Texas Oil Companies Work To Adapt To Falling Oil Prices

Natural gas organizations are starting to integrate cybersecurity with other programs or applications as opposed to ad hoc or bolt-on fixes, according to Black & Veatch’s 2014 Strategic Directions: U.S. Natural Gas Industry report.

The renewed focus on both physical and cyber security can be understood, in part, as a function of the continued rise in connected devices and the data they emit, collect and transfer. Respondents to the survey agree and their organizations are acting. According to the report, 75 percent indicate that their organizations have established or are planning to implement a formal enterprise-wide cybersecurity program.

“Planned integration is important because, in many cases, bolt-on fixes, such as third-party solutions, are not scalable,” said Dan Rueckert, head of the Security & Compliance practice for Black & Veatch’s management consulting business. “Ad hoc solutions usually only work in single instances or are application-specific, and they result in increased overhead management and costs.”

Today’s more comprehensive approach incorporates a sustainable “defense in depth” program that considers enterprise maturity, business and technology issues, and security spend for the organization.

The industry’s new focus hews more closely to that of the electric utility industry, Rueckert said, with new mandates reflecting an increased awareness of physical threats to natural gas pipeline infrastructure.

Continued Spotlight on Security

While recent announcements of pipeline projects signal optimism about the industry, much discussion has also focused on the fuel’s potential security risks and compliance requirements. Moreover, the risks are not limited to the pipelines themselves – a 2014 Government Accountability Office (GAO) report addressed vulnerabilities to oil- and gas-bearing vessels at national ports.

“Security planning must keep pace with operational shifts precipitated by the inclusion of interconnected tools, processes, devices and evolving compliance mandates,” Rueckert said. He noted that these changes are reflected in the trend toward industrywide convergence of information technology (IT) and operations technologies (OT).

“Year over year, survey respondents have shown an increase in the integration of cybersecurity and physical security and overall assimilation of cybersecurity in enterprise operations programming,” he stated.

A Marked Change in Behavior

Tom Strickland, Director, Cyber, Compliance and Critical Infrastructure practice for Black & Veatch’s management consulting business, said the increased focus on including IT infrastructure securitization marks a change in industry behavior. Historically, he said, priority was given to industrial control and supervisory control and data acquisition (SCADA) systems.

“With the evolution of the integrated enterprise network, the next frontier will be addressing the security risks of the IT/OT convergence,” Strickland said. “As diverse enterprise environments merge, so will the challenges and risks in the natural gas environment.”

[Chart: Respondents were asked to identify programs that were integrated or inter-related with their organization’s enterprise-wide cybersecurity programs. Source: Black & Veatch]

Security managers will have to address divergent solution philosophies, technologies, risk profiles and assessment and risk modeling issues, Strickland said. For example, some non-IP based SCADA systems become unstable or reset and shut down because new IP-based codes essentially represent a foreign language to the environment. These systems may not be capable of handling the increased traffic or required protocol responses.

From an operational perspective, safety systems must be assessed as well, Strickland said. Traditionally, security fell under the safety umbrella, but now cybersecurity and physical security fall into their own category. This evolution can be attributed to the fact that many natural gas safety systems are now data-related and not necessarily just kinetic or physical safety devices, he said.

“Organizations can mitigate overall risk by delineating safety control systems and data networks,” Strickland said. “Potential solutions include properly aligned and managed technologies such as DMZs, data diodes, protocol/media converters, and segmented networks.”

Understanding Regulatory Mandates

Securing natural gas infrastructure will also require organizations to be fully versed in regulatory mandates, Rueckert said. For some, this can prove challenging because requirements have not fully evolved with the potential risks presented by technology.

Tackling this lag is top of mind for regulators and utilities alike, Rueckert said. A recent report from the Bipartisan Policy Center, Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat, included retired Gen. Michael Hayden among its authors. In it, Hayden, the former Central Intelligence Agency (CIA) and National Security Agency (NSA) director, proposes federally guaranteed cybersecurity insurance, saying, “A federal backstop would increase carriers’ willingness to offer cyber insurance and lower the cost of doing so.”

[Chart: Respondents were asked if their organization had a formal, enterprise-wide cybersecurity program. Source: Black & Veatch]

Just as the industry is working to provide greater security for its assets, so are regulators and key industry groups. Last year the National Institute of Standards and Technology (NIST) submitted a request for increased funding, specifically targeting physical security as a priority. NIST said the funds would be used to “improve the design, performance and integration of cyber-physical systems that can reduce costs, increase efficiency and reliability, improve safety and provide security in national priorities for advanced manufacturing, health care, energy, defense, homeland security and transportation.”

Assistance with Implementation

Some organizations recognize the need for a third-party liaison to assist both sides in communication and planning.

“In our experience, for many organizations, their actual vulnerability is far greater than the organizations perceive,” Strickland said. “This delta in awareness can be mitigated via education and preparedness. We believe that risk assessments and planning allow organizations to act with confidence and achieve compliance more economically and quickly.”

Published originally on Black & Veatch Solutions