The Transportation Security Administration Is Now Screwing Up Cyber Security
from the here's-a-bunch-of-copy-pasted-boilerplate-said-TSA-security-experts dept
Formed less than a month after the 9/11 attacks in 2001, the TSA has yet to get a firm grip on “transportation security,” the thing that makes up two-thirds of its acronym. Audit after audit has found TSA screeners are incapable of finding explosives and other dangerous contraband. If government auditors can smuggle mock explosives and weapons past screeners 90-95% of the time, no doubt terrorists can do it, too.
But terrorists haven’t. Why? Because terrorists have better options than hijacking planes, something the TSA admitted years ago, though it somehow still feels this justifies its hoovering up billions in funding every year. The “successes” the TSA tends to tout are its ability to fully participate in asset forfeiture programs and to sniff out novelty “weapons” carried by passengers with no terroristic plans or desires.
The TSA doesn’t just handle planes. It also handles other forms of mass transit, including trains and buses. And it’s similarly uninterested in security when handling those vehicles. Most of its time is wasted the same way it’s wasted at airports: looking for cash or things that aren’t actually contraband.
What you may not know is the TSA is also in charge of overseeing the many gas pipelines that cross the nation. True, pipelines do transport stuff, but not the kind of stuff that can be handled in the “fondle your genitals” sort of way TSA agents are used to. The threat to pipelines has mostly been theoretical, which has largely allowed the TSA to do this job without having its failures detailed by journalists and activists.
Since the threat has mostly been theoretical, the TSA has been able to coast along for several years without having its competency questioned or challenged. Unfortunately for the TSA, the threat went from “theoretical” to “incipient” to “underway” in May 2021, when Colonial Pipeline (which carries gasoline, diesel and jet fuel to much of the southeastern United States) was hit with ransomware, resulting in a pipeline shutdown and fuel shortages across the region.
Rather than place the cybersecurity of the pipeline (given the hackers had no genitals to be fondled) in the hands of an actual cybersecurity entity (of which the federal government has several, CISA among them), this security job was handed to the least qualified candidate. As Eric Geller reports for Politico, the TSA has approached this new job with the same level of competence it’s brought to everything else.
Oil and gas pipeline operators say the TSA’s cyber regulations are full of unwieldy or baffling requirements that could actually jeopardize pipeline safety and fuel supplies. Others in the energy sector, and cyber experts who help defend these systems, agree with these objections and say the TSA’s small cyber team has been overwhelmed by a flood of industry requests for workarounds.
“In every sense, TSA has screwed this up,” said Robert M. Lee, the CEO of Dragos, a cybersecurity firm that works with critical infrastructure companies. “It is a giant cluster and in many ways is a perfect example of what not to do with a regulatory process.”
Now, to be fair, the TSA was incredibly ill-equipped to handle this new directive. Given the heightened threat of Russian cyberattacks following the Russian government’s attacks on Ukraine, some agency was going to be saddled with securing pipelines, and it sort of made sense to hand it off to the entity already (allegedly) handling the physical security of the pipelines.
But the TSA is not only under-equipped to handle this new directive, it has apparently done little to make itself better equipped. While TSA officials are currently working with industry reps to iron out the OOPS! ALL WRINKLES rollout of the agency’s apparently copy-pasted security “plan,” the agency has only one official and a handful of part-timers handling questions and applications from pipeline companies attempting to comply with the TSA’s carelessly assembled mandates.
The mandates handed down by the TSA’s cybersecurity team appear to be direct copies of mandates written for ordinary IT systems, the kind that handle the government’s clerical work, rather than for the operational technology (the industrial control systems, controllers and field devices) that actually runs gas pipelines.
In July, the TSA issued rules requiring companies to deploy more than three dozen common cybersecurity defenses, including weekly antivirus scans, prompt security patching, strict firewalls to block malware and adoption of multifactor authentication, a technology that asks users for a second proof of identity in addition to a password, in order to block unauthorized access.
