Pipeline infrastructure—composed of thousands of companies and more than 2.7 million miles of pipelines responsible for transporting oil, natural gas, and other commodities—is a key enabler of our economic and national security. As pipeline owners and operators are increasingly relying on the integration of information and communication technologies (ICT) into information technology (IT) and operational technology (OT) to drive automation, they must also implement security measures to protect pipelines from evolving and emerging cyber risks. The integration of ICT devices into critical pipeline systems creates vulnerabilities that nefarious cyber actors may exploit.
CISA, through the National Risk Management Center (NRMC), is managing the Pipeline Cybersecurity Initiative (PCI) by leveraging expertise from government and private partners to identify and address cybersecurity risks to enhance the security and resiliency of the Nation’s pipeline infrastructure.
May 27, 2021: The Department of Homeland Security’s Transportation Security Administration (TSA) announced a Security Directive that will enable DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector. The Security Directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA and to designate a Cybersecurity Coordinator to be available 24/7.
- Read the statement: DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators
Pipeline infrastructure in the United States has become increasingly dependent on automation, such as remote access and internet-connected devices, to drive its operations. While automation provides efficiency and reliability of services, the inherent vulnerabilities in pipeline IT and OT (e.g., industrial control systems) present opportunities for malicious actors to exploit. A compromise of pipeline systems could result in explosions, equipment destruction, unanticipated shutdowns or sabotage, theft of intellectual property, and downstream impacts to National Critical Functions (NCF), and could therefore affect our national safety and prosperity.
In October 2018, the U.S. Department of Homeland Security (DHS) created the Pipeline Cybersecurity Initiative (PCI) and charged CISA with addressing cybersecurity risks to the Nation’s pipeline infrastructure—with a focus on oil and natural gas (ONG) pipelines. CISA is working to help pipeline owners and operators prepare for, respond to, and mitigate significant cyber events. Three primary functions of the PCI include:
- Assessing the cybersecurity posture and preparedness of pipeline companies to identify significant vulnerabilities that increase the risk to key systems and reliable operations;
- Analyzing assessment findings to develop risk mitigation strategies and informational tools that companies may use to address the identified risks; and
- Engaging with interagency partners and industry stakeholders to share information, raise awareness of critical issues, and inform pipeline cybersecurity activities.
Across these three functions, CISA is working with stakeholders—the Transportation Security Administration (TSA), National Laboratories, and federal and industry partners—to foster stronger relationships with pipeline owners and operators. This holistic collaboration provides a platform to share information and expertise on pipeline vulnerabilities and risks and coordinate the development of actionable risk mitigation strategies and security measures.
Assessing Pipeline Cybersecurity Posture
To build a better understanding of the OT and IT cybersecurity environment, CISA and TSA are working with owners and operators of oil and natural gas (ONG) infrastructure to conduct Validated Architecture Design Reviews (VADR). These no-cost assessments are a voluntary, in-depth review of network architecture design, system configuration and logs, and network traffic using tools and processes based on federal and industry standards, guidelines, and best practices.
Pipeline companies benefit from the assessment by gaining a better understanding of vulnerabilities within their systems and building relationships with the federal cyber response community. Following each VADR, companies are provided a detailed overview of findings, including notable strengths, vulnerabilities, and strategies for addressing any identified gaps specific to their systems.
Pipeline companies volunteering for these architecture assessments help bolster the strong partnerships necessary for building a culture of resiliency for securing the Nation’s pipelines.
Analyzing Assessment Findings
With the threat environment changing as quickly as ideas spread or technology evolves, no single entity in government or industry has the whole threat picture. To build a comprehensive view of the pipeline cybersecurity posture, CISA collects and aggregates information from cybersecurity assessments and classified intelligence, and actively engages with industry to identify cost-effective security measures that achieve the desired level of security.
CISA also partners with the National Laboratories and the Department of Energy (DOE), through the National Infrastructure Simulation and Analysis Center (NISAC), to identify threats to pipeline systems and understand the criticality of system components. Through this partnership, several activities are being conducted, including:
- Analyzing pipeline OT infrastructure to identify vulnerabilities with the highest risk,
- Determining the cascading impacts of a successful attack within and across sectors,
- Engineering solutions to reduce the likelihood of a successful attack, and
- Developing a roadmap for improving pipeline cyber resilience.
This multi-faceted approach will drive improvements to the security of those critical systems that, if adversely affected, would impact services used or supported by the National Critical Functions (NCFs).
Assessments and engagements so far have already illuminated a number of consistent risk management takeaways that can be broadly applied for effective pipeline cybersecurity risk management. These include concepts like boundary protection and network segmentation and are shown in more detail in materials outlined in the PCI Resources section below.
Engaging with Partners and Stakeholders
Pipeline operations rely on and impact many critical infrastructure sectors including energy, water and wastewater systems, chemical, and transportation systems. The manipulation of a pipeline system may result in consequences within a sector as well as across other, dependent sectors. For example, the cyber sabotage of OT in a vital natural gas compressor station could result in downstream impacts to residential and industrial distribution, a halt in upstream extraction and processing operations, and the interruption of fuel supplies needed for electrical generation.
The Agency’s approach for risk management relies on effective collaboration to ensure a unity of effort toward improving pipeline cybersecurity. The Agency is working with Sector-Specific Agencies (SSAs) to coordinate information sharing, awareness, and risk-reduction activities to ensure a unified effort to secure all aspects of pipeline infrastructure. Additionally, the Agency is engaging with private industry through partnerships such as the one with the ONG Subsector Coordinating Council (SCC)—made up of pipeline owners, operators, and other key stakeholders—to ensure that its activities are informed not only through internal analysis and priority setting, but also through stakeholders’ self-identified needs.
The goal of this collaborative engagement is to ensure that industry and government activities are coordinated, stakeholders have access to timely information, and work is conducted efficiently.
PCI Resources
- Pipeline Cybersecurity Initiative (PCI) Fact Sheet
- Pipeline Cyber Risk Mitigation Infographic
- Pipeline Cybersecurity Resources Library
- TSA Pipeline Security Guidelines
For questions or comments about the PCI, email NRMC@hq.dhs.gov.