Implementing secure remote access under the new TSA Pipeline Security Guidelines
Responding to cyberattacks against Colonial Pipeline and other critical infrastructure, the Transportation Security Administration (TSA) announced the Pipeline Security Guidelines in 2021 (Guidelines) and two security directive additions. These mandate new security requirements for pipeline owners including rules governing cybersecurity around operational technology (OT).
The Guidelines address malicious cyber activity targeting natural gas and oil pipelines by working to mitigate risk associated with operational technology systems through the adoption of baseline and enhanced standards within the industry.
Included in the Guidelines are new mandatory conditions governing how remote access to critical infrastructure is permitted.
This post describes best practices for implementing secure remote access, including how to meet the five requirements in order to allow remote access control within the framework set forth by the Transportation Security Administration.
Remote access can be a valuable tool to troubleshoot operational problems and address issues quickly. It's important to balance the need for remote access with security requirements such as access requests, authentication, logging, and segmentation/session isolation. We'll tackle how to handle this balance here too.
Bear in mind that TSA has issued two security directive addendums in addition to the Pipeline Security Guidelines. These are not all made publicly available, and we therefore do not speak to them in this article.
How do the Guidelines address cybersecurity?
TSA's cybersecurity guidance for OT systems are based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Framework). If you're familiar with the NIST Cybersecurity Framework (CSF) 1.1 then this will look familiar to you—the Framework builds heavily off of the CSF.
The Guidelines recommend pipeline operators use the NIST Framework and the guidance issued by DHS and the Department of Energy along with industry-specific or other established methodologies, standards, and best practices when implementing an effective cybersecurity strategy.
The TSA Guidelines conveniently use the same categories as the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
The five requirements you must meet when allowing access control
The Guidelines specifically address Access Control within the Protect section. There are other areas that tie into a secure access program we'll touch on below, but Access Control is the best place to start.
Here is what you need:
1. Enforce unique user accounts
Establish and enforce unique accounts for each individual user and administrator, establish security requirements for certain types of privileged accounts, and prohibit the sharing of these accounts. In instances where systems do not support unique user accounts, then implement appropriate compensating security controls (e.g., physical controls).
In higher security situations:
Restrict user physical access to control systems and control networks through the use of appropriate controls. Employ more stringent identity and access management practices (e.g., authenticators, password-construct, access control).
Dispel enforces NIST Special Publication 800-63B Digital Identity Guidelines for user accounts, which enforces unique accounts for each user, sets role-based access control rules (RBAC) for user permissions, and use MFA to restrict sharing of accounts. Through the use of virtual desktops and ACLs, Dispel provides the compensating security controls needed when systems do not support unique user accounts. Finally, in higher security situations, Dispel Access Control List (ACL) restricts remote (not physical) access to control systems and networks through 800-63B identity and access management practices, including MFA.
2. Remove inactive user accounts
Ensure that user accounts are modified, deleted, or de-activated expeditiously for personnel who no longer require access or are no longer employed by the company.
Dispel Access Request Enforcement automatically removes users who no longer require access, and lock out inactive accounts if desired.
3. Enforce and monitor access policies
Establish and enforce access control policies for local and remote users. Procedures and controls should be in place for approving and enforcing policy for remote and third-party connections.
In higher security situations:
Monitor physical and remote user access to critical pipeline cyber assets.
Dispel Access Control List (ACL) allows per user, per IP, port, and protocol access enforcement. This includes environments where the underlying system itself is on a flat network. Addressing enhanced security requirements, Dispel session records allows for real-time and audit monitoring of remote user access to critical pipeline cyber assets.
4. Segregate duties
Ensure appropriate segregation of duties is in place. In instances where this is not feasible, apply appropriate compensating security controls.
Dispel enforces segregation of duties between remote access requests and permissions. Dispel also provides logs of who requested access, when, for how long, what reason, and who approved their request.
5. Change default passwords or implement an intermediate barrier when systems only have one user account/password
Change all default passwords for new software, hardware, etc., upon installation. In instances where changing default passwords is not technically feasible (e.g., a control system with a hard-coded password), implement appropriate compensating security controls (e.g., administrative controls).
In higher security situations:
Employ mechanisms to support the management of accounts.
Dispel does not permit default passwords for remote access. For systems where changing passwords isn't supported, Dispel provides the appropriate compensating security controls (VDI and time-restricted access with unique passwords). And, Dispel user management supports management of accounts.
The TSA Guidelines in full
Access Control ties into other Guidance sections
While access control enjoys its own category in the Guidance, don't think that your critical infrastructure remote access system should only align with just that section. Pipeline owners and operators should use integrated technologies that support a complete and connected view of those who have access to their computer systems over the internet.
Remote access should be aware of the situation it is operating in to get the most out of your system. For example, if you as the cybersecurity coordinator want to apply per-user IP, port, and protocol access control list restrictions while a user connects, the remote access software must understand which endpoints are within the network so that rules can be applied. The enhanced view gives the pipeline owner's cybersecurity coordinator confidence that the procedures are being followed. They have real-time data sets to back up the rules.
Specifically, we believe access control should play a part in Asset Management, Protective Technology, Anomalies and Events, Security Continuous Monitoring, Recovery Planning, and Improvement. See the long-form image for more details.
Where to next?
The TSA Security Guidelines and security directives transfer greater responsibility to energy sector operators. The enforcement of new cybersecurity requirements for the liquid & natural gas and oil sector is a responsible development to defend U.S. critical infrastructure.
Given the TSA's usage of the NIST Cybersecurity Frameworks, it seems logical that future industry guidelines will continue to build upon the work and materials already available to the sector.
Here at Dispel, we'll continue building a platform designed to meet security requirements for heavy industries and utilities. Contact us if you'd like help with your program.