You can’t just apply office IT practices to operational technology. Pipeline controllers and other field devices run specialized, often proprietary firmware; many can’t run antivirus software at all, and they can’t be patched or rebooted on an office-style weekly cycle without halting the physical process they control, which is exactly the safety and supply risk the operators warned about. The patching demanded by the TSA’s copy-pasted mandates meant companies would need to send people to each physical control box and attempt to do whatever roughly aligned with the TSA directive in order to comply. And months after this first directive went out, operators are still struggling to carry out the TSA’s mandates.
The TSA has, at least, admitted it has screwed up this cybersecurity rollout. But apologies aren’t going to make pipelines more secure. Counterproductive efforts like these are actually making it more difficult to secure pipelines from cyberattacks. Gas production and transportation are heavily regulated industries, and the to-do list for companies is often topped by federal compliance demands. An inadequate, thoroughly inapplicable set of regulatory demands means companies first have to find something that works and is still compliant, and then wait around for the TSA’s understaffed pipeline cybersecurity office to institute changes that better reflect the hardware and software actually used by pipeline operators.
Companies want outcome-based targets that let them institute fixes addressing the end goals without being tied to ridiculous demands like, I don’t know, purchasing the full version of Norton Antivirus. Given what “help” it’s been so far, it makes far more sense for those handling the equipment to figure out how best to secure it. If the TSA wants to blunder in later to spot-check things, then I guess it will give those employees something to do that won’t involve separating people from their medical equipment and/or constitutional rights.
Filed Under: cyberattacks, cybersecurity, oil pipelines, security theater, tsa
Comments on “The Transportation Security Administration Is Now Screwing Up Cyber Security”
The home of Barney Fife
Anyone who has ever flown knows the real name of the TSA is Tub Stacking Authority.
There is no meaningful security in anything they do.
Until something major (well more major) happens & gathers breathless reporting Congress will do fsck all about it.
They dare not look like they are assisting any tech group when reelection is on the table; they will ignore experts just for hating conservatives, which fuels the basic things they point out should be done.
Humans react stupidly & then over-compensate behaving like it will happen again any second now. We defend against the black swan coming again, while ignoring those damn canadian geese shitting all over everything.
We now are in a world where despite billions flowing into the coffers and allegedly the best minds working on it the government itself is hacked on a regular basis.
They cannot secure themselves yet believe they have deployed the best & brightest to protect the nation… we see how that worked out.
I also question if there actually was a gas shortage. I mean, it took 5 days to get it back to full operation, but if idiots weren’t filling paint buckets from Home Depot, the plastic-lined beds of trucks, mason jars, and every other nonsensical thing you should NEVER KEEP GAS IN, in a panic, acting like this was the last gasoline on the planet & the zombies were on the way… I don’t think stations would have “run out” before anyone noticed.
But y’all live in a country where plastic sheeting & duct tape were the best suggestion to protect ourselves from an anthrax attack that was coming any second now.
As Bruce Schneier so succinctly observed, the TSA performs “security theater,” which has little or no relation to actual security. Theater may work for airline passengers, but pipelines make a really lousy audience, aren’t so readily manipulated, don’t have any underwear to sort through, and have no need to rush to find a place for their carry-on in the overhead bin.
If you want to actually secure something, you need to start with a clear understanding of what it is you’re trying to protect and a prioritized model of the probable threats. It’s also helpful to have some reasonable knowledge of the domain in which you are operating. How many TSA agents have ever met a pipeline?
I’m guessing it’s a round number. Very round.
And probably exactly the same as the number of agents who have the slightest clue about any of the infrastructure, systems and software that’s needed to actually operate one…
In breaking news…
TSA has just enrolled all pipeline owners into LifeLock… we’re all safe now.
And still, to this day, efforts to address the problem at its core are opposed by some politicians.
There is major issue with dependency on fossil fuels, oil in particular, but any attempt to reduce this dependency is met with opposition by all republicans… and even some democrats. (I won’t name Manchin, but you know who I’m talking about. :D)
Classic republican approach, where the solution to a problem is more of the problem.
