Securing the Nation’s pipeline ecosystem from cybersecurity threats depends on a unified effort. CISA’s National Risk Management Center (NRMC) has compiled this library to provide pipeline facilities, companies, and stakeholders with a set of free, voluntary resources to strengthen their cybersecurity posture.
While these resources are available to stakeholders in every critical infrastructure sector, this library is especially useful for:
- Oil and Natural Gas (ONG) Energy Subsector
- Water and Wastewater Sector
- Chemical Sector
- Other sectors/industries that provide support for or rely on pipeline systems
The resources below are primarily focused on improving foundational risk management practices. CISA will update and grow this library as new resources are identified, so visitors should check back regularly.
May 27, 2021: The Department of Homeland Security’s Transportation Security Administration (TSA) announced a Security Directive that will enable DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector. The Security Directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA and to designate a Cybersecurity Coordinator to be available 24/7.
- Read the statement: DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators
Assessments, Tools, and Services
- CISA’s Advanced Malware Analysis Center provides 24/7 dynamic analysis of malicious code. Stakeholders can submit samples online and receive a technical document outlining analysis results. Experts provide detailed recommendations for malware removal and recovery activities. This service can be performed in conjunction with incident response services if required. To learn more, visit CISA’s Detection and Prevention. To submit malware for analysis, visit www.malware.us-cert.gov.
- CISA offers several scanning and testing services (i.e., testing susceptibility to phishing attacks and testing perimeter defense) to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. Services include: Vulnerability Scanning, Phishing Campaign Assessments, Remote Penetration Testing, and Web Application Scanning.
- When a significant cyber incident occurs, CISA provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response in close coordination with other federal agencies, the private sector, and other stakeholders to ensure greater unity of effort and a whole-of-nation response.
- A no-cost, voluntary, non-technical assessment that evaluates an organization’s cybersecurity practices and operational resilience. The Department of Homeland Security (DHS) partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR. This assessment is available as a self-assessment or a CISA-facilitated assessment.
- To learn more, download the CRR Fact Sheet.
- A consolidated location for various cyber assessments that help agencies make data-informed risk decisions to better protect their networks, including the:
- Cyber Infrastructure Survey: A survey that evaluates the effectiveness of the overall resilience of an organization’s cybersecurity ecosystem. The survey provides an effective assessment of critical cybersecurity controls, an interactive dashboard to support planning and resource allocation, and visually depicted peer performance data.
- Cyber Security Evaluation Tool (CSET®): A stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating operational and information technology. The evaluation provides reports that present the assessment results in both a summarized and detailed manner. The organization will be able to manipulate and filter content in order to analyze findings with varying degrees of granularity.
- Risk and Vulnerability Assessment (RVA): RVA combines national threat information with data collected and vulnerabilities identified through on-site assessment activities. RVA provides a tailored risk analysis report that includes business executive recommendations, specific findings and potential mitigations, as well as technical attack path details. An optional debrief presentation summarizing preliminary findings and observations is also available.
- C2M2 is a voluntary tool to help organizations measure the maturity of their cybersecurity capabilities in a consistent manner that focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operational technology (OT) assets and the environments in which they operate. The model can be used to:
- Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
- Share cybersecurity knowledge, best practices, and relevant references across organizations
- Help organizations prioritize actions and investments to improve cybersecurity capabilities
- The C2M2 is designed for use with a self-evaluation methodology and toolkit (available by request). While a self-evaluation using the toolkit can be completed in one day, the toolkit could be adapted for a more rigorous evaluation effort and/or used to guide the development of a new cybersecurity program.
- Idaho National Laboratory’s Malcolm is a powerful and easily deployable network traffic analysis tool suite (for full packet capture artifacts (PCAP files) and Zeek logs) designed with the following goals in mind:
- Easy to use
- Powerful traffic analysis
- Streamlined deployment
- Secure communications
- Permissive license
- Expanding control systems visibility
- CISA’s CTEP assists critical infrastructure owners and operators in developing their own tabletop exercises to meet the specific needs of their facilities and stakeholders. Users leverage pre-built exercise templates and vetted scenarios to build tabletop exercises to assess, develop, and update information sharing processes, emergency plans, programs, policies, and procedures.
- CISA’s COVID-19 CTEP assists private sector stakeholders and critical infrastructure owners and operators in assessing short-term, intermediate, and long-term recovery and business continuity plans related to the pandemic. Approved by the White House Task Force, and with input from the Federal interagency, this COVID-19 CTEP also provides organizations the opportunity to discuss how ongoing recovery efforts would be impacted by concurrent response operations to a potential “second wave” of global pandemic infections.
- Training is essential to preparing the cybersecurity workforce of tomorrow, and for keeping current cybersecurity workers up-to-date on skills and evolving threats. CISA is committed to providing cybersecurity training, workforce development, and exercises (which range from full-scale to internationally scoped and operations-based) to develop a more resilient and capable cyber nation.
- CISA’s free AIS capability enables the bidirectional sharing of cyber threat indicators between the Federal government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email. Ultimately, the goal is to commoditize cyber threat indicators to enable everyone to be better protected against cyber attacks.
