Cybersecurity is increasingly critical in pipeline operations. In February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an industry-specific report about ransomware targeting pipeline operators. The report encouraged pipeline operators to review the techniques of bad actors included in the report and to ensure they have corresponding mitigation efforts in place.
The goal of the report is to help administrators and network defenders protect their operation against ransomware attacks. CISA then updated their report in July, coinciding with a rise in cyber attacks affecting all industries during the global pandemic.
Now, there is increased attention on cybersecurity in pipeline operations coming from the regulatory side. Specifically, PHMSA is seeking to have conversations with operators about the cybersecurity components of their pipeline control room.
PHMSA Adding Cyber Safeguarding Awareness to Inspections
For pipeline operators whose assets are under federal jurisdiction, we have become aware that upcoming PHMSA inspections may include discussions about the cybersecurity of industrial control systems.
From our understanding, control room management inspectors will seek to discuss cybersecurity during the course of their routine control room inspections. The cybersecurity component is voluntary.
PHMSA is referring to this portion of the inspection as Cyber Safeguarding Awareness. This voluntary discussion will be based on a Cyber Safeguarding Discussion Form that will be used by the PHMSA inspectors during the cyber portion of the review.
To stress, the elements in the form will be reviewed in a discussion format between the operator and the inspector, and this will not be regulatory in nature.
We recommend that pipeline operators who are subject to an upcoming PHMSA audit of their control room reach out to PHMSA directly to request a copy of the questionnaire. Having access to this form prior to the audit will help you determine how to engage in the discussion with the inspector should you choose to participate.
Find Support for PHMSA Inspection and Cybersecurity Concerns
Every pipeline operation is different. Perhaps you have been directly targeted by a cybersecurity attack. Or, your operation may not have experienced a cyber attack and you want to keep it that way.
For other operators, cybersecurity may be a secondary issue. Instead, you are more concerned about gathering documentation that proves alignment with the Control Room Management Rule (CRM Rule) to satisfy the PHMSA inspection. We can help your operation with cybersecurity efforts and the control room inspection:
- Industrial control systems: our technology experts understand the security measures required in a pipeline SCADA system. We can assess your systems to identify vulnerabilities that need to be addressed.
- Control room inspection: our control room experts understand the unique needs of satisfying a PHMSA control room audit. We can perform a CRM Compliance review and mock audit to identify gaps that need to be addressed to improve audit readiness.