Securing pipeline and gas companies’ critical infrastructure is an evolving process. Embracing that fact is a key element in the development of a logical program that will ensure safety, security and effectiveness. There are four logical phases in this process with defined actions that can be measured and coordinated.
Understanding risks and vulnerabilities, along with how to address them, is the first step in customizing the phases to meet a company’s particular requirements. In this article, I discuss the four phases — assess, remediate, manage and assure — and give examples of how this approach, with the assistance of a trusted advisor, can ensure the security of an organization’s critical infrastructure.
In 2011, the Transportation Security Administration released an updated TSA Pipeline Security Guidelines. This update incorporated recommendations for improving pipeline security practices, encouraging the implementation of a risk-based, cybersecurity plan.
Information Technology For Control Systems
In recent years, cybersecurity concerns in industrial environments have significantly increased. The shift from proprietary, isolated control systems to open standards and interconnected networks has increased cybersecurity threat exposure.
Control systems running on top of typical business IT platforms are an integral part of the industrial infrastructure today around the world. We have come to understand that control systems share many IT similarities with corporate business systems. However, control systems are technically, administratively and functionally more complex than business IT systems. This difference represents a real challenge. Control networks have all the risk of modern IT technologies without being able to apply or manage typical security controls available to corporate IT departments.
Vulnerabilities, particularly cybersecurity, affect the safe, functional performance of control systems and business IT systems. Since mainstream IT is quite knowledgeable and experienced with the threats and management of the security environment – perhaps years ahead of the current status of control systems –
we have the opportunity to learn from the experience of business IT and shorten the time span for control systems to acquire the same level of security awareness.
One of the main reasons for this difference in cybersecurity maturity is the difference in focus between business IT and control systems. Control systems have focused on equipment efficiency and reliability while cybersecurity was left to the business IT organizations. However, this situation is changing. And, we see that the convergence of IT and control systems requires expertise from both business IT and industrial control systems. We call this convergence “industrial IT.”
It is interesting to note that, in a 2012 article in Pipeline & Gas Journal, company management of many organizations thought the IT group was automatically looking after the control systems IT needs–but they weren’t really sure.
Ongoing Process Requires Logical Approach
The control systems environment has been changing before us with some subtle nuances and other more dramatic developments. The security of the system is something that we took for granted for many years, when proprietary hardware and software were the norm, but the landscape has changed! Security by obscurity, once enjoyed in production environments, has been traded for advancements in technology available in a more open environment.
Ongoing advances in hardware and software are opening up more ways to advantageously use automation technology. Meeting today’s exacting automation challenges means being knowledgeable about what is possible. Change can be good, and our ability to evolve with it and to extract the most value from it is the measure of our creativity and dedication – and perhaps in our application of a logical approach to this evolution. However, success in this endeavor is usually only brought about by a deep understanding of both process automation environments and IT technology.
Pipeline and gas companies face a number of industrial IT challenges. These challenges manifest as increased risk (Figure 1).
To achieve a sustainable competitive advantage, pipeline and gas companies must be able to adapt to change quickly. Reduced time for decision and action is critical for improving quality and productivity, making the timely collection, manipulation and distribution of reliable information a significant issue. In today’s business environment, electronic data needs to be presented as information to operations, engineering and management in the context most meaningful to them.
Historical, process and business data is collected from disparate sources and stored securely. The business requirement is to transform that data into meaningful information, which is presented in a manner that is easy to understand, providing important support at every level to improve efficiency and profitability. As a result, most organizations are faced with requirements to increase accessibility to the system. While this tighter linkage between business and process information is necessary, it opens the door to intrusions – whether unintentional or targeted.
Complex Array Of Tools, Standards, Best Practices
With the proliferation of open systems, the complexity of plant networks and the need to support legacy systems, more tools are available to address requirements and exposures with the attendant standards and best practices that follow. Understanding which tools best fit an environment can be a rigorous task requiring broad experience and vendor neutrality. Since safe, reliable, expected operation of your facility is paramount, an approach that is deep in process safety and then coupled with technological capabilities is the most effective option.
