Skip to content
NGTEdu Logo

NGTEdu

A PRODUCT OF NGTECH.CO.IN

NGTEdu Logo

NGTEdu

  • Home
  • Cyber Attacks
  • Malware
  • Vulnerabilities
  • Data Breach
  • Home
  • Cyber Attacks
  • Improving Your Security Posture with the Pipeline Cybersecurity Initiative
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Vulnerabilities

Improving Your Security Posture with the Pipeline Cybersecurity Initiative

5 years ago Bob Covello
Improving Your Security Posture with the Pipeline Cybersecurity Initiative

A few years ago, I worked alongside some oil commodity traders. Environmental concerns aside, I never realized how many parts were required to get the oil out of the ground, not to mention everything else that finally resulted in the production of refined products that surround our lives. As a cybersecurity professional, I was more interested in how all the pipelines were intertwined and, of course, protected.

When the commodity traders asked me to install the America Online Instant Messenger application onto their desktops, I hesitated. For what legitimate purpose could an office use such an application? They informed me that a person standing on an oil rig in the ocean would use AOL-IM to communicate operational advisories to people working on the mainland, including the commodity traders. This instant knowledge enabled them to execute trades, predict the futures markets, and facilitate a group of other commodity trading endeavors. However, I was thunderstruck at this lack of security forethought by an entire industry!

I saw some of the communications, which were quite elegant in their simplicity, and quite scary from a security perspective.  To paraphrase:

Oil Rig Operator: Valve 725 open at line 60.

Group recipients: Understood. Will notify downstream operators.

Can you ponder some of the varied ways that a malicious actor could wreak havoc with such information?

Introducing the Pipeline Cybersecurity Initiative

Fortunately, in recent years, the Department of Homeland Security has developed a plan to increase security of this area of critical infrastructure. This plan was then assigned to the Cybersecurity & Infrastructure Security Agency (CISA) to carry out its implementation. It is called the Pipeline Cybersecurity Initiative (PCI), and while I wish they came up with a better name as to avoid confusion with the PCI-DSS Standard, I will not quibble.

It turns out that there are more than 2.7 million miles of pipelines responsible for transporting oil, natural gas, and other commodities across the globe. Think of that distance for a moment. Then, in light of the unsecured communication technique used by the industry, think of what it would take to disrupt that as well as the cascading consequences that such a disruption could produce. According to the PCI overview, “a compromise of pipeline systems could result in explosions, equipment destruction, unanticipated shutdowns or sabotage, theft of intellectual property, and downstream impacts to National Critical Functions (NCF).” 

When hearing about pipeline security and anything related to critical infrastructure, most people immediately think of securing Industrial Control Systems (ICS). While the PCI guidance addresses that, it takes a broader approach, as well. Topics such as evaluation of the overall security posture of a system and engaging with partners and stakeholders are considered.

CISA also offers a handy Pipeline Cyber Risk Mitigation Infographic, a resource which outlines activities that pipeline owners and operators can undertake to improve their ability to prepare for, respond to, and mitigate against malicious cyber threats. The infographic also includes historical examples to add context to some of the exploits that have occurred through a lack of the various security labels.

CISA Pipeline cyber risk mitigation

Many of the recommendations in the PCI guidance are similar to those of other familiar security strategies, such as boundary protection, monitoring, configuration management, and access control, so one may wonder why the oil industry doesn’t just follow all the other available advice. While I am sure that they do that, there is just something different about advice when it is more directly focused to a particular industry. Similar to any advice, guidance always has more authenticity when addressed to a specific audience. 

Other industries could also benefit by examining the PCI information. Since collaboration is key to the success of any cybersecurity plan, cross-industry awareness is also important for a more complete approach to these critical networks.

I am optimistic that the commodity traders no longer rely on unsecured messenger systems. Now, the entire pipeline industry can have a place to turn for more guidance.

The post ” Improving Your Security Posture with the Pipeline Cybersecurity Initiative” appeared first on TripWire

Source:TripWire – Bob Covello

Tags: Critical Severity, Encryption, Goverment, TripWire, Vulnerability

Continue Reading

Previous Data Classification Is Data Storage
Next SolarWinds Hackers Also Breached Malwarebytes Cybersecurity Firm

More Stories

  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks

4 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

16 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More

21 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Vulnerabilities

We Found Eight Attack Vectors Inside AWS Bedrock. Here’s What Attackers Can Do with Them

22 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware

Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware

23 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

1 day ago [email protected] (The Hacker News)

Recent Posts

  • Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
  • North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
  • ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
  • We Found Eight Attack Vectors Inside AWS Bedrock. Here’s What Attackers Can Do with Them
  • Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware

Tags

Android APT Bug CERT Cloud Compliance Coronavirus COVID-19 Critical Severity Encryption Exploit Facebook Finance Google Google Chrome Goverment Hacker Hacker News High Severity Instagram iPhone Java Linux Low Severity Malware Medium Severity Microsoft Moderate Severity Mozzila Firefox Oracle Patch Tuesday Phishing Privacy QuickHeal Ransomware RAT Sim The Hacker News Threatpost TikTok TripWire VMWARE Vulnerability Whatsapp Zoom
Copyright © 2020 All rights reserved | NGTEdu.com
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More here.Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT