Pipeline operators are taking necessary steps to strengthen their digital infrastructure and build cyber resilience at a time of increased uncertainty. Depending on who you ask, nearly every digital component they rely on is potentially at risk in some way. While owners and operators realize the potential cascading effects of a cyber incident affecting their operations, companies and stakeholders are still mostly reacting to security incidents rather than preparing for their potential impacts.
The risk of widespread and lengthy disruptions, outage, or destruction of critical resources, products, or services requires immediate attention and ongoing action. That’s why the TSA recently released new guidance and requirements for owners and operators of pipeline and liquified natural gas facilities.
Regulations have to be vague enough that they do not become obsolete given a dynamic and growing threat landscape while not being overly prescriptive in a way that diminishes an organization’s ability to comply.
In this blog we’ll outline the latest TSA guidelines designed to ensure these risks are addressed and provide some guidelines to help operators plan for long-term success.
Pipeline Risks and Requirements Today
Recently, nation state capabilities for targeting physical operations are on the rise. OT vulnerabilities are included in opportunistic probing of IT networks, USB attacks continue to plague industry, and insider threat scenarios continue to be the top cybersecurity threat in their environment.
When it comes to oil and gas pipelines, a range of cyber scenarios can cost millions in unplanned outages and maintenance, with costs skyrocketing to include recovery and remediation. The top risks remain evergreen, including:
- Insecure and hijacked remote connectivity
- Well-known vulnerabilities in systems designed without security in mind, some without available patches or difficult to isolate and/or update
- Internet connectivity and control systems connected to corporate/enterprise networks
- Widespread technical specifications for control systems available online and in print
TSA recently released new guidance and requirements for owners and operators of pipeline and liquified natural gas facilities, directing them to:
- Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
Pipeline owners and operators are also required to:
- Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth in the security directive.
- Develop and maintain a Cybersecurity Incident Response Plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident.
- Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.
It’s important to report significant incidents, but the best suggestion in the new guidance is to not only create plans, but to test plans regularly (early and often). This requires implementation of many of the other requirements, especially the cybersecurity point of contact who will need to iron out a communications procedure in case of incident or emergency.
The updated requirements also allow flexibility for cybersecurity preparedness and resilience that can be aligned to these priorities without compromising safety and business continuity. They avoid prescriptive guidance that can leave many end users scrambling to check boxes on an audit form but inform critical decisions—like comprehensive password, backups, and recovery policies, with key caveats about alternative measures and controls for systems where the stated requirement is not technically feasible.
Coordinators will have their work cut out for them, working to build out training, stress test plans, and demonstrate ROI for security investments and processes over time. Short term, they must also plan for a cyber incident to happen at any time, involving a wide range of stakeholders. As we have learned from other major attacks, the weakest link in an organization may be an IT system critical for business operations. It may also be a compromised cyber-physical system, broad access to a component of operations that enables remote access or unnecessary internet connectivity.
It is imperative that asset owners have the right tools and expertise to determine whether an issue is caused by a nation state campaign, equipment malfunction, misconfiguration, ransomware situation, or ghost drifting—when a device incrementally slips out of scope over time without oversight.
Building a Mature Security Posture
The industry is not starting from zero, it continues to evolve to meet safety and security concerns. Pipeline operators prioritize public and worker safety, quality and continuity of their operations, and protecting sensitive information and systems. We are at the point where every asset owner must evaluate their independent needs and changes to be made to improve their security postures. Maturing a security posture will require a holistic plan to fortify operations from the inside out, beginning with the following suggested components:
- Develop a comprehensive asset inventory of everything that’s critical to your organization’s mission and connected to anything that’s required for business continuity.
- Identify internal vulnerabilities on systems in use and create a strategy for tracking and reducing risks and hardening the assets.
- Monitor the network at all levels, leveraging signature-based threat intelligence and behavior-based anomaly detection.
- Monitor critical assets for changes to anything—the firmware, function codes, configuration settings, and administrative-level controls.
- Ensure there are redundant backups of data and systems, where restoration policy takes safety and process operations into account first and foremost.
- Develop and test incident response playbooks and execute table-top exercises to build resilience and understand impact analysis of cyber scenarios.
Strengthening Pipeline Security is a Long Game
With this latest announcement of additional requirements and potential rules for pipeline companies to implement in their operations, some industry leaders may struggle to understand the impacts of additional regulatory guidance. Though it is too soon to grade requirements as a success or failure, it is not too late to start asking what success looks like and how to get there.