Pipelines’ Digital Defense is on the Line
In early May 2021, Colonial Pipeline—an operator of a massive pipeline system that carries an estimated 45 percent of the fuel used on the U.S. East Coast—was successfully targeted by a ransomware attack. Colonial stopped all of its pipeline operations on 7 May while it tried to deal with the attack. Under normal circumstances, Colonial’s systems cover more than 5,500 miles and deliver more than 100 million gallons every day between New Jersey and Texas.
After Colonial’s CEO Joseph Blount was notified about the ransom and decided to shut down the pipeline system—which would impact fuel prices for months—he authorized a payment of $4.4 million.
Even prior to the ransomware attack on Colonial, the pipeline industry was aware its assets were of interest to attackers who would leverage cyberattacks to either control or disrupt operations. In 2018, the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) and Natural Gas Council (NGC) noted that such attackers—whether representing nation-states, organized criminal groups, or others—present “enterprise risks” which could endanger a company’s viability.
Cybersecurity is applied throughout the entire value chain of the oil and gas industry, from wellheads to pipelines to power generation stations. For U.S. pipelines alone, this means that cybersecurity is tied to more than 3.3 million miles of a physical network that delivers natural gas, hazardous liquids, and other materials for the energy industry.
While a portion of pipeline operations are controlled manually, there are also automated controls, like supervisory control and data acquisition (SCADA) systems that monitor and manage operations. Preprogrammed factors, remote sensors, and signals maintain flows and pressures within an acceptable range.
Cyberattacks targeting U.S. energy infrastructure have increased steadily over the past few years. “The number of reported incidents directed at critical infrastructure rose from 245 in 2014 to 295 in 2015, with a similar count (290) in 2016. Of the reported incidents, roughly 20 percent (59 reported incidents) targeted the energy sector,” ONG SCC and NGC wrote in a whitepaper, Defense-in-Depth: Cybersecurity in the Natural Gas & Oil Industry.
And pipeline networks “are vulnerable to cyber-attacks due to legacy (industrial control systems) that lack updated security controls and the dispersed nature of pipeline…networks spanning urban and outlying areas,” according to the U.S. Transportation Security Administration (TSA). As aspects of operational and information technology become further integrated, those industrial control systems (ICSs) become a bigger target for cyber attackers.
A significant aspect of the industry’s efforts to shore up against potential cyberattacks involved internal systems, such as risk-based management, technology solutions, and more. But external efforts were also emphasized, including cooperation through information sharing analysis centers (ISACs), and leveraging trade associations to enhance individual companies’ threat analysis capabilities, according to ONG SCC and NGC. And coordination with government agencies has proved equally important in these efforts.
One of the many responsibilities of the TSA involves pipeline security. After the Colonial Pipeline shutdown, the TSA issued security directives to pipeline systems that the administration designated as critical. The directives aimed to allow the administration to better determine and respond to threats to these pipeline systems.
On 27 May 2021, TSA announced Pipeline-2021-01. It required critical pipeline owners and operators to notify the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) about any potential or confirmed cybersecurity incidents. It also directed owners and operators to designate a cybersecurity coordinator who would be available 24/7, and to review current practices to identify any security gaps—plus appropriate remediation measures—with a report of the results to TSA and CISA.
“These initial guidelines were seen as a good first step without being overly burdensome,” Dragos said in a 2022 oil and gas brief, U.S. Transportation Security Administration Pipeline Security Directives: Lessons Learned & Cybersecurity Requirements for Pipeline and Facility Owners & Operators.
However, when TSA issued another directive on 20 July 2021, owners and operators bristled. In an interview with Security Management, a spokesperson from the American Petroleum Institute (API) describes the second directive as “onerous.”
Pipeline-2021-02 required owners of critical pipelines that carry natural gas or hazardous liquids to apply various “protections against cyber intrusions,” according to DHS. On top of Pipeline-2021-01, operators and owners were mandated to apply mitigation methods against cyberattacks, create a contingency and recovery plan, and review their cybersecurity programs.
“Pipeline owners and operators found the second directive to be more difficult to implement,” according to the Dragos whitepaper.
The directive was classified as Security Sensitive Information (SSI), so there were restrictions on sharing the directive’s information with third parties and non-TSA government parties. Compounding the frustration was that the directive included seemingly arbitrary deadlines and “many technical requirements that could not be easily implemented as they were developed for IT systems with no consideration taken for the complexity of OT systems,” Dragos wrote.
