Pipeline Security blog image
Blog

Pipeline Security, Visibility, and Detection at the OT Edge

Jori VanAntwerp, CEO SynSaber
Jori VanAntwerp
CEO, SynSaber

[originally published in World Pipelines Magazine | Volume 22 | Number 9 | September 2022]

How can you detect malicious or anomalous activity at the edge of your network, when your environment includes a pipeline or disparate facilities spanning thousands of miles?

Pipeline security has become a greater public concern in recent years, with increased media and regulatory attention after the Colonial Pipeline ransomware incident in mid-2021. Colonial Pipeline’s lack of visibility into their OT environment combined with “best practice” policy for operations shut down a pipeline for an extended period of time. These challenges are not Colonial’s alone. This incident showed us just how little visibility into these environments we have today, and the single points of failure within that limited visibility.

The threat landscape continues to evolve, now including issues such as Ransomware as a Service (RaaS) and increased mass scanning techniques, and new attacks are being developed every day. While OT networks may be more likely to be a victim of “splash damage” rather than a direct attack, the risks to critical infrastructure are not disputed. As a result of the increased threat and awareness of potential risks, organizations are looking for ways to improve their visibility and their defenses against these attacks.

Organizations are updating their security policies, reviewing operations, and implementing new security platforms as a result of governmental regulations and security directives. That being said, the reactionary (and often rushed) regulatory policies can cause pipeline operators and owners increased administrative burden, without a tangible increase in security posture.

This article presents an overview of the current state of pipeline visibility and security challenges, including environmental and technical issues that come into play. In addition, it provides some guidance on how to improve visibility and detection at the edge of your networks, even if that “edge” is thousands of miles from your main data center.

Monitoring and Environmental Challenges

Pipelines typically run over large geographical distances, through harsh environments, and with limited communications and power infrastructure available. In addition, pipelines must comply with increasingly stringent environmental, safety, and cybersecurity regulations, frequently without the ability to address physical threats. To address environmental and safety regulations, new operational and multiservice applications are being deployed to take advantage of increased bandwidths from developments in WAN technology. Modern cathodic detection, leak detection, video, audio, and remote collaboration solutions have integrated with each other to link pipeline stations and control centers while allowing for expansion in future technology.

The challenge now lies in integrating these technologies and services to provide real-time or near-real-time information about the status of the pipeline and its components. While some of these systems may be able to detect anomalies or failures, they cannot necessarily identify what caused the anomaly or failure. For example, if a pump station detects a fault, it will send out a message to the operator at the control center. However, the operator often has no way of knowing whether the fault was due to a mechanical failure, a software bug, or something else entirely. Without the ability to access the data and correlate events between different sensors, operators are unable to determine which component failed first, and, therefore, which part needs maintenance or other attention.

In order to get a more holistic view of any problems, it’s helpful to collect data from multiple sources, integrate that data, and then use analytics to understand the cause of any anomalies or failures. Part of the reason why my co-founder and I founded SynSaber was to help empower industrial operators with data from the OT edge in a vendor-agnostic platform. The solution gives them the ability to slice and dice the data however they prefer within their current workflows prior to sending it to their existing SIEM, SOAR, MSSP, or wherever the data is needed most.

The Role of Regulation in Pipeline Security

Increased guidelines and directives are often some of the first steps taken by the government or authoritative bodies responsible for regulating various industries. After the Colonial Pipeline incident, it’s widely agreed that much of the new regulation was reactive in nature and that the regulatory bodies could have benefited immensely from reaching out directly to the community for guidance and feedback prior to publication.

With the recent (late July 2022) revisions to the TSA Pipeline Security Guidelines, we’re hopeful that collaboration between the administrative entities and the industrial community they’re regulating continues to improve.

Below is a list of some of the regulations that pertain to organizations managing pipelines:

  • IEC 62443
  • NIST SP 800-53
  • NIST Framework for Improving Critical Infrastructure Cybersecurity
  • ISO27001 Section A12
  • API 1164
  • NERC-CIP
  • TSA Pipeline Security Guidelines (updated in July 2022)

A crosswalk of these regulations does take into account the unique implementations seen with Industrial Control Systems (ICS) but relies incredibly heavily on segmentation and air gapping to separate the native insecurities of the systems and break chains of attack. While the basic sanitization logic offered by these regulations does make it more difficult for attackers to cause impacts to the systems, pipelines are unique in their tolerance to the adoption of new technology and increased integrations with corporate environments. This shifting set of technology-driven threat vectors is difficult to effectively measure and develop a security culture around with a remote, isolated workforce.

