CyberWire staff | Thecyberwire.com
The Transportation Security Administration (TSA) yesterday released another Security Directive, formulated under CISA’s tutelage, that requires critical pipeline owners and operators to devise a disaster plan, run a security architecture assessment, and execute certain mitigations. TSA’s first Directive arrived in May of this year.
Roger Grimes, data-driven defense evangelist at KnowBe4, sees the regulations as steps in the right direction, but ones that probably won’t take the industry very far in the direction of security. Cyber conflict is a human problem, like war itself, and not easily solved by technical or regulatory means:
“This is good news. Anything that gets us better secured is a good thing. It will also likely not work. Why? Because it is hard to be perfect and every organization is already trying to do computer security perfectly. Adding another requirement on top of all the other requirements and regulations overtop of what they already know they should be doing is likely not going to result in being significantly more resilient to cyber attacks. It cannot hurt…but it is not likely to be the final nail in the coffin that defeats all malicious hackers and malware.
“Well, what then will it take? For one, we need to make it harder for malicious hackers and malware to hide. Hackers hack and spread malware because they either cannot be traced or cannot be arrested and punished when caught. A malicious hacker is more likely to be struck by lightning, twice, than to get arrested for hacking. We need to significantly secure the internet itself, to make it more secure by default. We will stop more bank robbers when we stop allowing so many banks to be robbed and for all the bank robbers to get away. There are ways to make the internet significantly more secure. I have written on this topic for decades and recently re-submitted plans for how to do so to CISA and other internet security groups. We have the technology. We do not have to re-invent the wheel. We just need the right people in the same room and a true willingness to solve the problem.
“I do not want to undersell how hard it is to get people to agree on anything, much less how to fix the internet. But it is not a technical problem. It is a sociological problem…it is a human problem. One day, some digital 9/11-type event will happen to the internet, and when it does, enough enemies and competitors will come together against a common foe that we actually get the support to push the new technology. The technology is there. We are just waiting for agreement. Until we get a far more secure internet and global agreement on digital crimes, we will fight malicious hackers and malware. One more regulation on an industry is not going to change the problem. How do I know? Because we have had three decades of increased regulation and the problem is only getting worse each year.”
Still, it is a valuable exercise, but not one that will, in Grimes’ view, amount to a panacea.
We also heard from Saryu Nayyar, CEO of Gurucul, who cautions that last month’s attack on Colonial Pipeline won’t be the last any more than it was the first:
“As a result, the TSA is mandating protections against pipelines and other types of infrastructure for ransomware and other similar attacks. This directive by the Federal government is long overdue and represents an acknowledgement of the vulnerabilities of our infrastructure to weaknesses in such areas as pipelines, power plants and other utilities, and transmission networks. Although these industrial systems have become increasingly automated, the designers have not given proper attention to protecting their networks from attacks. While no large-scale network is completely safe, infrastructure providers have to do more, including monitoring their networks for unauthorized traffic, and having systems in place to understand and investigate anomalous traffic behavior.”
And Doug Britton, CEO of Haystack Solutions, sees a convergence of cyberspace and kinetic space:
“This is a stark reminder that we are entering a new era where threats are moving from atoms to bits. The digital world is inextricably linked to our physical infrastructure and threats will be an ever-present element of operating in this new normal. It is time to make important and much needed investment in our cyber workforce. A critical element in protecting our infrastructure. We have the tools to find the talent we need, but we need to get them in place before more of these attacks erode trust in critical systems we all rely on.”
External Link: TSA Announces New Pipeline Security Guidelines