Tools, structure, data and vision – The barriers to greater collaboration in the IT department

Currently, there are a whole range of reasons why technologists and teams can’t effectively work together to manage and optimize their hybrid environments. Most of all, technologists point to the fact that the tools and technologies they are using to manage application availability and performance only serve to reinforce silos. 

Most organizations are still deploying separate traditional monitoring tools for cloud native and on-premises technologies, and this means that IT teams are working with their own siloed data. Technologists are also unable to get a clear line of sight up and down the application path where components are running across hybrid environments. Teams are sticking to what they know and making decisions based on their own immediate interests, rather than being able to take a step back and consider the whole picture. 

But as well as technology and data, there are also cultural reasons why collaboration is currently lacking in so many IT departments. Many technologists state that current management and reporting structures prevent teams from working more closely together, while others rightly point out that it’s hard to adopt a collaborative approach when teams are still measured around very specific and siloed KPIs. Without a shared vision and shared objectives, there is little incentive for technologists to think beyond their own immediate team priorities. 

Silos within the IT department present a huge problem in terms of talent retention. In the research, more than a third of global technologists report that silos and ineffective collaboration are already leading to IT talent leaving their organization, and 46 per cent claim that churn within their IT department will increase if silos persist.   

Application observability can provide a platform for collaboration

Most technologists are very keen to work in a more collaborative way with other teams and to work towards shared KPIs across the whole IT department. They are eager to do this, not only to deliver seamless digital experiences to customers and accelerate innovation, but to progress their own careers, developing new skills and exposing themselves to new technologies and ways of working. 

Technologists in all industries recognize an urgent need to move away from traditional, siloed monitoring processes and tools, and to embrace application observability as a new approach which can unify all teams within the IT department around shared data, vision, and objectives. Indeed, 85 per cent claim that application observability is now a strategic priority for their organization. 

Application observability provides all IT teams with a single source of truth for all availability, performance, and security data, with unified visibility across both cloud native and on-premises technologies. Every technologist can get visibility across the application level, into the supporting digital services (such as microservices or Kubernetes) and into the underlying infrastructure-as-code (IaC) services (such as compute, server, database and network) they leverage from their cloud providers. 

With application observability, IT performance data can be correlated with real-time business metrics, enabling technologists to constantly track and optimize impact. This means that IT leaders can create a shared vision for the entire department and incentivize teams to come together to achieve shared KPIs. 

Interestingly, 88 per cent of technologists believe that application observability with business context will enable them to operate more strategically and devote more time to innovation. They believe application observability will allow them to escape the firefighting, tension and silos that are currently such a drain on their productivity and morale, and to spend more time on interesting projects which make a real difference to customers and the business. This is one of many reasons why the move to application observability is now essential for every IT leader. 

Our Trip To France – Part 3: The Market And Dinner

Posted in Commentary with tags on July 27, 2023 by itnerd

Day two of our French vacation had us going to a market in a place called Lamastre, which is in the Ardèche department. This market happens every Tuesday and it basically shuts down the town as people come from all over the region to shop there. You basically drive in on the winding, narrow roads to get there, pay one Euro to park, and then walk into town to do your shopping. Here are some pictures that illustrate what this market is like:

It was very interesting to walk through this market and see what was on offer. It wasn’t just food that was available for purchase; you could get clothes, housewares, anything that you would need. Apparently this market runs all year round and is a must-go for those who live here.

Later in the evening, our hosts took us down into a town called Tournon which is also in the Ardèche department to this restaurant:

It specializes in fish and comes highly recommended by a relative of our hosts. I have to admit that it was very good. But since I am not the foodie in this relationship, here’s how my wife described the meal:

Our dinner started with some delightful amuse-bouche of gougères and pâté piped onto a puff biscuit, served on individual plates with fresh sardines and mousse and some local mini cress.

After we made our selections for the meal, we decided to go light on alcohol, and it was decided that a simple local wine from Crozes-Hermitage Blanc, Rhone, France would do the trick.

I had ordered “Saumon d’Ecosse Label Rouge, Sauce Teriyaki Cerise Haricots verts et noix de Pécan” for my entrée and “Velouté froid de petit pois, panna cotta chèvre de Briqu’et Vache” served on the side for him. And yes, the menu was written only in French, which translated to beautiful salmon with teriyaki glaze served with green beans for me and a cold appetizer of locally sourced goat cheese served with pea puree soup for him.

For the main, or “plat”, I had ordered “Le Lapin Bleu Blanc Coeur aux olives kalamon, Tarte pesto et courgette, jus à l’estragon”, which is the best I can describe as rabbit cooked beautifully with a mini pesto topped with kalamata olives and zucchini tart, served with tarragon sauce. For him, “Poisson selon arrival, jus de betterava, Caviar d’aubergine fumée, boulgour aux herbes fraîches”, which was the fresh white fish (catch of the day) served with beet sauce on top of bulgur cooked with fresh herbs, but the smoked eggplant was perfection, to die for (yes, I sampled some of that).

Dessert of the day was a divine mini Paris-Brest with some local wild blueberry cream and wild blueberries.

Driving back to where we were staying in the mountains at night was highly stressful as it was much more difficult to pick out corners and anything that would quite literally send us off the side of a cliff. What didn’t help was the fact that I was initially relying on directions from our hosts. But to take one source of stress off the table, I used Apple Maps to get us back. While Siri’s pronunciation of French words made our hosts laugh, it did direct us to where we needed to be correctly.

Tomorrow is a bit of a down day to start, but a bit of a stressful day at the end. Find out why when I post the next part of our trip tomorrow.

An iCloud Storage #Scam Is Making The Rounds

Posted in Commentary with tags on July 27, 2023 by itnerd

I have come across an iCloud storage scam via a client of mine who called me because she was getting emails from “Apple” claiming that her iCloud storage was running out. When I had a look at the emails, I could tell immediately that they were fake. Here’s why I was able to figure that out so quickly:

First of all, it’s not addressed to the recipient. Instead it’s addressed to “manti70ch”. Second, there’s a strange character in the second sentence. Third, there’s some sort of “limited time” giveaway, which Apple would never, ever, do. Finally, at the bottom of the email it says “Apple Distribution International”, which is not an Apple company.

Then there’s this:

This was clearly not sent by Apple as the email domain is not an Apple owned domain.
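The indicators above (sender domain Apple does not own, a salutation that does not name the recipient, a stray character in the body, a “limited time” giveaway, and links that lead somewhere other than Apple) can be turned into a simple triage script. The following is an added example written for this page, not code from the original post; the trusted-domain list, the two sample messages, and the Cyrillic letter standing in for the “strange character” are all constructed assumptions for illustration.

```python
"""Heuristic triage of a "your iCloud storage is full" email.

Added example; it is not code from the original post. It scores a message on
the indicators the post describes: a sender domain Apple does not own, a
salutation that does not address the recipient, a stray non-ASCII character
in the body, a "limited time" giveaway, and links that lead off to a
non-Apple host. The trusted-domain list and both sample messages are
constructed assumptions for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: roots of the domains Apple sends account notices from. Keep this
# list from Apple's own documentation, never from the suspicious email itself.
TRUSTED_ROOTS = ("apple.com", "icloud.com")

# Pressure and giveaway phrasing a vendor account notice would not use.
URGENCY_PATTERNS = [
    r"limited[\s-]*time", r"act now", r"within \d+ hours", r"giveaway",
    r"free .{0,40}upgrade", r"authentication fee",
]

# Typographic punctuation that legitimately appears in English mail.
ALLOWED_NON_ASCII = set("\u2019\u2018\u201c\u201d\u2013\u2014\u2026\u20ac\u00a3")


def is_trusted_domain(domain: str) -> bool:
    """True if domain is one of the trusted roots or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == root or domain.endswith("." + root) for root in TRUSTED_ROOTS)


def sender_domain(raw_from: str) -> str:
    """Domain part of the From header's real address (display name ignored)."""
    _, addr = parseaddr(raw_from)
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def link_hosts(body: str) -> list:
    """Hosts of every http(s) URL in the body, without ports."""
    return [h.split(":")[0].lower() for h in re.findall(r"https?://([^\s/<>\"']+)", body)]


def addressed_to(body: str, recipient_name: str) -> bool:
    """True if the first salutation line names the recipient."""
    for line in body.splitlines():
        m = re.match(r"\s*(dear|hello|hi)\b(.*)", line, re.IGNORECASE)
        if m:
            return recipient_name.lower() in m.group(2).lower()
    return False  # no salutation at all is treated as not addressed


def odd_characters(text: str) -> list:
    """Non-ASCII characters other than common typographic punctuation."""
    return sorted({c for c in text if ord(c) > 127 and c not in ALLOWED_NON_ASCII})


def check_email(raw_message: str, recipient_name: str) -> dict:
    """Return each indicator and a score (number of indicators that fired)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # samples are single-part text, so this is a str
    indicators = {
        "untrusted_sender": not is_trusted_domain(sender_domain(msg.get("From", ""))),
        "not_addressed_to_recipient": not addressed_to(body, recipient_name),
        "odd_characters": odd_characters(body),
        "urgency_or_giveaway": any(re.search(p, body, re.IGNORECASE) for p in URGENCY_PATTERNS),
        "untrusted_links": [h for h in link_hosts(body) if not is_trusted_domain(h)],
    }
    indicators["score"] = sum(1 for v in indicators.values() if v)
    return indicators


# Constructed sample resembling the scam the post describes (the "\u0441" is a
# Cyrillic letter standing in for the stray character the post mentions).
PHISHING_SAMPLE = """\
From: Apple Support <notice@icloud-storage-alerts.example>
To: jane@example.net
Subject: Your iCloud storage is almost full

Dear manti70ch,

Your iCloud storage is almost full and your photos will stop syn\u0441ing.
For a limited time you can claim a free 50 GB upgrade for only a $2 authentication fee.

Upgrade now: http://icloud-storage-alerts.example/upgrade
"""

# Constructed sample of what a genuine storage notice looks like by contrast.
LEGIT_SAMPLE = """\
From: iCloud <noreply@email.apple.com>
To: jane@example.net
Subject: Your iCloud storage is almost full

Dear Jane,

Your iCloud storage is almost full. To review it, open Settings on your device,
tap your name, then tap iCloud.

Manage your storage: https://support.apple.com/
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, check_email(sample, "Jane"))
```

Run against the constructed phishing sample every indicator fires (score 5); the constructed genuine notice scores 0. The checks are deliberately dumb: a score is a prompt to look closer, and the domain allowlist is the only check that cannot be talked around by better copywriting, which is why the post’s “not an Apple owned domain” observation is the one that matters most.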

So, what’s the scam? It’s meant to grab your personal and credit card details. How do I know this? I walked through the website that you go to when you click on any of the hyperlinks:

First you get to enter your details. Which means that the scammers behind this get to use those details to do an identity theft attack. But the threat actor behind this isn’t done yet:

Here’s where they steal your credit card details. And it does some verification to make sure that you enter a valid credit card number. That illustrates that the threat actors have some skill. Which means that this upgrade which requires a $2 “authentication fee” may cost you a whole lot more if you fall for this scam.

By the way, none of this fits the design language of Apple. Another hint that this is a scam.

For the record, you will get a notification on your Apple device if your iCloud storage is running out. For example, this is the one that you will get on your iPhone or iPad:

And this document from Apple can help you to manage your iCloud storage if you need to do so. So use that document rather than falling for this scam email.

New TSA Pipeline Regulations Announced

Posted in Commentary with tags on July 27, 2023 by itnerd

I am late to the party on this one. But that’s the side effect of being on vacation.

Last week, the TSA put out new cybersecurity requirements for pipeline owners. No doubt to prevent another Colonial Pipeline situation:

“TSA is committed to keeping the nation’s transportation systems safe from cyberattacks. This revised security directive follows significant collaboration between TSA and the oil and natural gas pipeline industry. The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” said TSA Administrator David Pekoske. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes. We will continue working with our partners in the transportation sector to increase cybersecurity resilience throughout the system and acknowledge the significant work over the past year to protect this critical infrastructure.”

I have some commentary on this topic.

Chris Warner, OT Senior Security Consultant at GuidePoint Security:

The TSA has announced updates to its Security Directive (SD) aimed at strengthening the operational resilience of oil and natural gas pipeline owners and operators against cyber-attacks. These updates, effective from July 27th, 2023, introduce certain requirements that may demand additional resources from organizations to comply. At a high level, the updated SD includes the following provisions:

  1. Annual submission of an Updated Cybersecurity Assessment Plan (CAP) for TSA review and approval.
  2. Reporting of the previous year’s assessment results and providing an annual schedule for auditing cybersecurity measures, with 100% assessment of security measures required every three years.
  3. Annual testing of at least two objectives of the Cybersecurity Incident Response Plan (CIRP), involving relevant individuals identified in the plan.
  4. Maintaining existing requirements, such as reporting significant cybersecurity incidents to CISA, designating a cybersecurity point of contact, and conducting a cybersecurity vulnerability assessment (SD Pipeline 2021-01C).

The updated SD introduces several changes:

  • Section II.A.3 now requires Owner/Operators to reassess their systems if they change their method of pipeline operations, notifying TSA of a schedule for compliance with the SD’s requirements.
  • A new Section II.B.3 clarifies whether an Owner/Operator needs to amend their TSA-approved Cybersecurity Implementation Plan (CIP) based on the updated SD.
  • Section II.B.4 has been removed, and Section III.A allows TSA to identify additional Critical Cyber Systems not previously identified during review.
  • Section III.F.1.e updates requirements for CIRP exercises, mandating Owner/Operators to test at least two CIRP objectives, such as network segmentation and OT and IT system isolation, at least twice a year. They must also identify two employee positions that participated in the exercises. Additionally, an annual CAP Report must include the assessment results, methods used, and the effectiveness of policies, procedures, and capabilities.
  • Section III.G changes the acronym CAP to Cybersecurity Assessment Plan, requiring not only its annual submission but TSA approval. The CAP schedule must assess 30% or more of policies, procedures, measures, and capabilities annually to achieve 100% completion of the TSA-approved CIP within three years.
  • Section IV.A now requires referencing previously developed plans, assessments, tests, and evaluations in the CIP and making them available to TSA upon request.
  • Finally, Section V.C is a new requirement addressing how documents are written and submitted to the TSA to provide flexibility for future capabilities in enhancing operational resilience.

Overall, these newly introduced provisions mandate pipeline owners and operators take proactive steps to enhance their systems’ security and protect against potential cybersecurity threats in the oil and natural gas sector. Despite the resource challenges, pipeline owners and operators understand the critical importance of strengthening their cybersecurity measures. While the implementation may be demanding, it is essential to safeguard their systems against potential cyber threats in the oil and natural gas sector. This calls for strategic planning and resource allocation to effectively address the new TSA SD requirements and enhance the overall security posture of these vital infrastructure systems.

Ron Fabela, Field CTO at XONA Systems:

Some minor but interesting updates have been made to TSA SD Pipeline-2021-02D. Interesting bits by section:

Section II – TSA seems to be making some clarifications, additions, and removals of sections based on feedback from the pipeline community or as a result of successes (or lack thereof) with certain requirements. For instance, those owner/operators that have identified no “critical cyber systems” will have to reevaluate when operations change, or now TSA may add “critical cyber systems” that were not previously included before. This may be an indication of owner/operator requirement avoidance by simply stating they have no systems applicable to the new regulation. NERC had similar challenges early in the CIP regulation days when asset owners were allowed to self-identify whether they had any “Critical Cyber Assets”. Of course, the answer at the time was “none here, regulation not applicable”.

Section III changes incident response plans testing and introduces a new term “Cybersecurity Assessment Plan”. Changes to exercising the cybersecurity incident response plan are interesting in that they now only require that half of the requirements (at least 2 out of the 4 objectives) be tested annually instead of all. These requirements are not especially rigorous, so one wonders what prompted the change.

Similarly, while Cybersecurity Assessment Plans must now be reviewed and approved by TSA, a section was added only requiring 30% coverage of requirements to be assessed each year, with 100% assessed over any three-year period. Ignoring the obvious math error (3×30%=90%, not 100%), assessing only one third of your security measures a year is a bold outlier to an effective security program.

Section IV changes make an interesting clarification. Previous plans, assessments, tests, and evaluations used as evidence to meet the SD security directives must now be explicitly incorporated by reference into the CIP and made available to TSA upon request. With TSA having to make these specific changes, I speculate that owner/operators may have said that they have requirements met by other artifacts but then failed to produce said evidence.

Overall it’s great to see updates being made by TSA to clarify the requirements and in some cases, remove any loopholes as a result of practical application of these Security Directives in the field. I would expect more revisions as assessments and technical evaluation of control effectiveness are conducted in the years to come.

Josh Thorngren, Senior DevSecOps Engineer at ForAllSecure:

The encouraging piece here is that it treats cyber strategy as something that needs to evolve. Most of the changes related to ensuring cybersecurity strategy and implementation are reviewed at least annually seem apparent, but it is a pretty impactful task. It’s easy to think about cybersecurity as ‘maintaining walls’, a legacy of the era where we just cared about the perimeter; this is an acceptance and encouragement to play active defense instead, to continually update and reevaluate. It’s too early to tell the impact, but it’s incredibly encouraging to treat cyber as an evolving posture vs a fixed one.

At least there were lessons learned from the Colonial Pipeline episode that are resulting in change. And change is good as it will help to make us all safer.

UK Gov Report: Cybersecurity Skills Gap Stagnant 

Posted in Commentary with tags on July 27, 2023 by itnerd

The UK Government’s Cyber Security Skills in the UK Labour Market 2023 report shows that more than 50% of UK companies have a basic cybersecurity skills gap and 33% have an advanced skills gap, showing close to no improvement since last year.

This year was the first year of the study that included a survey question focused on the UK Cyber Security Career Route Map, introduced in 2021, intended to make it easier for individuals to enter cyber security roles via a range of possible pathways. Unfortunately, most of the respondents hadn’t heard of it, so more referenced certification requirements as a hurdle.

“The training is there but it is costly. The certification programmes require quite a hefty cost for the training if you’re going to send people off for the week. Because there is such a shortage of skills in the industry, a lot of organizations are reluctant to put employees through it because once they are qualified, they are quite likely to move to another job on a higher salary,” said an unnamed Cyber sector respondent.

Furthermore, 41% of businesses report a lack of confidence in the area surrounding incident response, one of the top areas covered by external providers. Of the 33% of businesses that outsource any aspect of cybersecurity, 82% utilized an external cybersecurity provider to deal with incident response and recovery.

“There is a low level of understanding of what to do with incident response. I’ve even found with qualified IT security people, because they don’t have to do incident response very often, sometimes when they need to do a basic one, they need help,” said an unnamed public sector respondent.

Avkash Kathiriya, Senior VP of Research and Innovation, Cyware had this comment:  

“The cybersecurity skills gap is a consistent challenge for security teams, and while there are programs designed to incentivize education and development, we as an industry need to do more to promote these programs and address barriers to entry. For example, ISC^2 has recently introduced an entry level cybersecurity certification program.

“But this problem isn’t scalable with human expertise alone, particularly in terms of incident response. We need technology that can automate tedious, time consuming tasks that connect the dots for security practitioners, providing visibility and context to take the right action at the right time.”

This is a challenge not just for the United Kingdom, but for everyone as finding people with the right skills is a non-trivial task for many sectors. Hopefully this is something that can be turned around before it comes back to bite us all.

SEC now requires companies to disclose cyberattacks in 4 days

Posted in Commentary with tags on July 27, 2023 by itnerd

In a move that I think is long overdue, the Securities and Exchange Commission is requiring public companies to disclose cyberattacks in four days:

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.

The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Craig Burland, CISO, Inversion6 had this comment:

The SEC continues to ramp up expectations for publicly traded companies. The four-day disclosure, however, is not the kicker here. Companies have two subjective decisions before being forced to disclose. First, they have to determine the cyber event was an incident – data was lost, business was disrupted, etc.  Finding sufficient evidence to prove loss takes time. Second, the impact has to be material. For large corporations, this is a high bar that very few incidents would eclipse. 

The real toll of this decision is the one not getting the headlines. It’s part two of the requirements: the SEC wants companies to “disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” Implicit in this decision is that companies have a cybersecurity risk strategy and perform cyber governance. All too often, that’s not the case. A requirement to publicly disclose the practiced level of cyber-competence will open eyes and raise eyebrows across the country.

While not perfect, this is a great move by the SEC, as I think it would force companies to invest in cybersecurity because they would face significant blowback in the form of lower stock values and the like if they were forced to disclose that they were pwned within a four-day window. Not to mention having to disclose where they are in terms of cybersecurity. Perhaps this will be the start of companies finally getting their act together?

UPDATE: I just got a comment on this from Ani Chaudhuri, CEO, Dasera:

The new rules implemented by the SEC are a notable stride towards transparency in a world where cybersecurity incidents are increasingly common. With digital assets becoming increasingly critical to businesses, timely and comprehensive disclosure of such incidents to shareholders is pivotal.

Material incidents are those that have a significant impact on a company’s financials, operations, or reputation – elements which shareholders would indeed consider crucial in making an investment decision. The same principles apply whether we’re talking about a physical asset like a factory, or digital data. Cybersecurity is no longer a domain exclusive to IT professionals; it’s a concern for everyone.

While the SEC’s approach is admirable, it does bring a set of new challenges to the table. The reporting timeline may indeed seem tight, especially for complex incidents where an understanding of the scope and impact may take longer than four days. Given the technical and complex nature of cyber incidents, it’s important to strike a balance between providing timely information and ensuring that information is accurate and complete.

The additional 180 days granted to smaller companies is also a thoughtful concession, acknowledging that not all entities have the same resources to manage and report cyber incidents.

However, it is the clause about the potential postponement of disclosure in instances where it might pose a significant risk to national security or public safety that can be more contentious. While the intent is certainly valid, the execution must be handled carefully. Defining ‘significant risk’ might be a potential gray area, and companies should not misuse it as a loophole to delay disclosure.

Furthermore, while the rules require companies to provide a concise description of the incident, its impact, and the data compromised, they do not require companies to disclose specifics of their incident response plans or details about potential vulnerabilities. In this sense, the rules are a missed opportunity to push companies towards better preparedness and proactive planning. The more information available, the more we can learn and improve our defenses.

Lastly, let’s not forget that this rule is reactive. Disclosing an incident after it has happened does not prevent the incident in the first place. The real need of the hour is to invest more resources in proactive measures that would make our systems more resilient and reduce the chances of such incidents happening in the first place.

The SEC’s new rules are a positive step towards more transparency in handling cybersecurity incidents. Still, valid concerns and potential challenges must be addressed in implementing these rules. As we continue to rely more heavily on digital assets, the onus is on us to evolve our approach towards cybersecurity, making it a key part of strategic decision-making.

UPDATE #2: Another comment has come in from Christopher Prewitt, CTO, Inversion6:

After years of rumor and innuendo, it’s great to see the SEC act, requiring disclosure. This may force some needed attention on the criticality of cyberattacks on companies. More and more organizations fully depend on IT to perform almost every business process, and given the interconnected nature of business in 2023, it can sometimes feel like a house of cards when seeing the impact of an event.

It would be expected that there will be associated fines for those who don’t meet the 4 day window. The other requirement of disclosing on an annual basis material information regarding cybersecurity risk management, I believe, is an even more important action. This will likely bring the cyber security program to the table in the board room in a more effective manner.