At Tripwire's recent Energy and NERC Compliance Working Group, we had the opportunity to speak with the Manager of Gas Measurement, Controls, & Cybersecurity at a large energy company. More specifically, we focused on SCADA and field assets of gas Operational Technology. The experience at the management level of such an organization provided a wealth of knowledge for the attendees.
SCADA Environment and the Cloud
Most SCADA infrastructure remains on-premises. This is true of many Energy sector entities, and it is more than simply being "old-fashioned": the hardware-focused implementation itself helps with cybersecurity in general. Cloud-based SCADA is not unheard of, but it is uncommon in the gas industry. At the event, it was described this way: "I don't know what the industry thinks in general, but we will continue to have an on-premise hardware infrastructure." For some organizations, even a SCADA upgrade project is still designed the same way. Many peers in the energy industry would agree, as they are keenly aware of the risks posed by connecting an OT environment to the internet. Actions such as removing browsers from our machines are only one way to control this. It is clear that cloud-based SCADA is not happening anytime soon.
The TSA as a Collaborator for Better Pipeline Security
Most folks recognize the Transportation Safety Administration (TSA) as the people who screen passengers at airports. However, most energy sector professionals know that the TSA has broad oversight of many critical infrastructure components, such as railways, water plants, and liquid and gas pipelines. Gas pipelines are regulated very differently from utility companies under NERC CIP. For example, the TSA came up with Security Directive-01, which focused on physical security. After the Colonial Pipeline incident, the TSA issued Security Directive-02, which focused on cybersecurity and targeted the country's top 100 pipeline operators. Every July, a new version of the Security Directive is issued, and the current version, version "D", is the fourth iteration. Although the yearly updates of the directives point towards an improving security posture, the directives and overall compliance requirements are in their infancy when compared to NERC CIP requirements and regulation.
One of the early hurdles for companies that had to comply with the first version of the Directive was that it was very prescriptive, which made it difficult to implement. However, over time, the TSA listened to the industry's requests and created a more collaborative approach to developing subsequent versions of the Directive. They also leveraged help from CISA and some of the other agencies.
Validated Architecture Design Review (VADR)
One challenge for utilities under the new Directive is how to address security with third-party contractors. It is easy to understand how challenging architecture can be: how you design and manage the network, and how you bring external data into it, all factor into security. Every company is trying to work out the best way to balance business needs against cybersecurity needs.
Overlapping NERC CIP and TSA compliance
It would seem that there should be an overlap between NERC CIP and the TSA requirements. However, they are not easily joined. NERC CIP is applicable to the electrical side of the business, while the TSA Directive is specific to the gas side, and the expectations from NERC versus the TSA are quite different. However, within our guest speaker's organization, they conduct regular touchpoints with each area of the company to learn from each other. The electric side is further ahead because NERC came about many years ago, giving it a head start. The gas side of the business continues to benchmark and learn, but it cannot take whatever is done on the electric side and just bring it over as is. Each control has to be considered carefully: what works for the gas company, what the TSA requires, and only then how to implement the tools.
There are synergies because of how the business is structured. While the TSA and NERC seek the same controls, the way they are implemented may differ because the assets and the business areas are different. The organization is also part of the American Gas Association (AGA), which conducts weekly calls with other gas companies to learn how others are addressing the TSA requirements. As with most industries, this collaborative exchange is important for understanding what other utilities are struggling with; it lends itself to better external benchmarking and to following up with a deep dive into a particular topic.
Within the organization, collaboration happens in two ways. All compliance rolls up to one director. If the director comes off of a NERC call, he will share something just because it's at the top of his mind. That connects the gas and NERC sides, enabling full departmental awareness. It's valuable to learn lessons from the NERC side of the house and apply them where possible on the gas side.
Sometimes, there is a natural need to work across the departments, for example when there are shared accounts between the electric and gas sides. Similarly, a new process such as adding multi-factor authentication on the field side of the gas operation maps closely to distribution operations on the electric side, which seamlessly drives collaboration with the other side. These affiliations will strengthen as the TSA tightens the requirements and expectations of the gas industry.
"We use Tripwire to monitor device communications. Tripwire is implemented in SCADA, and on the field side, listening passively to about 1,500 assets and gathering information. This is something that we didn't have any insight into before."
Non-Competing Creates Better Information Sharing
Among AGA members, there is a great amount of information sharing. There are two possible reasons for this. The first is that energy companies are not competing with each other, so there is nothing to lose from helping a neighboring organization. Second, this collaborative approach better serves the community as a whole, leading to more security for the entire industry.
At this point, the AGA is issuing some findings rather than strong recommendations. They are asking operators to integrate these findings into their Cybersecurity Implementation Plan. This is a plan that every operator needs to create to meet the requirements of the Security Directive. The plan has a very detailed schedule of what we are going to perform. The TSA holds gas companies to that schedule, so if a date is missed, or if a project is finished ahead of schedule, they want to know about it. All the findings and recommendations included in the plan become part of a formal document. But that's the extent of the report that is issued. There has been mention of penalties here and there at some inspections, but nothing has been enforced so far.
The Future of TSA Assessments
The Manager with whom we spoke is confident that the TSA assessment process will move towards a process similar to the NERC CIP assessments. At this point, it is still a very friendly, collaborative relationship between the TSA and the energy companies. "There is no financial impact but we know it's coming. As an industry, we are prepared, and our organization is preparing for that. It's not too far away in the future that there will be penalties issued."
Experts like our guest speaker are what helped to make Tripwire's Energy Working Group virtual event successful. Vast knowledge and a generous spirit are exactly what is needed to make the energy sector a safer place. If you would like to find out more about how Tripwire can help make your critical infrastructure safer, contact us here.