Targeted Malicious Cybersecurity Threats
The impact of a cybersecurity breach within the pipeline environment is far-reaching and can include: unauthorized access, theft, or misuse of SCADA information ; communication failure/lines down, resulting in loss of transportation capacity; equipment damage; environmental damage; public health and safety issues; personal injury; and violation of legal and regulatory requirements.
With the increasing demand for accessibility and sharing of information, we see the number of targeted malicious cybersecurity threats increasing as well. Being the subject of the next big story in the press is not advantageous. When P.T. Barnum said, “I don’t care what you say about me, just spell my name right,” he was not living in the age of cybersecurity threats, the Internet and widespread access to technology!
Increase In Industry, Government Regulations Or Standards
Based on the industry, companies are faced with directives to adopt standards and, in some situations, adhere to regulatory guidelines. There is an attendant uncertainty about interpreting or applying regulatory and best practice controls. Partnering with an organization that has helped to drive the development of these standards and to build those regulations into next generation offerings is the fastest and most effective way to build a robust, compliant and manageable program.
Pipeline operators need to recognize the most important part of a security program is not the specific standard used, but rather the importance of understanding business risks, being proactive, embracing a security philosophy and developing a long-term security strategy that eliminates or reduces risk. Pipeline operators can use the TSA guidelines and other similar standard to create their own best practices.
With all of these challenges comes the demand for increased uptime, availability and reliability. Many an organization finds itself without the required people assets to manage a security program that meets the high standards required by industrial information technology. The lack of IT “know-how” in the plant is problematic with a priority placed on availability over confidentiality. The question, then, that we need to answer is: How do we respond to this increased risk level?
Organized, Logical Approach
To address industrial IT challenges, a logical, organized approach is needed to discover vulnerabilities and evaluate risk level. In this way, we can ensure that appropriate steps are taken at the appropriate time – and that the process is repeatable. This phased approach, the industrial IT lifecycle, is ongoing, consisting of four phases: assess, remediate, manage and assure.
While each of these phases is important, the one that is likely to be most revealing is the assess phase. In a 2011 article that appeared in Pipeline & Gas Journal, the results of a survey revealed almost half of the respondents felt that hackers are the source of most security incidents. The results of the assess phase will most likely change this position.
In the assess phase, installation assets are evaluated and vulnerabilities are uncovered. Comparisons are made with industry standards and best practices. It is necessary to understand what is broken or vulnerable in order to be logical and focused in fixing problems or removing vulnerabilities.
With an understanding of the results of the assessment, the remediate phase begins – addressing the vulnerabilities and misalignment with industry standards and best practices. To keep the network and security program at its optimum level, the manage phase addresses the services and training required to preserve and enhance the investment an installation has made in industrial IT, primarily network security. Next, the assure phase focuses on program monitoring to assure the program is functioning as designed.
Following is a quick summary of the four phases:
• Assess your assets against industry standards, regulatory requirements and best practices
• Remediate the issues identified in the assess phase with a custom-designed industrial IT program
• Manage the industrial IT investment over time, including network security, with support and training
• Assure that the industrial IT solutions are functioning as designed
The assess phase is very important in the industrial IT lifecycle. During this phase, overall shortcomings and vulnerabilities are compared with the desired result. Of the four phases, this one is perhaps the most important and enlightening, requiring expert certified security professionals who are able to balance unique process control environment requirements against regulatory requirements.
Assessments should follow up with actionable recommendations that, when implemented, will improve reliability and system management. The recommendations should be prioritized to aid in logically addressing the identified vulnerabilities. In addition, budgetary guidelines will be helpful in assisting with the size and scope of the effort required in the remediate phase.
