The Pipeline and Hazardous Materials Safety Administration
(PHMSA) has increasingly required technological solutions to ongoing safety
problems with both gas transmission and hazardous material pipelines. A good
example of that reliance can be found in the notice of proposed rulemaking
(NPRM) that PHMSA issued
earlier this month requiring the use of automated valves to limit the
damage caused when pipelines rupture. Unfortunately, PHMSA’s failure to address
cybersecurity issues related to the sensors and control systems associated with
such technological solutions reduces the effectiveness of those measures.

Part of the reason that PHMSA has failed to act is that
Congress has not provided PHMSA, or DOT in general, with specific authority to
regulate the cybersecurity of pipeline infrastructure. The primary
responsibility for pipeline security rests with the underfunded and woefully
understaffed surface transportation security folks within the Transportation Security
Administration (TSA). But TSA has been both unwilling and unable to address cybersecurity
issues beyond issuing broad guidelines and hoping for voluntary industry
compliance with those guidelines.

The time has come for PHMSA to realize that it has an inherent
responsibility to ensure that the technologies that it mandates for pipeline
safety purposes are specifically protected against cyberattacks and that the
failure of cybersecurity protections should trigger the same reporting
requirements that accompany the failure of physical controls.

For example, in the current NPRM PHMSA could change the
wording of the new §192.745(c)
to read:
(c) For each valve installed under § 192.179(e) and each rupture-mitigation
valve under § 192.634 that is a remote control shut-off or automatic shut-off
valve, or that is based on alternative equivalent technology, the operator must:

  (1) conduct a point-to-point verification between SCADA displays and the
  mainline valve, sensors, and communications equipment in accordance with
  § 192.631(c) and (e);

  (2) demonstrate that the SCADA system, the mainline valve, sensors, and
  communications equipment are covered under a written cybersecurity plan that
  identifies:

    (A) each of the open ports on each component and the processes, controls
    or devices protecting each open port against unauthorized communications
    attempts;

    (B) procedures that are in place to ensure that all vendor security
    notices and advisories for each device are:

      (I) reviewed in a timely manner, and

      (II) the subject of a subsequent security risk assessment where
      appropriately adopted risk mitigation measures are implemented in a
      timely manner;

    (C) the reporting processes that will be used to notify management of any
    incidents, equipment failures or loss of process view or control that
    might indicate a cyber intrusion or attack, and

    (D) how the organization will respond to vulnerability reports from both
    within and outside of the organization.

NOTE: A copy of this post will be submitted as a comment on
the NPRM in question.