In July of this year, the Transportation Safety Administration (TSA) released Security Directive Pipeline-2021-02D (SD-02D) Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing. The directive—aimed at owners and operators of liquid and natural gas pipelines or facilities designated as critical infrastructure—outlines requirements for enhancing cyber resilience through the implementation of a TSA-approved cybersecurity implementation plan (CIP). While most of the requirements and compliance elements remain consistent with the previous iteration (SD-02C), SD-02D establishes updated requirements and specific benchmarks and timelines for assessing and auditing security capabilities. According to TSA administrator David Pekoske, “Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans.”
Breach and Attack Simulation in Integrated IT/OT Environments
In an earlier blog, we discussed how security teams in critical infrastructure verticals are increasingly using breach and attack simulation (BAS) technologies to gain better visibility into their information technology/operational technology (IT/OT) environment by testing their security controls from the IT network, through the OT demilitarized zone (DMZ), and into the critical OT operations control layer.
By leveraging the tactics, techniques, and procedures (TTPs) used by malicious actors, BAS continuously simulates real attack scenarios against a security ecosystem to proactively test its efficacy and resilience.
Through these attack simulations, analysts can quickly understand what the attack surface of the integrated IT/OT environment looks like, test its resilience against thousands of real-world attack methods, and determine which security controls are providing protection and where the gaps lie. And because the simulations can be safely run on a continuous basis, it is easy to measure risk both in real time and over time.
How BAS Supports TSA Requirements for Enhancing Cyber Resilience
The requirements in SD-02D are another great example of where a comprehensive BAS platform like SafeBreach can be helpful in establishing and maintaining compliance, not only by validating the TSA-mandated security controls, but also by reducing the time and effort required to comply with the new audit and reporting requirements. Many of the SD-02D requirements where BAS can be most beneficial are listed in Section G of the security directive. Below, we’ll look at a few of the requirements and discuss how SafeBreach can help pipeline operators maintain compliance.
Section G, Subsection 1: “The Owner/Operator must develop a Cybersecurity Assessment Plan for proactively assessing Critical Cyber Systems to ascertain the effectiveness of cybersecurity measures and to identify and resolve device, network, and/or system vulnerabilities.”
Validating security controls is the most common use case among SafeBreach customers. SafeBreach continuously tests the efficacy of endpoint, network, web, and cloud security controls against 30,000+ predefined attack methods in our Hacker’s Playbook, including several that are specific to industrial control systems. SafeBreach is also the only BAS provider to maintain a service-level agreement (SLA) to add new attack content to our platform within 24 hours of critical US-CERT and FBI Flash alerts, allowing critical infrastructure organizations to proactively test against the latest emerging threats.
Section G, Subsection 2, Paragraph C: The Cybersecurity Assessment Plan must “Incorporate other assessment capabilities, such as penetration testing of Information Technology systems and the use of “red” and “purple” team (adversarial perspective) testing.”
Testing Your Organization’s Resilience to Cyberattacks
There are a number of security validation methods available on the market today, but each has different uses and functions. And, not all of them are appropriate in every IT environment. Don’t waste time and resources on technologies that aren’t a good fit for your specific use case.
We applaud TSA for noting the need for “other assessment capabilities” within the Cybersecurity Assessment Plan. While not specifically listed, BAS technology is a critical component of an organization’s assessment capabilities and offers several advantages that offset the limitations of the technologies listed by TSA. For example, penetration testing and red teaming represent a point-in-time assessment that is quickly outdated. SafeBreach attack simulations run continuously to ensure your assessment results are always current.
Penetration testing and red teaming are also time- and resource-intensive activities with the potential to disrupt production systems (a non-starter in OT environments). SafeBreach is automated, so the time and resources required to run attack simulations are much lower. In addition, because SafeBreach simulates real-world attacks rather than actually executing malicious actions, there is no risk of disrupting production processes.
Section G, Subsection 2, Paragraph D: The Cybersecurity Assessment Plan must “Include a schedule for assessing and auditing specific cybersecurity measures and/or actions …. The schedule must ensure at least 30 percent of the policies, procedures, measures, and capabilities in the TSA-approved Cybersecurity Implementation Plan are assessed each year, with 100 percent assessed over any three-year period.”
Because SafeBreach’s BAS platform continuously tests the efficacy of security controls, pipeline operators who incorporate it into their assessment plan can easily assess and validate 100% of their controls at any time. And, this information is visualized in customizable dashboards and reports to help key stakeholders quickly understand existing gaps, evaluate risks, and track improvement over time.
Ready to learn more about how SafeBreach can help you maintain compliance with this and other IT/OT security directives? Check out our IT/OT resource hub or schedule a personalized demo with a SafeBreach cybersecurity expert.