Add to this the use of an agency that has a proven track record… of 95% failure… on what was supposed to be its core function… to handle something that was never its expertise, and the result was awfully predictable.
Wyrm: Only fossil fuels are vulnerable to cyberattacks, and anyone who claims otherwise is a Republican.
Techdirt, talking about the 5800 German windmills knocked out as collateral damage to a satellite hack: (¬_¬)
Yeah, take that strawman elsewhere because it can’t even stand up by itself.
Here’s the thing: the world is magnitudes more dependent on fossil fuel than on the ability to reset a couple thousand windmills if need be. Someone hacks the control system for a gas or oil pipeline and suddenly you have millions of people without gas, heat and electricity.
Remember the Colonial Pipeline hack? That was just an extortion attempt that succeeded; if the hackers had gone in and actually bricked systems, guess what would have happened? It wouldn’t have been pretty.
In the past,
Where has all the moaning and groaning about Infrastructure security Gone?
We have been listening to this for a long time. Shouldn’t this already be DONE?
Where did all the hacking happen and end up, That SUPPOSEDLY was happening?
Now if these SMART corps got lazy, they would have integrated with the internet, and NOT built their own system, which would require being connected ONLY to that system.
Then let’s not count that the US Gov. subsidizes Oil exploration for over $24 billion, the oil corps Export most USA oil for an $8 billion profit, then Import more oil to make another $8 billion Profit from Citizens.
And if they Ain’t created a Good protection system, Whose problem is it? Who do we complain to?
Then lets not Look back on history of the oil pipelines and Maintenance. And we Still have not looked/supported Alternatives that would bypass the OIL pollution system.
It is a giant cluster
Did he really say “cluster”? Because I keep reading it as something slightly more expressive.
Re: Correct Term
The correct term is “Hungarian Group Entertainment”, sometimes abbreviated HGE.
(term may be used to refer to updates that break preview on websites)
I have been a net. admin. at a private school for many years, and about 7 or 8 years ago we were hit with ransomware three times. In our case, all three occasions were the result of a user clicking something they shouldn’t have. All three occasions were detected early, and were stopped by manually pulling the plugs of the machines affected. All three occasions were remedied the “old fashioned” way: we restored the affected data from backups, and moved on.
We are a school, and thus rely on internet and email for nearly every aspect of what we do; there is no getting around it. The internet cannot ever be trusted; there is also no way around this. The internet is an ocean, rife with malice and malignancy powered by inexhaustible resources, constantly working to drill into, or at least erode, your hull and sink your ship. If you must traverse this ocean, understand that your time and resources are better spent preparing for a breach rather than buying a hull whose manufacturers claim to be unsinkable, with the misguided belief that you are somehow safe.
Which leads me to my question about this incident, as well as any other concerns about hackers gaining access to any critical infrastructure: WHY THE FUuCK ARE THESE SYSTEMS CONNECTED TO THE INTERNET?
Also, no redundancy? No backups? It kinda seems like the TSA aren’t the only ones caught hastily penguin-shuffling back to their desks with their +5 Pants of Incompetence slacked around their ankles.
In the Colonial case, the pipeline was never hacked. The attackers disabled the company’s other systems, such as billing, and the company voluntarily shut down the pipeline because they wouldn’t have been able to charge for the oil. So securing the pipeline control software isn’t enough.
I get to do it!
Ahhh the TSA cancer,just another boondoggle created so elites can fill their coffers so the gub can say “we did gumtin”!! Not a debate of course so ho hum anyway. BUT, AND YOU KNOW ITS A’COMIN! #ABOLISHTHETSA #treasonoussanctomoniousasshats #thievessayand #thankssorryanext
P>s> Its not like there is anything left to….. @abolishthepolice #reefermadness #waronpeople #acab damn! What’s the correlation here?!? I believe I said good day!