October 2021, Vol. 248, No. 10
Cybersecurity
Cybersecurity Directive for Oil, Gas Pipelines Targets Vulnerabilities
By Marco Ayala, Director of Industrial Control Systems 1898 & Co., a part of Burns & McDonnell
A comprehensive cybersecurity self-assessment sent to pipeline operators by the Transportation Security Administration (TSA) is a clear signal that the federal homeland security apparatus is fully engaged in getting ahead of future attacks. The security directive (SD) was sent in consultation with the Cybersecurity and Infrastructure Security Agency (CISA).
Although designed as an assessment of what security measures have been put in place in response to TSA cybersecurity guidelines released in 2018, operators should view this as a first step toward mandatory compliance with definitive standards.
The SD went out shortly after the Colonial Pipelines ransomware attack that shut down that pipeline system for five days and raised alarm throughout the country. Although much of the ransomware has since been recovered, it is expected that attacks on pipelines and other critical infrastructure systems will continue as more and more industries demonstrate vulnerability to cyberattacks.
We are currently in the guidelines and voluntary compliance phase. The SD stipulates that the assessment be returned by June 28, while also mandating new requirements for staffing and incident reporting. For instance, the SD stipulates that if a cyberattack is detected in any form, no matter how successful, it must be reported to TSA and CISA within 12 hours.
The directive also requires pipeline operators to create a cybersecurity coordinator position. Although this can be an existing position, it must be filled by a U.S. citizen who is eligible to receive a security clearance. The coordinator also must be the primary contact for TSA and CISA and must be available 24/7.
The assessment section of the SD requires pipeline owner/operators to review current cybersecurity procedures against 18 specific sections covered in the earlier 2018 security guidelines. The assessment is a checklist with yes/no fields to respond to queries covering the full scope of the guidelines. The goal is to assess current risks, identify gaps and describe any current remediation measures underway.
For example, the sections query steps taken to protect operational technology (OT) or supervisory control and data acquisition (SCADA) systems needed to operate pipelines, compressor stations, booster stations and any other portion of critical pipeline infrastructure.
This Isn’t Punitive (Yet)
Even if an operator responds with several “no” answers, it is not in trouble. This should be viewed as a true self-assessment, and truthful answers will be viewed favorably by the TSA and CISA.
This is a good faith effort on the part of the Department of Homeland Security to work in partnership and assist pipelines and private industry in general. However, companies that provide inaccurate or untruthful responses or simply do not comply should expect a firm response. TSA has statutory authority to see that companies comply and can levy fines and other penalties to enforce directives.
Of course, companies that affirm relatively low levels of preparedness should expect follow-up by the federal agencies to request clarification on any shortcomings. The federal agencies can conduct audits to identify gaps and weaknesses, but these would come at taxpayer expense and could take considerable time.
Companies that confirm deficiencies on the TSA assessment may be well advised to begin consulting arrangements with cybersecurity firms for vulnerability and risk assessments.
Where Is this Going?
Realistically, oil and gas pipeline owners and operators should expect more prescriptive regulatory requirements in the future.
There is no question the pipeline industry has been leery of cybersecurity regulations similar to the NERC-CIP cybersecurity protocols in place for the utility industry. These all-encompassing Critical Infrastructure Protection (CIP) rules issued by the North American Electric Reliability Corp. (NERC) establish definitive security and control requirements for all elements of electric grid operations.
The electric utility industry has had the advantage of several years’ effort in implementing defense-in-depth strategies to protect the grid from attacks. Many lessons learned in that industry can now be applied elsewhere as other industries enhance their defense postures.
Pipelines have had some flexibility in implementing cybersecurity strategies, but there is a viewpoint now that it is time to reel some of that back in. The oil and gas industry definitely is taking cybersecurity seriously, but recent events demonstrate things can always be done better. In the Colonial Pipeline incident, the company had performed penetration testing but still didn’t detect a vulnerable point in an obsolete virtual private network (VPN).
It is not an easy task to catch everything. Attackers only need to be lucky once, while we need to be on our game 100% of the time. We as an industry and nation must create and maintain a robust security design that gives us greater visibility into our critical systems.
TSA will be releasing SD 02 for pipeline cybersecurity soon and it has reached out to relevant trade organizations for comments. Cybersecurity mitigation actions, contingency planning and testing are key elements that pipeline owners and operators must identify and address to TSA in the coming months. Pipeline companies will be tasked with defined turnaround times to meet specific security controls to be released in the updated directive.
Author: Marco Ayala is director of Industrial Control System Security and Sector lead for 1898 & Co., a part of Burns & McDonnell. A process automation professional, Ayala has more than 25 years of experience working in petrochemical facilities where he designed, implemented and maintained process instrumentation, automation systems and process control networks.
Comments