According to a CISA security alert, a ransomware attack has hit a natural gas compression facility in the U.S., resulting in a two-day pipeline shutdown as the unnamed victim worked to bring systems back online from backups.
The attackers were able to penetrate the IT portion of the facility’s network and then move beyond that to eventually infiltrate the control and communication assets on the operational technology (OT) side of the natural gas compression facility. This initial compromise to the IT network led to the cyber attacker deploying a “commodity ransomware” to encrypt data on both the IT and the OT networks. The ability to pivot was thanks to a lack of network segmentation between the IT and the OT portions of the infrastructure, CISA said.
“The breach stemmed from a spearfishing link that first provided access to the IT network before allowing a pivot to the OT network. This specific breach was avoidable,” says Michael Sanchez, President at ITEGRITI. The CISA alert provides several operational as well as technical mitigation guides. “These mitigation measures are largely hygiene-control related and include network segmentation, MFA, backup, access management, anti-virus, and user training,” notes Sanchez. “CISA provided great guidance that should be applied across all critical infrastructure, and we further suggest that all organizations who want reliable and available systems follow suit,” concludes Michael Sanchez.
The above incident is a first-class opportunity to review what regulations dictate about pipeline security.
The API 1164 Standard
The overarching document in pipeline cybersecurity is American Petroleum Industry Standard 1164 (API 1164), titled “Pipeline SCADA Security”. The first edition of the document was released in 2004, while the effective edition is the second from June 2009.
The standard “provides guidance to the operators of oil and gas liquids pipeline systems for managing SCADA system integrity and security.” The goal of the standard is to ensure that there are “no adverse effects on employees, the environment, the public or the customers” as a result of cyber-criminal activities. To achieve its goal, the primary objectives of the standard are to:
- Analyze vulnerabilities that can be further exploited
- List the processes to identify these system vulnerabilities
- Provide a list of best practices to harden the core architecture
- Provide examples of industry best practices
According to API 1164, the first step to address system vulnerabilities is to develop “a security management program with defined policies and procedures that complements the pipeline security plan.” The security plan itself is centered on people, processes and technology. The management plan should include provisions for establishing a Business Continuity Plan (BCP) and an Incident Response Plan (IRP), developing a change management plan, restricting the installation and use of non-authorized software and applications, and having a vulnerability management program to address risks of applying patches and updates to real-time systems.
On a technical level, the standard calls for implementing system access control procedures for user authentication and authorization. In addition, the document provides practices for achieving secure interconnectivity between the SCADA systems and other corporate business systems. The standard dictates the use of:
- Demilitarized Zones (DMZ)
- Network management / visibility
- Network monitoring
- Network security using IDPS and file audit and control
Finally, API 1164 provides guidance on developing procedures for data interchange between SCADA systems and business networks, between partners’ SCADA systems, and to third parties for the provision of support.
It is easily understood that the current version of the API 1164 standard is outdated. This fact has been acknowledged by the American Petroleum Industry in a joint report with the Oil and Natural Gas Subsector Coordinating Council (ONG SCC). The report, titled as Defense-in-Depth: Cybersecurity in the Natural Gas and Oil Industry, reads: “API Standard 1164, is specific to pipeline cybersecurity. Subject matter experts from natural gas and oil companies, as well as cybersecurity vendors, are currently working to update API 1164 to make it complementary to the NIST CSF [Cybersecurity Framework] and other applicable cybersecurity standards, such as ISA/IEC 62443 while still providing pipeline-specific cybersecurity guidance.”
The decision to update API 1164 stems from the fact that “natural gas and oil companies’ assets are the targets of a growing number of increasingly sophisticated cyberattacks perpetrated by a variety of attackers including nation-states and organized international criminals.” API and ONG SCC have jointly stated that “cybersecurity is a top priority for the natural gas and oil industry,” because these attacks or severe cyber incidents may result in “energy disruptions that can impact national security and public safety.”
Since cyberattacks are also “enterprise risks”, oil and gas companies are willing to develop “comprehensive approaches to cybersecurity similar to industry’s approach to managing safety: robust governance, systematic risk-based management, and multi-dimensional programs based on proven frameworks including the NIST Cybersecurity Framework (NIST CSF), best-in-class international cybersecurity standards including ISA/IEC 62443,” says the Defense-in-Depth report.
