JCDC Builds Foundation for Pipelines Cyber Defense Planning Effort

By Clayton Romans, Associate Director

Businesses, communities, and families across America depend on the reliable availability of oil and natural gas for countless functions of everyday life. Recognizing the criticality of the oil and natural gas (ONG) subsector to our shared security and prosperity, over 25 ONG organizations, with an emphasis on high-throughput midstream natural gas pipeline owner-operators, and their industrial control systems (ICS) vendors convened through the Joint Cyber Defense Collaborative (JCDC) to undertake the 2023 JCDC Pipelines Cyber Defense Planning Effort.

The 2023 JCDC Pipelines Cyber Defense Planning Effort was a novel approach to bring together pipeline owner-operators and their ICS vendors, in partnership with the Transportation Security Administration and Department of Energy, to address shared challenges – whether ransomware incidents like the 2021 intrusion into Colonial Pipeline or persistent targeting by threat actors like the People’s Republic of China who possess the capability to disrupt natural gas pipelines, as highlighted in the ODNI 2023 Annual Threat Assessment. An effective response to these threats demands public-private collaboration efforts to defend pipeline networks against compromise and ensure that they continue to function in a worst-case scenario.

This effort resulted in a detailed by-industry, for-industry network architecture diagram and adjoining principles, the ONG Pipelines Reference Architecture. Pipeline owner-operators and ICS vendors built this architecture to serve as a voluntary model to guide their investment, planning, and operations as they work to better segment their networks and mitigate intrusion campaigns. The ONG Pipelines Reference Architecture offers practical guidance for stepping up risk management and showcases the interplay between network segmentation, multi-factor authentication (MFA), external dependencies, and critical field devices. For more information on the ONG Pipelines Reference Architecture, please contact the ONG Sector Coordinating Council.

By organizing collaboration between midstream pipeline owner-operators and ICS vendors, this cyber defense planning effort facilitated a foundation for industry to proactively take transformative steps to harden the digital networks that run our nation’s largest natural gas pipelines against compromises – an example of the vision first established by the Cyberspace Solarium Commission and codified by Congress to catalyze cyber defense planning that yields real change in our nation’s cybersecurity.

Here are some comments from a few organizations that participated in this planning effort:

"Participating on the PRA project was an exciting opportunity to showcase security best practices used by both large and small pipeline operators as well as key vendors in that space. It was a great example of how government and industry collaboration can produce a quality product that can be used by ONG operators and vendors to incorporate sound and tested network design principles into their own environments."

Rob Mims
Director of Security – Gas, Nuclear, and Electric
Southern Company Gas

"JCDC genuinely listened to stakeholders and fostered a constructive environment benefitting the common good and advancing our nation’s security posture."

Kimberly Denbow
Vice President of Security & Operations
American Gas Association

"Thanks for inviting Emerson to be a part of the team developing the PRA. The opportunity to work with a diverse group of industry specialists has proven insightful, as well as achieving the primary aims of developing an approach to securing pipeline operations. I think that much of the work that has been done by this group will have application beyond the pipeline industry. Many thanks to JCDC for facilitating this, and bringing together the team that did it."

Steve Hill
Director of SCADA Solutions
Emerson Automation Solutions

"There are many public/private partnerships Kinder Morgan participates in, and our collective efforts between industry, government and vendors on these important initiatives provided meaningful and actionable results. Kinder Morgan is a strong supporter of CISA and JCDC; this was a productive use of our time."

Craig Barrett
Vice President of Cybersecurity
Kinder Morgan

"INGAA is grateful for the engagement between our member companies and CISA on this important effort, which we feel confident will support industry-wide collective defense efforts. Many of our members contributed significant time and resources to developing this PRA and we are glad to see those efforts come to fruition."

Maggie O'Connell
Director of Security, Reliability, and Resilience
Interstate Natural Gas Association of America

Disclaimer

CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services referenced or linked to on this page. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.