Pipeline Cybersecurity

The Pipeline Cybersecurity Initiative (PCI) was established to help CISA, the Transportation Security Administration (TSA), and interagency partners build a better understanding of the cybersecurity posture of America's oil and natural gas (ONG) pipeline industry. Since its inception in 2018, the PCI has worked closely with pipeline stakeholders to identify key vulnerabilities within ONG pipeline operational technology systems, raise awareness of trends across the industry, and collaborate with government and private sector partners to identify and implement actionable mitigation measures to address known issues.

The PCI has successfully driven demonstrable change across the industry, empowering government action and helping the ONG owner/operators to justify improvements to pipeline cybersecurity. As government departments and agencies take a more active role in pipeline cybersecurity, the PCI and its activities are transitioning to enduring programs in TSA and CISA to build on the success of the initiative.

PCI Overview

Pipeline infrastructure in the United States has become increasingly dependent on automation such as remote access and internet-connected devices to drive their operations. While automation provides efficiency and reliability of services, the inherent vulnerabilities in pipeline IT and OT (e.g., industrial control systems) present opportunities for malicious actors to exploit. A compromise of pipeline systems could result in explosions, equipment destruction, unanticipated shutdowns or sabotage, theft of intellectual property, and downstream impacts to National Critical Functions (NCF) and therefore, impact our national safety and prosperity.

In October 2018, the U.S. Department of Homeland Security (DHS) created the Pipeline Cybersecurity Initiative (PCI) and charged CISA with addressing cybersecurity risks to the Nation's pipeline infrastructure with a focus on oil and natural gas (ONG) pipelines. CISA is working to help pipeline owners and operators prepare for, respond to, and mitigate significant cyber events. Three primary functions of the PCI include:

• Assessing the cybersecurity posture and preparedness of pipeline companies to identify significant vulnerabilities that increase the risk to key systems and reliable operations.
• Analyzing assessment findings to develop risk mitigation strategies and informational tools that companies may use to address the identified risks.
• Engaging with interagency partners and industry stakeholders to share information, raise awareness of critical issues, and inform pipeline cybersecurity activities.

Across these three functions, CISA is working with stakeholders: (the Transportation Security Administration (TSA), National Laboratories, and federal and industry partners) to foster stronger relationships with pipeline owners and operators. This holistic collaboration provides a platform to share information and expertise on pipeline vulnerabilities and risks and coordinate the development of actionable risk mitigation strategies and security measures.

Analyzing Assessment Findings

With the threat environment changing as quickly as ideas spread or technology evolves, no single entity in government or industry has the whole threat picture. To build a comprehensive a view of the pipeline cybersecurity posture, CISA collects and aggregates information from cybersecurity assessments and classified intelligence, and actively engages with industry to identify cost-effective security measures that achieve the desired level of security.

CISA also partners with the National Laboratories and the Department of Energy (DOE), through the National Infrastructure Simulation and Analysis Center (NISAC), to identify threats to pipeline systems and understand the criticality of system components. Through this partnership, several activities are being conducted, including:

• Analyzing pipeline OT infrastructure to identify vulnerabilities with the highest risk,
• Determining the cascading impacts of a successful attack within and across sectors,
• Engineering solutions to reduce the likelihood of a successful attack, and
• Developing a roadmap for improving pipeline cyber resilience.

This multi-faceted approach will drive improvements to the security of those critical systems that, if adversely affected, would impact services used or supported by the National Critical Functions (NCFs).

Assessments and engagements so far have already illuminated a number of consistent risk management takeaways that can be broadly applied for effective pipeline cybersecurity risk management. These include concepts like boundary protect and network segmentation and are shown in more detail in materials outlined in the PCI Resources section below.

Engaging with Partners and Stakeholders

Pipeline operations rely on and impact many critical infrastructure sectors including energy, water and wastewater systems, chemical, and transportation systems. The manipulation of a pipeline system may result in consequences within a sector as well as across other, dependent sectors. For example, the cyber sabotage of OT in a vital natural gas compressor station could result in downstream impacts to residential and industrial distribution, a halt in upstream extraction and processing operations, and the interruption of fuel supplies needed for electrical generation.

The Agency's approach for risk management relies on effective collaboration to ensure a unity of effort toward improving pipeline cybersecurity. The Agency is working with Sector-Specific Agencies (SSAS) to coordinate information sharing, awareness, and risk-reduction activities to ensure a unified effort to secure all aspects of pipeline infrastructure. Additionally, the Agency is also engaging with the private industry through a partnership such as with the ONG Subsector Coordinating Council (SCC) - made up of pipeline owners, operators, and other key stakeholders - to ensure that its activities are informed not only through internal analysis and priority setting, but also through stakeholders' self-identified needs.

The goal of this collaborative engagement is to ensure that industry and government activities are coordinated, stakeholders have access to timely information, and work is conducted efficiently.