Getting Back to Basics

While there is no one regulation or solution that can protect against all possible attacks, the list below provides a good starting point for developing a strategy to better secure your pipeline environment. The key is to start with the basics:

Segmentation – Separate networks and devices based on function and location.
Air-Gapped Networks – Separate networks based on geographic distance.
Physical Access Control – Limit access to only those who have been granted authorization.
Log Management – Monitor logs for suspicious activity.
Network Monitoring/IDS – Monitor network traffic for unusual behavior.
Firewall – Block incoming connections to known malicious sites.
Vulnerability Management – Remain vigilant and aware of new vulnerabilities as they are reported. Understand the risk to your environment and patch vulnerabilities promptly (we know this can be tricky in ICS environments, but it’s still an important part of a robust security program).
Security Awareness Training – Ensure employees know how to properly handle sensitive information.

While ICS and pipeline environments offer unique challenges, it’s important to start with a foundation of the basic security elements listed above.

Technical Challenges to Increasing Visibility

Communication architectures must incorporate multiple applications and traffic types traversing over multiple wired and non-wired paths for primary and failover information exchanges. WAN, Ethernet, MPLS, DWDM, OTN, cellular, and wireless are all used as communication mediums with a budding collection of single-purpose hosts, applications, and protocols depending on the location and project requirements.

The power and space limitations make hardware deployment increasingly challenging, lending to embedded applications with complicated deployment strategies to be managed by limited staffing. Monitorable service-level agreements (SLAs) must be delivered with network security solutions accounting for sub-50-ms network reconvergence, traffic engineering for path redundancy and selection, bandwidth reservation, and quality of service changes that prioritize operations.

Another technical challenge that pipeline owners and operators face when trying to increase visibility in their networks is the form factor involved in their environments. Often, the equipment boxes that manage leak detection, flow valves, PLCs, and other data points are very small. Asset owners are challenged to find a solution that can harness the data from those elements with a form factor small enough to fit within the monitoring stations and locked equipment boxes.

This is a large focus for us at SynSaber, and it’s the reason why we have developed a software sensor with an ultra-small footprint that only needs two cores and 2GB of RAM to run effectively. Our goal is to empower industrial operators with the data they need from the edge of their networks without requiring costly and bulky hardware.

Mitigating Future Risks Through Improved Edge Visibility

Adoption of a robust security and visibility program can provide metrics that enhance understanding in performance management, accounting management, fault management, and configuration management. These operations provide a foundation of data that ultimately enhances reliability in systems that are mandated to perform in real-time (and with less downtime maintenance opportunities than other verticals).

Ultimately, visibility creates opportunities for CapEx and OpEx savings with low footprint products that take into account variable networks, deployment limitations, protocols, and project requirements in a growing technological reservoir.

Network Visibility Improves Reliability

A reliable network is essential to the smooth operation of any business, and it’s especially important in critical infrastructure environments like pipelines. When a network fails, it causes disruptions in the flow of information throughout the company. If a network does not work properly, then it could cause a loss of productivity and revenue (i.e., Colonial Pipeline shutting down the OT network as a result of ransomware on the IT side). Greater visibility helps to improve the reliability of the network and the reliability of the critical infrastructure environment itself.

Increased Visibility Drives Innovation

Visibility also provides a platform for innovation. It allows for the development of new metrics that will drive future growth. For example, it enables the creation of new tools and techniques that allow for better monitoring and analysis of the network infrastructure and operability. This includes the ability to monitor and analyze traffic patterns, detect anomalies, and correlate events across different layers of the network. With increased visibility, it becomes possible to create new methods for managing the network based on the needs of the organization (i.e., stop sending Tim or Tammy in a truck down to a facility when you can view data showing the anomalous activity remotely).

Visibility Provides Insight Into Operational Performance and Efficiency

Operational performance is one of the key factors that determine the success of any business. A well-designed operation should have high availability, scalability, and performance. To achieve these goals, the network has to be monitored and analyzed regularly. By increasing visibility at the OT edge, you can get insight into how your entire operation performs rather than a fraction of your overall environment. Identify bottlenecks, find out where there is congestion, and see if there are any problems with hardware, network, or systems.

The Ultimate Goals: Safety & Reliability

Asset owners, operators, and analysts in critical infrastructure typically don’t want cybersecurity just for cybersecurity’s sake — they want safety and reliability. While implementing foundational security basics, maintaining compliance with new regulations, and increasing visibility into the edge of your networks is important, it all comes down to safety and reliability.

International pipeline operations are a critical part of many other organizations, and consumers and regulatory entities will continue to maintain their focus on the reliability and security of the industry. Whether you choose to use a software solution like SynSaber or any other monitoring and detection platform, gaining visibility into the edge of your OT networks will help to reduce risk and improve uptime, reliability, and operational efficiencies.

~Jori 🤘⚔️