Operators were strongly against the revised guidelines because it meant that an auditor could simply show up with a line of questioning disconnected from, or nearly irrelevant to, the actual environment. “Operators hated it,” says Dane Langen, global segment lead for security for Luna Innovations—a fiberoptics sensor manufacturer that provides pipeline companies with equipment to support monitoring and communication of pipeline infrastructure.
“At one level it was an annoyance,” Langen recalls hearing from pipeline operators. The administration was ordering them to meet several requirements within a very limited timeframe. “The operators, the infrastructure that they have is old, old, old, old school. A lot of them don’t even have Internet at their pumping and compressing stations along the pipeline routes. So now, they have to handle these older, legacy-based technologies that don’t really interface with the Internet and convert them.”
Industry-wide, there were several comments from pipeline owners and operators over the second directive.
“I’m speaking more from myself but also from several colleagues I’ve talked with, we feel that this last round of the guideline it became much more or less of, ‘We’re going to accept your guys’ input as to where those guidelines should go,’” notes Don Greenwood, corporate security manager for TC Energy.
Instead of a collaboration with industry stakeholders, which has been the norm since at least 2011, according to Greenwood, the second round of guidelines from the TSA was seen as encroaching, nearly a set of intrusive orders. “Right now, thankfully, it’s still a guideline and it’s going to make things difficult for the industry but if they do move that guideline into regulation, it is going to damper the pipeline industry significantly.”
So, when it came to crafting a revised version of Pipeline-2021-02, TSA worked again with industry stakeholders.
Between 2021 and July 2022, TSA—with input from owners and operators—produced a slightly revised version of the second directive, creating Pipeline-2021-02B. The administration continued seeking information from these stakeholders about how to revise the directive to help pipeline organizations achieve improved overall cybersecurity resilience, according to Dragos.
Part of the revision process involved a series of technical roundtables with the TSA and subject matter experts, API says.
In July 2022, TSA published Pipeline-2021-02C, which incorporated that input. For example, the administration aligned the directive’s requirements with industry standards, such as those published by the National Institute of Standards and Technology (NIST), the International Society of Automation, and the American Petroleum Institute. This in turn gave pipeline owners and operators some flexibility in how to meet the requirements.
Most recently, in November 2022, the TSA published an advance notice of proposed rulemaking (ANPRM), which was founded on the security directives and will apply to pipeline and rail sectors.
The proposed priorities include having owners and operators assess and improve the current baseline of operational resilience and incident response; maximizing owners’ and operators’ abilities to adapt to evolving threats and technologies; identifying opportunities for third-party experts to support compliance; accounting for varied cybersecurity maturity across the sector and among owners and operators; incentivizing cybersecurity adoption and compliance; and building quantifiable measures for assessing performance into a cybersecurity program.
The TSA also identified core elements of an effective cybersecurity risk management program to support a larger security initiative, which include access controls; designating a responsible individual for cybersecurity; drills and exercises; measuring the implementation, effectiveness, efficiency, and impact of cybersecurity controls; and vulnerability.
The TSA is seeking comments on the proposed rules from interested stakeholders, industry associations, third-party cybersecurity subject matter experts, insurers and underwriters for cybersecurity risks, and especially owners and operators of higher-risk pipeline and rail operations, according to the notice. Comments were due by 17 January 2023.
And other aspects of public-private relationships are improving, too, especially as the stakeholders shore up against cyber attackers.
“In the past, it was very hush-hush,” Greenwood recalls. Knowing that some ambiguous threat was occurring without getting more details from a government agency was frustrating, and Greenwood adds that things have improved significantly. Now, pipeline companies regularly interact with agencies, including the TSA. Greenwood and other security personnel have monthly calls with relevant agencies, and part of those meetings involve some intelligence sharing.
“I think they’re more and more willing to share,” Greenwood says. “The one caveat I would add to that is it would be nice if they would give us a little bit more details. …Especially after-action, understanding what they’ve learned from certain things that have happened, what they learned from the Colonial Pipeline for instance. …It would help the industry a lot if they really were able to open up a little bit more.”
But perhaps some of that desire for additional knowledge can be addressed from the private end. Greenwood recommends having more personnel obtain a security clearance, which could give agencies more confidence in sharing additional information about incidents.
Sara Mosqueda is associate editor for Security Management. Connect with her at [email protected] or on LinkedIn. Follow her on Twitter: @ximenawrites.