May 2022, Vol. 249, No. 5
Features
Enhancing Pipeline Security: Cybersecurity Alone Is Not Enough
By Mike Nushart, principal consultant, Black & Veatch
Like any industrial operation, pipeline operators strive to provide safety and reliability in the delivery of their products. However, impacts from a variety of factors – from natural and environmental processes to vandalism and terrorism – threaten to disrupt the safety and reliability of pipeline systems.
As the pipeline industry uses new digital technology to safeguard and strengthen their systems, that technology opens a door for cyberattacks, which have quickly become the hot topic of pipeline security.
While cybersecurity is a crucial part of any pipeline security plan, comprehensive, enhanced pipeline security must consider and mitigate the full range of pipeline threats, both digital and physical.
Wake-Up Call
In 2021, a cyberattack on the Colonial Pipeline triggered a clarion call from the U.S. Transportation Security Administration (TSA) to operators of critical pipelines. It came in the form of a Security Directive with three critical components to tighten security of our nation’s pipeline infrastructure.
First, it requires TSA-specified owners and operators to report any cybersecurity incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Second, it requires owners and operators to designate a cybersecurity coordinator who must be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise.
Finally, the directive requires that owners and operators evaluate their current operations against TSA's recommendations for pipeline cybersecurity, to assess cyber risks, identify any gaps, develop remediation measures and report the results to TSA and CISA.
These regulations make clear the deep concern the TSA holds for the safety of our pipeline infrastructure. This is highlighted in the way their guidelines broaden the definition of cyberattacks to include operational impacts. This accounts for the effects of cyberattacks on not just digital systems, but also on the related physical assets and operational capabilities.
The May 28, 2021, directive outlines the variety of such threats, requiring operators to report several types of incidents, not least of which is Item 5(B):
“Any other cybersecurity incident that results in operational disruption to the Owner/Operator's Information or Operational Technology systems or other aspects of the Owner/Operator's pipeline systems or facilities, or otherwise has the potential to cause operational disruption that adversely affects “the safe and efficient transportation of liquids and gases including, but not limited to impacts to a large number of customers, critical infrastructure or core government functions, or impacts to national security, economic security or public health and safety.”
In other words, operational disruptions, customer impact and affected critical infrastructure impacting government functions or national security are the principal concerns surrounding pipeline security.
Consequences
The TSA Pipeline Security Guidelines, first published in 2010 and updated in 2018, place emphasis on the social, environmental, and economic consequences of interruptions in pipeline operations from any potential pipeline threat.
The guidelines urge operators to identify and mitigate situations with operational consequences that would disrupt or significantly reduce required service or deliverability to installations identified as critical to national defense and key infrastructure, such as power plants or major airports.
It also specifies that operators should mitigate scenarios that may result in a state or local government’s inability to provide essential public services and emergency response for an extended period, which may cause mass injuries, casualties or significant health or environmental effects that may disrupt or significantly reduce the intended usage of major rivers, lakes or waterways.
Mitigation must also take place in cases that might significantly disrupt pipeline system operations for an extended period of time.
Further, the newer May 2021 Security Directive requires TSA-specified owners and operators to report incidents involving unauthorized access of an information technology (IT) or operational technology (OT) system, discovery of malicious software on an IT or OT system, activity resulting in a denial of service to any IT or OT system and any physical attack against the network infrastructure.
It goes on to broaden this with the stipulation that owners and operators should report any other cybersecurity incident that disrupts operations of pipeline facility systems in a way that has the potential to adversely affect the safe and efficient transportation of liquids and gases, or that would cause impacts to a large number of customers, critical infrastructure or core government functions, national security, economic security or public health and safety.
While cybersecurity continues to be a significant concern for operators, physical threats have equal potential to generate the undesirable conditions listed in the TSA documents; as such, they must be considered for mitigation. Owners and operators must consider all potential intrusion types to develop a set of mitigation plans.
Initiation of any security breach scenario requires a change of state of the pipeline and its control equipment. Depending on the installed equipment types, the changes of state can be accomplished remotely or locally, and both scenarios must be considered.
Risk Analysis
The TSA Pipeline Security Guidelines outline an analysis process for operators to use in evaluating their operations as the first stage in security planning. It begins by outlining specific security breach consequences of concern, including disruptions that jeopardize critical infrastructure, health and well-being of the public and the environment, and disruption of major waterways.
To avoid such disruptions, it is imperative that pipeline operators create detailed security plans. This begins with evaluating current standing and identifying areas for improvement. The TSA Pipeline Security Guidelines detail three main areas for assessment, which each call for their own unique security response.
Criticality Assessment: This entails a review and analysis of all computer systems and physical assets that can potentially contribute to one or more of these operational consequences.
In addition to computer systems, a few examples of asset types to be reviewed are critical valves, pressure control equipment, exposed piping, supervisory control and data acquisition (SCADA) remote terminal units (RTU), pressure and temperature transducers and SCADA-connected or stand-alone programmable logic controllers (PLCs).
The TSA recommends that operators review and update the criticality assessment on a periodic basis with the maximum interval not exceeding 18 months.
Security Vulnerability Assessment (SVA) – The SVA is one of the risk assessment processes conducted to further identify the potential occurrence of operational consequences.
While the criticality assessment identifies systems and assets or groups of assets with the potential of generating undesirable consequences, the SVA identifies the types of vulnerabilities for the critical asset types and control systems. The asset type examples listed above include both pipeline-attached appurtenances as well as remote monitoring and control equipment and their host systems.
Operators should assign knowledgeable teams to identify systems requiring cybersecurity evaluations and mitigation. The May 2021 Security Directive states applicability to owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility notified by TSA that their pipeline system or facility is critical.
SVA teams should consider if the system vulnerability extends beyond the transmission pipeline. Operators of transmission and distribution facilities frequently apply supervisory control on the distribution assets at the transmission to distribution delivery location.
With supervisory control of valves and pressure and flow control equipment, the greater the threat is of operational consequences in case of an attack.
Remote Facility Physical Vulnerabilities Assessment: At the same time as Criticality Assessments and SVAs are performed, an assessment of physical vulnerabilities should be performed on remote facilities.
The assessment needs to begin with the security perimeter and the efficacy of intrusion detection and other measures to prevent unauthorized persons and vehicles from entering remote sites. Is the traditional main gate single chain with multiple padlocks still in place as the primary security measure? Is that single chain capable of protecting the site?
The assessment team should determine if critical assets are protected from vehicular damage using bollards or permanent barricades. The team should also consider the vulnerability of exposed pressure/flow control lines to projectiles and whether additional protection is prudent. The connection and termination points of SCADA and PLCs need to be secured from unauthorized access, as well.
Conclusion
Teams with operational experience possess the synergy to observe and anticipate critical systems and assets and determine mitigative actions. While it is nearly impossible for pipeline operators to fully protect facilities from terrorism, malicious cyber and physical vandalism attacks can be bested.
Risk analysis efforts with periodic detailed review plans can help identify new critical systems and assets and enable new mitigative actions.
The TSA Security Directive and its companion, the Pipeline Security Guidelines, provide a valuable starting point for operators to enhance pipeline security.
Author: Mike Nushart, principal consultant at Black & Veatch, has more than four decades of natural gas transmission and distribution experience. After a successful utility career, he has been consulting with gas operators in the integration of pipeline integrity management with work and asset management systems, as well as developing cost-effective compliance programs.
Comments