Summary: The growing importance of liquified natural gas (LNG) not only to the US economy but also to global economies, has increased the need to protect LNG infrastructure from emerging cyber threats. The National Cybersecurity Center of Excellence (NCCoE) has partnered with industry professionals to develop a Cybersecurity Framework Profile to help businesses build their defenses.

Liquified Natural Gas (LNG) is natural gas that has been supercooled to liquid form and transported to terminals and ports throughout the world in specialized tankers. The production and transport of LNG rely on sophisticated, integrated, and interdependent IT, OT, and communications networks, from the liquefaction facilities to the marine transportation systems, vessels, and LNG terminals. The safety of workers, vessels, cargo, and ports could be compromised by a cybersecurity event involving any component of the LNG lifecycle.

The need for LNG cybersecurity

Today, oil and natural gas account for 55% of the world’s energy consumption, and the United States is the greatest natural gas producer in the world. Natural gas is an essential energy source for the United States, supplying over one-third of the nation’s primary energy and acting as the principal heating fuel for roughly half of all American households. In the United States, most natural gas is transmitted in its gaseous form through pipelines. However, the increasing demand for natural gas on the international market has led to its use in a liquefied form.

To assist U.S. jurisdictions in securing LNG, the National Cybersecurity Center of Excellence (NCCoE) and industry stakeholders established the Cybersecurity Framework Profile for LNG (Profile) based on mission-oriented, high-level objectives of LNG infrastructure. The Profile offers a voluntary, risk-based strategy for managing cybersecurity activities and minimizing cyber risk to the whole LNG process. The Profile is an addition to the LNG industry’s previously existing cybersecurity standards, laws, and industry recommendations.

Purpose of the NIST LNG profile

This Profile will assist in identifying possibilities for addressing cybersecurity threats across the LNG lifecycle. Due to inherent system vulnerabilities, such as remotely managed third-party systems and vulnerable onboard technology like Programmable Logic Controllers (PLCs), Global Positioning System (GPS), and Automatic Identification System (AIS), LNG systems may be susceptible to cyberattacks. This could result in overflowing fuel tanks, the unintentional release of LNG, and other problems that render LNG unavailable or have severe repercussions when it returns to its gaseous condition.

In online workshops, participants from the oil and natural gas industries defined nine Mission Objectives for the LNG business. These Mission Objectives do not include every technical aspect of the LNG process, as the technical components of LNG, systems vary greatly and cannot be completely covered in a single Profile. Nonetheless, the Profile will assist the LNG industry in focusing on operations that require immediate attention, while leaving it to individual stakeholders to implement the cybersecurity measures that are most appropriate for their needs.

The LNG Mission Objectives

Throughout the workshop’s exercises and discussions, participants offered descriptions and rationales for the prioritized Mission objectives. The participants ranked these Mission objectives, and their ranking is intended to be instructive rather than prescriptive. When reviewing this Profile, each business should evaluate its particular objectives and priorities and adapt its application of guidelines accordingly.

The prioritization of the Mission Objectives is shown in the table below.

Table 1: Liquified Natural Gas Mission Objectives. Source: NIS/NCCoE

Gas

Mission Objective 1: Maintain Safe and Secure Operations

Organizations identify operational and cybersecurity vulnerabilities and threats that may impact personnel safety and operations continuity. Methods for maintaining regulatory compliance and safeguarding the multi-operator environment are factors to consider. This mission objective results in the adoption of procedures to prevent the loss of plant control, infrastructure and system visibility, and confidential data.

Mission Objective 2: Ensure Operational Integrity of Plant Systems and Processes

The integrity of hardware, software, and procedures is maintained by LNG operators to prevent loss of control and maintain facility operation. This involves the management of product and system lifecycles to ensure continued functionality, as well as the validation of applied processes to achieve desired results.

Mission Objective 3: Control Operational and Enterprise Security and Access

Partners in the LNG business maintain their security profiles by identifying security risks and implementing procedures to mitigate them to prevent security breaches that have an impact on operations. This can be accomplished by comprehending business activity; monitoring, detecting, and logging events; controlling physical and remote access to sites, systems, and assets; and modifying existing security rules based on continuous risk evaluation and insights.

Mission Objective 4: Monitor, Detect, and Respond to Anomalous Behavior

To maintain situational awareness, LNG operations must include monitoring for abnormal behavior. The operation may require security baselines to detect irregularities. Correlating detected behavior with other occurrences in order to identify indicators of compromise aids an organization’s capacity to interrupt the cyber kill chain.

Mission Objective 5: Safeguard the Environment

To preserve the viability of operations and the organization’s mission, environmental integrity must be preserved. Malicious cyber actions affecting process control systems can have a substantial impact on the environment.

Mission Objective 6: Define Policy and Governance Actions that Capture/Protect the Mission

The development of written cybersecurity strategies, processes, and procedures should be a requirement of policy and governance actions.

Mission Objective 7: Maintain Regulatory Compliance

To maintain operations, organizations ensure operational plans and procedures comply with regulatory standards and best practices. At the organizational level, protocols and processes are defined and coordinated to support regulatory compliance.

Mission Objective 8: Continuously Optimize and Maintain the Current Operational State by Establishing Baselines and Measures

Organizations function iteratively to elevate the “actual state” to the “desired state” by specifying clearly in corporate policies events, threshold triggers, and remedial actions.

Mission Objective 9: Validate and Optimize the Supply Chain

Organizations reduce supply chain risks in the acquisition of IT technology and services through the use of clear vendor agreements and established processes and procedures (including testing) prior to the installation and updating of these technologies and services.

The public comment period for this draft NIST publication is open through November 17, 2022.

Want to discuss this topic with one of our experts? “Please visit our Contact Us page to request more information or connect with a Subject Matter Expert (SME).