- HSIN is the Department of Homeland Security's official system for trusted sharing of Sensitive But Unclassified information between federal, state, local, territorial, tribal, international and private sector partners. The Critical Infrastructure community on HSIN (HSIN-CI) is the primary system through which DHS, private sector owners and operators, and other government agencies collaborate to protect the nation’s critical infrastructure. HSIN-CI provides real-time collaboration tools including a virtual meeting space, document sharing, alerts, and instant messaging at no charge.
- Through HSIN-CI, you can:
- Receive, submit, and discuss timely, actionable, and accurate information.
- Maintain a direct, trusted channel with DHS and other vetted sector stakeholders.
- Communicate information pertaining to threats, vulnerabilities, security, and response and recovery activities affecting sector and cross-sector operations.
- CISA provides secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities. Types of activity that may qualify as an incident include but are not limited to:
- Attempts to gain unauthorized access to a system or its data,
- Unwanted disruption or denial of service, or
- Abuse or misuse of a system or data in violation of policy.
Risk Awareness and Reduction Information
- CISA products (i.e., fact sheets, guidance, infographics, reports, etc.) organized in 22 categories with 700+ entries.
- A guide on protecting networks from ransomware that can be used to develop or update a city’s standard operating procedures for combatting ransomware attacks.
- The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.
- CISA’s Cyber Essentials Toolkit is a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential. Each chapter focuses on recommended actions to build cyber readiness into the six interrelated aspects of an organizational culture of cyber readiness.
- CISA developed this resource in an ongoing effort to reduce risks within and across all critical infrastructure sectors and to share common ICS-related security mitigation recommendations. This page provides abstracts for existing recommended practices, such as Defense in Depth strategies, and links to the source documents.
- CISA’s programs develop partnerships and share substantive information with the private sector. Since the private sector owns and operates the majority of the nation’s critical infrastructure, CISA shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries.
- CISA offers no-cost, subscription-based information products to stakeholders through the us-cert.gov and ics-cert.gov websites. CISA designed these products—part of the NCAS—to improve situational awareness among technical and non-technical audiences by providing timely information about cybersecurity threats and general security topics.
- CISA and the Transportation Security Administration (TSA) developed this infographic to outline activities that pipeline operators can undertake to improve the cybersecurity of their information technology (IT) and operational technology (OT) systems, and mitigate their exposure to some common risks.
- A technical guidance document to inform Chief Information Officers and Chief Information Security Officers at critical infrastructure entities and organizations about industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents.
- A national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. The Campaign provides free resources available to everyone that are tailored to multiple demographics, including small businesses, students, educators and parents, and many others.
Standards and Guidance
- This framework is voluntary guidance, based on existing standards, guidelines, and practices, to help critical infrastructure owners and operators reduce cybersecurity risk by providing a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help identify, assess, and manage cyber risks.
- This National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) publication provides a catalog of security and privacy controls for organizations to protect operations and assets, individuals, and information systems from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible, customizable, and implemented as part of an organization-wide process to manage risk. The consolidated control catalog addresses security and privacy from a functionality and assurance perspective to ensure that IT products and the systems that rely on those products are sufficiently trustworthy.
- This NIST ITL publication provides guidance on how to secure ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate associated risks.
- In collaboration with industry and government, TSA developed these voluntary guidelines for pipeline industry partners to increase their security awareness for operational natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, liquefied natural gas facility operators, and operational pipeline systems that transport materials categorized as toxic inhalation hazards (TIH).
- This interactive training explains what phishing is and provides examples of the different types of phishing to include spear phishing (which targets specific groups or individuals), whaling (which targets senior officials), and other phishing tactics such as deceptive e-mails and websites and browser "tab nabbing".
- CISA offers various training courses at no tuition cost via the CISA Virtual Learning Portal (VLP). Web-based courses range from 1-1.5 hours. Instructor training ranges from one to five days, and a Certificate of Completion will be provided at the conclusion of the course, with some providing Continuing Education Units (CEUs) upon completion. Topics include: Cybersecurity for Industrial Control Systems (ICS), Cybersecurity within IT & ICS Domains, Attack Methodologies in IT & ICS, and more.
- Federal Virtual Training Environment (FedVTE) is an online and on-demand cybersecurity training system. Courses range from beginner to advanced levels to strengthen or build expertise and cybersecurity skillsets at your own pace and schedule.
- A Regional Director leads a cadre of security professionals located throughout the ten CISA regions. Strategically located regional personnel manage mission execution through steady state and incident operations, critical infrastructure analysis, and strategic outreach to critical infrastructure partners.
- Protective Security Advisors (PSAs), located throughout the ten CISA regions, and Cybersecurity Advisors (CSAs) advise and assist state, local, and private sector officials and critical infrastructure facility owners (through site visits, vulnerability assessments, and trainings) on how to enhance their infrastructure and cybersecurity. Visit each of their pages to learn more about their services. The Cyber Resilience Review (CRR) and Remote Penetration Testing (RPT) (listed under Cyber Hygiene Services) are just two of the services they can provide.
The PCII program protects the critical infrastructure information voluntarily shared with the government and establishes uniform procedures on the receipt, validation, handling, storage, marking, and use of that critical infrastructure information. The protections offered by the PCII Program enhance the voluntary sharing of critical infrastructure information between infrastructure owners and operators and the government.