From May 7 to 12, 2021, the Colonial Pipeline, the largest refined-products pipeline system in the United States, ground to a halt after a DarkSide ransomware attack. The pipeline delivers about 45% of the fuel consumed on the East Coast, including gasoline, diesel, heating oil, jet fuel and fuel used by the military.
By the time Colonial's security teams detected the malware, it had already spread across the company's IT network, which they took offline. The pipeline operators also shut down their OT systems as a precaution, to keep the malware from reaching the equipment that actually moves fuel. Faced with the threat of a fuel shortage, North Carolina, Virginia, Georgia and Florida declared states of emergency.
According to CISA Director Jen Easterly, the Colonial Pipeline attack was a watershed moment "when the vulnerability of our highly connected society became a nationwide reality and a kitchen table issue." The attack, and the many that followed, forced policymakers, regulators and executives to take cybersecurity threats and policy more seriously.
Following up on TSA security directives
In the wake of the Colonial attack, the TSA issued two pipeline security directives in FY 2021. How well did the agency follow up on its own directives?
The DHS Office of Inspector General recently released an audit report examining whether TSA's 2021 security directives addressed cyber threats and stakeholder concerns. Was pipeline security actually strengthened? Unfortunately, the audit findings were not encouraging.
According to the document, “TSA also did not follow up and track the pipeline operators’ assessments of the effectiveness of their cybersecurity practices. This occurred because TSA does not have standard operating procedures or a formal system to track and follow up on pipeline operators’ implementation of the security directives. Without additional oversight, TSA cannot ensure full implementation of security directives, which can leave pipelines vulnerable to cyberattacks.”
What good are security directives if there is no way to track whether they are implemented? Perhaps cybersecurity could learn from how other regulated sectors handle the same problem.
How the FDA tracks implementation
In regulated industries, governing bodies issue recommendations to improve safety and outcomes, and some of them also track how well those recommendations are adopted. The FDA's Case for Quality program is one example.
The Case for Quality program is designed to identify medical device manufacturers that consistently produce high-quality devices. This lets the FDA single out participants whose manufacturing practices are both consistently strong and aligned with FDA laws and regulations.
There is a second reason the program seeks out successful manufacturers: their practices become a reference that helps other companies improve their own manufacturing quality.
The FDA launched the Case for Quality in 2011 following an in-depth review of device quality data and feedback from both FDA and industry stakeholders. The analysis revealed common manufacturing risks that impact product quality. The review also showed that companies that actively address the risks become more productive, receive fewer complaints, need fewer corrective actions and have lower product costs.
The Case for Quality treats regulatory compliance as a baseline, not an end goal. From that baseline, it pushes for critical-to-quality practices that demonstrably improve outcomes.
The FDA also works with the Medical Device Innovation Consortium (MDIC) and other stakeholders to foster medical device compliance and quality collaboratively. That collaboration lets the FDA launch initiatives that go beyond the traditional inspect-and-enforce oversight model.
In summary, the FDA tracks and guides quality measure implementation by:
- In-depth industry review, which includes identifying top performers
- Treating compliance as a baseline
- Looking at quality measures beyond compliance
- Fostering stakeholder engagement and collaboration to think outside of the box.
How the FAA does it
What about the FAA? How does it measure safety implementation? The FAA's Safety Management System (SMS) is a formal, top-down, organization-wide approach to managing safety risk and assuring that safety risk controls actually work.
The FAA uses a structured, systematic process that obligates organizations to manage safety with the same priority as their other core business processes. It applies both internally, to the FAA itself, and externally, to aviation industry organizations such as operators and product or service providers.
SMS is becoming a standard throughout the aviation industry worldwide. It is also spreading beyond aviation as a model for managing safety in areas such as quality control, occupational safety and health, security and the environment.
The FAA ties SMS to its certificate holders: operators and product or service providers must run an SMS that the FAA accepts. Meanwhile, the regulator folds modern safety risk management and safety assurance concepts into repeatable, proactive systems rather than one-off inspections.
By recognizing the organization’s role in accident prevention, SMSs provide both certificate holders and the FAA with:
- A structured means of safety risk management decision-making
- A means of demonstrating safety management capability before system failures occur
- Increased confidence in risk controls through structured safety assurance processes
- An effective interface for knowledge sharing between regulator and certificate holder
- A safety promotion framework to support a sound safety culture.
It is easy to see how cybersecurity could benefit from a similar framework. In the name of innovation, some will wince at terms like "obligated management" and "structured processes." But for companies that supply software to critical infrastructure, there may be no real alternative to something like a "certificate holder" model.
Change management strategies
Cybersecurity could also take a cue from change management practice. Some change management firms expect their clients to measure the contribution of their change management activities, and research shows a positive correlation between measuring compliance and overall performance.
For example, change management certifier Prosci asked participants in a research study whether they measured both compliance with the change and overall performance in meeting project objectives. Of those who measured both, 76% met or exceeded their project objectives. Of those who measured neither, only 24% did.
Could insisting that companies measure their own compliance with cybersecurity directives make a difference? The change management research suggests it would.
Long-term industry changes ahead
For now, the federal government has enacted legislation such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The law requires covered critical infrastructure entities, including financial services firms, to report substantial cybersecurity incidents, such as ransomware attacks, to CISA; the statute sets a 72-hour window for incident reports and a 24-hour window for ransom payments, with the requirements taking effect once CISA's implementing rule is final.
Cybersecurity is still far behind initiatives such as the FDA's in-depth quality analysis or the FAA's structured, systematic process. As long as malicious actors keep attacking critical infrastructure, the field may need to adopt similar practices sooner rather than later.