At a glance.

  • US TSA issues relaxed pipeline cybersecurity directives.
  • A new approach to the development of international cyber norms. 
  • CISA issues guidance on migrating to Modern auth in Microsoft Exchange Online. 

US TSA issues relaxed pipeline cybersecurity directives.

After last year’s unprecedented Colonial Pipeline attack, the US Transportation Security Administration (TSA) responded by issuing a set of strict cyber security directives for pipelines and other surface transportation industries. The first-of-their-kind directives received pushback from companies and industry lobbyists who felt that the rules, written in the heat of the moment, were too extreme and could disrupt business operations. Now the TSA has released updated, less stringent directives that industry experts say could indicate how the administration plans to write permanent rules going forward. 

One revised directive allows designated pipeline operators a full twenty-four hours to report an attack (twice the time allotted in the original rules). An update to a second directive is expected to be less stringent about required security measures like multi-factor authentication password-reset requirements, which work in traditional business settings but would prove nearly impossible for pipelines’ more complicated systems. 

TSA says they consulted with industry and government partners in drafting the new rules, explaining, “The goal is to move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology.” Suzanne Lemieux, director of operations security and emergency response policy at the American Petroleum Institute, told the Wall Street Journal, “We’re encouraged by the changes they’ve made. There were a lot of things that weren’t well thought out in the urgency of getting this out [last year].”

We received comment on the regulations from various industry experts. SynSaber CTO & co-founder Ron Fabela thinks it worth remembering that compliance isn’t an end in itself. He wrote to say:

“Reactive cyber security rules for industry continue to be a challenge for the entire industry, not just pipeline operations. The move to more performance-based metrics does give asset owners and operators room to implement security controls that meet their unique environmental requirements, and while expanding the breach notification timeline from 12 to 24 hours must be a relief, the industry needs to ask, ‘what happens after I report?’ Breach notification has potential for confusion as the community wrestles with ‘what event or events constitute a reportable breach,’ and more critically, ‘what are the benefits of reporting besides compliance.’ With a focus on breach notification becoming standard across all sectors, it’s apparent that scalable and flexible monitoring be factored into every compliance program, as the answer of “we didn’t know” is no longer acceptable to regulators.”

Chris Grove, Cyber Security Strategist, Director at Nozomi Networks, sees two important issues the updated guidelines emphasize:

“The updated guidance serves to highlight 2 important things; 1- Attempting to prescribe solutions across an entire sector can be complicated, if not impossible, and 2- cooperation between government and the private sector is crucial to our success. We need an increase in transparency between asset owners, government, and other stakeholders, in a way that improves our ability to respond to threats without overburdening the asset operators, or codifying recommendations that could work against the tenants of safe and secure industrial operations. These much-needed changes allow for defenders to be more agile, and do what’s best for their specific infrastructure and environment using a measurable, performance-based approach.

A new approach to the development of international cyber norms. 

Lawfare discusses a new approach to cultivating conformance when it comes to international cyber norms. The United Nations (UN) Group of Government Experts and Open-Ended Working Group have attempted to regulate international cyberspace by proposing peacetime cyber norms, but these attempts have fallen short, as not all UN member states can agree on how or if these traditional norms apply to cyberspace. The Global Commission on the Stability of Cyberspace (GCSC) has proposed several prohibitive norms more likely to compel action by more adequately addressing on-going destabilizing behaviors. For instance, the GCSC’s norms forbid state and non-state actors from pursuing or allowing cyber operations with the goal of disrupting essential election infrastructure elections, and they prohibit state and non-state actors from hijacking the general public’s information and communications tech for use as botnets. The writer posits that governing bodies must employ a new approach for cultivating conformance that focuses on cyber persistence.

CISA issues guidance on migrating to Modern Auth in Microsoft Exchange Online. 

The Federal Civilian Executive Branch requirements outlined in the White House’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” call for mandatory use of multi-factor authentication. To align with these requirements, Microsoft will be permanently disabling Basic Authentication (“Basic Auth”) in Microsoft Exchange Online on October 1, 2022. In preparation, the US Cybersecurity and Infrastructure Security Agency (CISA) is urging all organizations, public and private, to make the switch from Basic Auth to Modern Auth, or OAuth 2.0, and has issued guidance on the migration process. CISA states, “Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth. After completing the migration to Modern Auth, agencies should block Basic Auth.” As Security Week notes, Basic Auth is used in protocols such as ActiveSync, Exchange Web Services, Post Office Protocol/Internet Message Access Protocol , and Remote Procedure Call over HTTP. Decipher explains that agencies should begin by reviewing their Azure Active Directory sign-in logs to determine which applications or users are authenticating with Basic Auth, and then make plans for transitioning these identified applications and users to Modern Auth. Mark Montgomery, executive director of the Cyberspace Solarium Commission, expressed his support of CISA’s directive. “Effective and widespread use of multi-factor authentication is very helpful to overall cyber hygiene in the federal government,” Montgomery stated. “My only surprise was that CISA could not mandate this guidance to federal agencies.”