US pipeline operators face compliance with new cyber security directive after colonial pipeline attack

Published: 11 June 2021

• A ransomware attack forcing the precautionary temporary shutdown of the Colonial Pipeline system in the US in May 2021 has sparked regulatory checks on pipeline cyber security
• Existing risk assessment frameworks and models can help operators to comply with a new Directive from the US regulator, prompted by the attack and requiring information and risk analysis
• DNV Recommended Practice DNVGL-RP-G108 Cyber security in the oil and gas industry based on IEC 62443 can assist pipeline operators to apply relevant standards to comply with the Directive’s requirements.

A new Directive issued by the US Federal Government has ordered pipeline operators to check and report on the cyber security of their pipeline systems within a month. Security Directive Pipeline-2021-01 (‘the Directive’) of 28 May 2021 was published after a ransomware attack led to the six-day shutdown of an 8,900-kilometre pipeline carrying 45% of the US East Coast’s gasoline, diesel, and jet fuel.

Colonial Pipeline felt obliged to pay a ransom to the DarkSide cyber-criminal gang so the operator could regain access to its own IT systems that had been locked by the ransomware. The operator said it would cost tens of millions of US dollars to check and fully restore its systems over months.¹ It stressed that the attack had affected only its IT, and had not resulted in DarkSide gaining access to operational technology (OT).

In industry, the term OT covers software and hardware – e.g., supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs) – that monitor and control assets, specific equipment such as valves, events, and processes.

Gartner research suggests that 60% of companies operating critical infrastructure are only in the earliest stages of maturity when it comes to having integrated and optimized cyber security for OT and cyber-physical systems in place. These companies are aware of the risk, but are unlikely to have implemented robust solutions.²

“If pipeline companies show the same spread of maturity about OT cyber security as Gartner found among companies in general, it will likely take a significant effort for some pipeline operators to rigorously apply existing US cyber guidelines for pipeline systems,” said Jim Ness, Regional Business Manager, Cyber Security, North America at DNV.

Despite being confined to IT systems, the Colonial Pipeline incident has upped the stakes in the daily battle that energy infrastructure operators worldwide are waging against malicious cyber-attacks, he added: “Even though the attackers did not access Colonial’s OT, the perceived risk that it might was sufficient in itself for the company to follow its own protocol by immediately ordering the precautionary shutdown of pipelines vital to a large population and many industries.”

Pipeline operators worldwide see with increasing clarity that greater connectivity between IT and OT for operational efficiency brings more complex and greater cyber security challenges, he continued: ”The pipeline industry needs to be sure that its approaches, tools, and resources for cyber security at least comply with regulations. Regulators naturally react to incidents by tightening up on compliance checks. A good example is the publication of the new Directive in response to the Colonial Pipeline attack. Some operators will find it necessary to go beyond basic compliance with regulations to implement best practice for some degree of future-proofing for their cyber security.”

Complying with US pipeline cybersecurity regulations

Under the Directive from the US Transportation Security Administration (TSA), TSA-specified pipeline owner/operators must:

• review their current activities against TSA recommendations for pipeline cyber security to assess cyber risks, identify any gaps, and develop remediation measures
• report the results of these actions to the TSA and the DHS Cybersecurity and Infrastructure Security Agency (CISA)
• report cybersecurity incidents to CISA
• designate a cybersecurity coordinator who is required to be available to TSA and CISA 24 hours a day, seven days a week, to coordinate cybersecurity practices and address any incidents that arise.

“The good news is that several risk assessment frameworks and models can help to perform the cyber security gap analysis now required under the TSA’s Directive,” Ness commented.

Assessing pipeline cybersecurity risk

DNV Recommended Practice (RP) DNVGL-RP-G108 Cyber security in the oil and gas industry based on IEC 62443 focuses on how to achieve cyber security in critical oil and gas infrastructure. It is intended for all the people, processes, and technologies involved in ensuring that cyber security is taken care of in the industrial automation and control systems (IACSs). The people include asset owners, system integrators, product suppliers, service providers, and compliance authorities. The RP clarifies the responsibilities shared between these parties, and describes who performs the activities, who should be involved, and the expected inputs and outputs.

As its title suggests, DNVGL-RP-G108 is based on applying IEC 62443, a series of standards adopted by the International Electrotechnical Commission (IEC) as a framework to address and mitigate current and future security vulnerabilities in IACSs. The DNV RP also incorporates aspects of NIST SP 800 standards from the US National Institute of Standards and Technology. IEC 62433 itself evolved from the ISA99 standards developed by the US-based International Society of Automation (ISA).

“Our RP guides the reader through all aspects of IEC 62443 that are relevant to oil and gas critical infrastructure. In generic terms the IEC and NIST standards have common goals, so we tend to work with the methodology that fits most closely with our customers when advising them on cyber security governance, risk and compliance issues,” explained Ness.

Using the DNV Recommended Practice to assess pipeline cyber security

The DNV RP and IEC 62443 standard cover the full life cycle of a cyber asset as illustrated in Fig 1, which is from DNVGL-RP-G108.

The risk assessment elements of DNVGL-RP-G108 make use of well-known methodologies applied in process safety analysis. While Figure 1 is intended for capital projects, the principles can also be applied for assets in operation.

Consequently, DNVGL-RP-G108 can be applied for cyber security gap assessment of existing pipeline systems, as the TSA Directive requires. DNV has applied the DNV RP and IEC 62443 for the oil and gas sector on several greenfield and brownfield installations, onshore and offshore. The company also uses these frameworks in sectors such as maritime, and power and utilities.

Proposing alternative measures to the US pipeline regulator

In publishing the new Directive, the TSA has also told pipeline owner/operators unable to implement the measures prescribed that they may seek approval both for proposed alternative measures and for the basis for submitting such measures.

“I suspect many pipeline operators will struggle to meet the 25 June 2021 deadline to fulfil the cyber risk and gaps assessment part of the Directive if they do not already have many of the underlying data sets in place,” said Ness. This data could include, among others, asset inventories, up-to-date network drawings, supporting policies and procedures, training programmes, drills schedules, risk assessments, response plans, and identification of the responsibilities of key cyber security roles.

“In cases where gaps are too significant to address by the deadline, all operators should focus on developing practical, risk based gap closure plans, prioritizing areas of greatest risk reduction,” he added.

Resourcing better pipeline cyber security

Appendix A of the TSA guidelines lists information that must be refreshed and reassessed periodically. Its requirements highlight information that the Board/C-Suite of a pipeline operator/owner will regularly require from chief information security officers (CISOs) or their equivalent.

Ness said: “For Boards and C-Suites to be confident that activities to collect this information are being performed, CISOs will need to verify that company policies and procedures reflect the requirements. CISOs will also have to ensure that verification/audit activities are happening at appropriate intervals, and that these confirm the effectiveness of the company’s cyber security programmes.”

Read more about DNV cyber security services

REFERENCES

1 ‘The Colonial Pipeline CEO Explains The Decision To Pay Hackers A $4.4 Million Ransom’, MR Kelly, J Fuller, J Kenin, National Public Radio, 3 June 2021.

2 ‘Market Guide for Operational Technology Security’, K Thielemann, W Voster, B Pace, R Contu, Gartner, 13 January 2021, report ID: G00737759.