Contact us:
Published: 11 June 2021
- A ransomware attack forcing the precautionary temporary shutdown of the Colonial Pipeline system in the US in May 2021 has sparked regulatory checks on pipeline cyber security
- Existing risk assessment frameworks and models can help operators to comply with a new Directive from the US regulator, prompted by the attack and requiring information and risk analysis
- DNV Recommended Practice DNVGL-RP-G108 Cyber security in the oil and gas industry based on IEC 62443 can assist pipeline operators to apply relevant standards to comply with the Directive’s requirements.
A new Directive issued by the US Federal Government has ordered pipeline operators to check and report on the cyber security of their pipeline systems within a month. Security Directive Pipeline-2021-01 (‘the Directive’) of 28 May 2021 was published after a ransomware attack led to the six-day shutdown of an 8,900-kilometre pipeline carrying 45% of the US East Coast’s gasoline, diesel, and jet fuel.
Colonial Pipeline felt obliged to pay a ransom to the DarkSide cyber-criminal gang so the operator could regain access to its own IT systems that had been locked by the ransomware. The operator said it would cost tens of millions of US dollars to check and fully restore its systems over months.1 It stressed that the attack had affected only its IT, and had not resulted in DarkSide gaining access to operational technology (OT).
In industry, the term OT covers software and hardware – e.g., supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs) – that monitor and control assets, specific equipment such as valves, events, and processes.
Gartner research suggests that 60% of companies operating critical infrastructure are only in the earliest stages of maturity when it comes to having integrated and optimized cyber security for OT and cyber-physical systems in place. These companies are aware of the risk, but are unlikely to have implemented robust solutions.2
“If pipeline companies show the same spread of maturity about OT cyber security as Gartner found among companies in general, it will likely take a significant effort for some pipeline operators to rigorously apply existing US cyber guidelines for pipeline systems,” said Jim Ness, Regional Business Manager, Cyber Security, North America at DNV.