Expanding Pipeline Cybersecurity Regulations Drives Performance Management
Publication: Pipelines 2024
ABSTRACT
A range of cyber attacks on oil and natural gas infrastructure have occurred over the past decade showing a range of capability and potential impact across critical infrastructure. These attacks showcase the potential of adversaries to disrupt the delivery of oil and gas products, highlighting the need for enhanced cyber risk management across oil and gas infrastructure networks. Since the Colonial Pipeline cyber attack in May of 2021, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has provided and updated several security directives regarding physical and cyber security for pipeline and rail systems, driving the need to measure baseline and improvements to cybersecurity performance. In order to implement a comprehensive approach to cybersecurity, an owner or operator must first measure their baseline vulnerabilities and risks, develop a set of cybersecurity controls and metrics, and regularly measure the implementation, effectiveness, and impact of controls. This paper will discuss cybersecurity performance metrics and methods for measuring and managing cybersecurity performance for pipeline owners and operators.
Get full access to this chapter
View all available purchase options and get full access to this chapter.
REFERENCES
49 Code of Federal Regulation, Docket No. TSA-2022-0001. (2022, November 30).
88 Federal Regulation 36919. (2023, June 6).
Alberts, C., Allen, J., and Stoddard, R. (2012). Risk-Based Measurement and Analysis: Application to Software Security. Carnegie Mellon University Software Engineering Institute.
Anderson, E. (2023, July 19). Red teaming 101: What is red teaming? Retrieved from IBM: https://www.ibm.com/blog/red-teaming-101-what-is-red-teaming/.
Center for Internet Security. (2018, March). CIS Critical Security Controls V7 Measures & Metrics. East Greenbrush, NY.
Cybersecurity and Infrastructure Security Agency. (2020, October 24). Ransomware Impacting Pipeline Operations. Retrieved from Cybersecurity Advisories: https://www.cisa.gov/news-events.cybersecurity-advisories/aa20-049a.
Cybersecurity and Infrastructure Security Agency. (2022, February). Cyber Assessment Fact Sheet: Risk and Vulnerability Assessment. Retrieved from https://www.cisa.gov/sites/default/files/publications/VM_Assessments_Fact_Sheet_RVA_508C.pdf.
Cybersecurity and Infrastructure Security Agency. (2023, March). Cross-Sector Cybersecurity Performance Goals. Retrieved from https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_Report_v1.0.1_FINAL.pdf.
Cybersecurity and Infrastructure Security Agency. (2023, June). FY 2023 CIO FISMA Metrics Version 2.0. United States Department of Homeland Security.
Cybersecurity and Infrastructure Security Agency. (n.d.). CISA Vulnerability Scanning. Retrieved December 15, 2023, from CISA Services: https://www.cisa.gov/resources-tools/services/cisa-vulnerability-scanning.
Department of Homeland Security. (2021, May 27). DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators. Retrieved from Press Releases: https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.
Department of Homeland Security. (2021, July 20). DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators. Retrieved from Press Releases: https://www.dhs.gov/news/2021/07/20/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.
Federal Bureau of Investigation. (2022, March 24). TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS). Retrieved from FBI Private Industry Notifications: https://docs.house.gov/meetings/JU/JU00/20220329/114533/HHRG-117-JU00-20220329-SD009.pdf.
Giles, M. (2019, March 15). Triton is the world’s most murderous malware, and it’s spreading. Retrieved from MIT Technology Review: https://www.technologyreview.com/2019/03/05/1033https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-triton-malware/.
Hearing Before the United States Senate Committee on Homeland Security and Governmental Affairs, 117th Congress (2021) (Testimony of Joseph Blount, President and Chief Executive Officer Colonial Pipeline Company).
MITRE Engenuity. (2022, January 13). NIST 800-53 Controls to ATT&CK Mappings. Retrieved from https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/nist-800-53-control-mappings/.
National Institute of Standards and Technology. (2018, April 16). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.
National Institute of Standards and Technology. (2020, September). NIST SP 800-53 Rev.5 Security and Privacy Controls for Information Systems and Organizations.
Office of Cybersecurity, Energy Security, and Emergency Response. (2021, May). Colonial Pipeline Cyber Incident. Retrieved from Department of Energy: https://www.energy.gov/ceser/colonial-pipeline-cyber-incident.
Office of Cybersecurity, Energy Security, and Emergency Response. (2022, June). Cybersecurity Capability Maturity Model (C2M2, Version 2.1.
Security Directive Pipeline-2021-02C. (2022, July 27). Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing.
Standard CIP-002-1 – Cyber Security – Critical Cyber Asset Identification. (2006, May 2). North American Electric Reliability Corporation.
Strom, B. E., Applebaum, A., Miller, D. P., Nickels, K. C., Pennington, A. G., and Thomas, C. B. (2020). MITRE ATT&CK®: Design and Philosophy. McLean, VA: MITRE Corporation.
The White House. (2021, May 11). Fact Sheet: The Biden-Harris Administration Has Launched an All-of-Government Effort to Address Colonial Pipeline Incident. https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/11/fact-sheet-the-biden-harris-administration-has-launched-an-all-of-government-effort-to-address-colonial-pipeline-incident/.
Information & Authors
Information
Published In
History
Published online: Aug 30, 2024
ASCE Technical Topics:
Authors
Metrics & Citations
Metrics
Citations
Download citation
If you have the appropriate software installed, you can download article citation data to the citation manager of your choice. Simply select your manager software from the list below and click Download.