Tuesday, February 18, 2020

Pipeline Safety and Cybersecurity

The Pipeline and Hazardous Material Safety Administration (PHMSA) has increasingly begun to require technological solutions to ongoing safety problems with both gas transmission and hazardous material pipelines. A good example of that reliance can be found in the notice of proposed rulemaking (NPRM) that PHMSA issued earlier this month requiring the use of automated valves to limit the damage caused when pipelines rupture. Unfortunately, PHMSA’s failure to address cybersecurity issues related to the sensors and control systems associated with such technological solutions reduces the effectiveness of those measures.

Part of the reason that PHMSA has failed to act is that Congress has not provided PHMSA or DOT in general with specific authority to regulate the cybersecurity of pipeline infrastructure. The primary responsibility for pipeline security rests with the underfunded and woefully understaffed surface transportation security folks within the Transportation Security Administration (TSA). But TSA has been both unwilling and unable to address cybersecurity issues beyond issuing broad guidelines and hoping for voluntary industry compliance with those guidelines.

The time has come for PHMSA to realize that it has an inherent responsibility to ensure that the technologies that it mandates for pipeline safety purposes are specifically protected against cyberattacks and that the failure of cybersecurity protections should trigger the same reporting requirements that accompany the failure of physical controls.

For example, in the current NPRM PHMSA could change the wording of the new §192.745(c) to read:

(c) For each valve installed under § 192.179(e) and each rupture-mitigation valve under § 192.634 that is a remote control shut-off or automatic shut-off valve, or that is based on alternative equivalent technology, the operator must:

(1) conduct a point-to-point verification between SCADA displays and the mainline valve, sensors, and communications equipment in accordance with § 192.631(c) and (e);

(2) demonstrate that the SCADA system, the mainline valve, sensors, and communications equipment are covered under a written cybersecurity plan that identifies:

(A) each of the open ports on each component and the processes, controls or devices protecting each open port against unauthorized communications attempts;

(B) procedures that are in place to ensure that all vendor security notices and advisories for each device are:

(I) reviewed in a timely manner, and
(II) the subject of a subsequent security risk assessment where appropriately adopted risk mitigation measures are implemented in a timely manner;

(C) the reporting processes that will be used to notify management of any incidents, equipment failures or loss of process view or control that might indicate a cyber intrusion or attack, and

(D) how the organization will respond to vulnerability reports from both within and outside of the organization.

NOTE: A copy of this post will be submitted as a comment on the NPRM in question.