Pipeline Cybersecurity Initiative
Acknowledging the importance of having a strategic approach to securing the oil and gas industry, the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) and the Department of Homeland Security (DHS) decided to launch the Pipeline Cybersecurity Initiative “in order to identify and mitigate vulnerabilities to the pipeline ecosystem.”
The initiative enables pipeline owners and operators to identify and mitigate potential vulnerabilities through assessments. These assessments will provide invaluable information on pipeline assets and can be used to “further enhance long-term pipeline cybersecurity risk analysis, planning, and coordination efforts between the public and private sectors.”
Pipeline Security Guidelines
As part of the Pipeline Cybersecurity Initiative, DHS Transportation Security Administration (TSA) released revised Pipeline Security Guidelines, which serve as the governance framework for the update of API 1164 standard. These guidelines are applicable to “operational natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and liquefied natural gas facility operators. Additionally, they apply to operational pipeline systems that transport materials categorized as toxic inhalation hazards (TIH)”.
The guidelines call for a risk-based approach and asks pipeline operators to develop corporate security programs and plans. The security plan should be tailored to the operator’s needs and appropriate to the risk environment. The security plan should:
- Assign roles and responsibilities
- Document policies and procedures for conducting criticality assessments, risk assessments, and security vulnerability assessments (SVAs)
- Be in harmony with other corporate plans, such as the business continuity plan and the incident response plan.
Based on the risk assessment, pipeline operators should develop baseline and enhanced security measures. The baseline measures are to be applied at all pipeline cyber assets, while both baseline and enhanced measures must be applied to all critical pipeline cyber assets. “Pipeline cyber assets” are OT systems such as control systems (SCADA, process control systems (PCS), distributed control systems (DCS)), measurement systems and telemetry systems. According to the guidelines, “critical pipeline cyber assets are OT systems that can control operations on the pipeline”, while “non-critical pipeline cyber assets are OT systems that monitor operations on the pipeline.”
The TSA Pipeline Security Guidelines is the first approach to harmonize the actions required to mitigate cybersecurity challenges and vulnerabilities with the NIST Cybersecurity Framework. In fact, the guidelines suggest that “to implement an effective cybersecurity strategy, pipeline operators should consider the approach outlined in the NIST Framework.” Therefore, the cybersecurity guidelines are organized according to the NIST Cybersecurity Framework functions of Identify, Protect, Detect, Respond, and Recover.
Weaknesses In TSA Pipeline Security Program
In May 2019, the US Government Accountability Office (GAO) performed a study to identify any weaknesses in the TSA Pipeline Security Guidelines. According to the GAO report, although the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) had revised its pipeline security guidelines to reflect changes in the threat environment and incorporate most of the principles and practices from the NIST Cybersecurity Framework, the revisions do not include all elements of the current NIST framework and TSA does not have a documented process for reviewing and revising its guidelines on a regular basis.
In addition, TSA had failed to update the pipeline risk assessment to reflect current threats to the pipeline industry. Further, its sources of data and underlying assumptions and judgments regarding certain threat and vulnerability inputs are not fully documented.
As a result, GAO has recommended for TSA to revise and document its pipeline security guidelines and to update the pipeline cyber risk assessment.
Updated API 1164: Works in Progress
As a result of the above recommendations and considerations, API 1164 is now being revised. The revised version 3 will be put in the ballot during Q1 2020 and will be fully harmonized with NIST Cybersecurity Framework and ISA/IEC 62443 standard. The revised standard will cover all pipeline OT environments (SCADA, local controls and IIoT) for both oil and natural gas pipelines.
According to a presentation from SANS Cyber Security Summit, the new API 1164 will be a broad Oil and Natural Gas (ONG) industry consensus standard, marking a great improvement from the previous version which was of limited scope, applicability and enforcement. It will be a risk vs impact based standard, providing tailored industry guidance and covering the entire supply chain – operators, integrators and system technology.
More than 2.7 million miles of pipeline transport and distribute natural gas, oil, and other hazardous products throughout the United States. Interstate pipelines run through remote areas and highly populated urban areas and are vulnerable to accidents, operating errors, and malicious physical and cyber-based attacks or intrusion. Pipeline system disruptions could result in commodity price increases or widespread energy shortages.
Under the auspices of DHS TSA, the ONG industry is about to witness the biggest revision in pipeline security guidelines of the decade. If you want to stay ahead of the news and be informed of the latest developments in ONG pipeline security, follow ITEGRITI or contact the experts.