The types of assessment will likely be varied, depending on the immediate and long-term needs of the installation. For some installations, regulatory assessments are at the forefront. If there are immediate concerns regarding network vulnerabilities, a network assessment would be the ideal starting point.
While the assess phase may be the most enlightening, the remediate phase may be the most intense and diverse since it addresses risk management from the perspectives of process, technology and people. Process is important in the overall view of remediation, particularly as it applies to security. Process includes procedural development, such as:
• Patch management
• Secure remote access
• Backup and restoration
• Change management
• Perimeter security
From a people perspective, each individual who affects the security of the process control environment must be made aware of the risks and considerations that apply to security. For this purpose, a security awareness program is very important. It is not unusual to find individuals who are ignorant of the security exposure potential. Additional training may be required. Within each organization, it is best to develop and document policies and governances that apply to this key area. Plus, as organizations change through addition or attrition and movements to other positions, security awareness is an ongoing process.
In general, the people perspective includes such elements as:
• Security awareness program
• Security training
• Policy and governance development
• Design and implementation resources
The technology perspective is one that will endure many changes – just as technology changes. Determining and documenting such things as network architecture, topology and physical network diagrams of the process control network design, and technology requirements are necessary and important.
Technology extends to the selection of server and software, deployment and configuration. System hardening and virtualization requirements and implementation considerations would be included. Then, there is the wide selection of commercial off-the-shelf (COTS) products, and the determination of which are the best fit for a given area. COTS product selection would include tools that perform functions, such as anti-virus, patch management, whitelisting, intrusion detection system, vulnerability, network monitoring and log analysis.
A successful remediate phase results in a custom-designed industrial IT program that may include multi-layer secure defense in-depth network design, system hardening testing and redundancy solutions, compliance and governance development, and security awareness programs.
This phase addresses the management of the installation’s industrial IT investment, including network security, with support and training. Specifics may include:
• Ongoing management of systems and technology: workflow implementation, anti-virus and patch management, and perimeter management.
• Support services: regular tuning of security tools, system health and performance monitoring, and ad-hoc support.
This phase addresses methods to assure the industrial IT solutions are functioning as designed. Program monitoring may include:
• Change management
• Verification of patch installation and anti-virus updates
• Using a compliance dashboard
• Monthly reporting
• System health and performance reporting
• For some, recurring annual ISA99, NERC CIP Cyber Security Vulnerability Assessments (CSVA)
From a regulatory and compliance perspective, the pipeline industry seems to be following in the footsteps of the power industry (with NERC CIP) – and, as a result, mandatory compliance may be looming. Pipeline operators have a tremendous opportunity to think beyond the bureaucracy of compliance and regulation and understand that cybersecurity is really about ensuring sage, reliable and expected system behavior.
The benefits of a long-term security strategy allows pipeline operators time to socialize the concept of security, increase employee support, induce a security culture and spread the costs and effort over a greater length of time. The process is ongoing, with regular assessments, and the attendant remediation activities, managed to continue the industrial IT investment with additional services and training, and assurance that the critical infrastructure is protected. And the process continues.
In selecting resources to assist in the industrial IT lifecycle, there are some best practices to follow. Your partner in the industrial IT lifecycle process should be vendor-neutral in scope. After all, your security program spans your entire install base, so your partner should be able to assist with an entire program. It is also important that you work with people who are network- and security-certified with documented experience. If you are a global organization, it is important that your partner have a global reach in providing service, training and support. Regulatory compliance expertise is another key attribute of the best partner. As for products, end-to-end scalability is important, along with services that are tailored to meet specific needs.
You should feel comfortable with the partner you select – a partner with both control systems knowledge and IT expertise. The logical, phased approach discussed here is one designed to secure your critical infrastructure and is an evolving process that is mindful of the changing environment in which we operate.
1.Testimony of Joseph M. Weiss Control Systems Cyber Security Expert before the Committee on Commerce, Science, and Transportation, U.S. Senate, March 19, 2009.