Security

INGAA Members drive vendor accountability in critical infrastructure security

INGAA members are leaders in the safe, secure, reliable transportation of natural gas throughout the nation, and our members’ primary purpose is to keep energy moving. INGAA operators utilize technologies and deploy software throughout their organizations to facilitate the flow of gas, monitor pressure, detect leaks, and secure their networks. These systems are high-value targets for attacks, and operators routinely defend against intrusions by sophisticated adversaries.

To ensure that these software, hardware, and technology components operate efficiently, effectively, and – most importantly – securely, INGAA members implement a “defense-in-depth” approach to managing security. Defense-in-depth is a risk-based strategy that protects the entire enterprise from various threats and includes robust security controls, such as measures for securing and defending edge devices, network segmentation, access control measures, patch management procedures, and continuous monitoring and detection programs.

However, security can’t simply rest in the hands of the operators; it must be a shared responsibility between operators, vendors and suppliers, and the federal government. High-profile software compromises, including from vulnerabilities in products that help organizations manage security and system access, are becoming alarmingly frequent, and recent reporting from the Office of the Director of National Intelligence (ODNI) underscores that nation-state adversaries have a keen interest in gaining access to and, in some cases, manipulating industrial control systems (ICS) across U.S. critical infrastructure.

A combination of operator-led risk-based controls, efficient exchange of threat intelligence, and securely built devices is critical to ensuring security efforts remain meaningful and our nation’s infrastructure is protected from attacks. In fact, the Biden Administration’s National Cybersecurity Strategy calls for this very approach.

Smartly constructed, nimble regulatory frameworks for cybersecurity, tailored for each sector’s risk profile, can improve the consistency of cybersecurity outcomes, and enhanced sharing of threat intelligence between the private sector and federal government improves collaborative efforts to dismantle our adversaries. Importantly, shifting responsibility onto those who fail to take reasonable precautions to secure their software, hardware, and other technology from the outset, so that end-users aren’t left to bear the consequences, will drive the market to produce more secure products for critical infrastructure operators.

To that end, the Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Energy (DOE) are paving a clear path for operators, vendors, and the federal government to work together to secure our nation’s critical energy infrastructure. CISA’s efforts to develop a threat awareness ecosystem between Secure by Design and the Joint Cyber Defense Collaborative (JCDC) demonstrate that broad private-public partnerships can reduce critical infrastructure cybersecurity risks, including to pipeline systems. The prioritization of threat-informed product development practices from the outset, which is at the core of Secure by Design, is of tremendous value to critical infrastructure operators. “Insecure software makes it easy for nation-state adversaries and criminals alike to compromise our critical infrastructure and put Americans at unacceptable risk. The good news is that we can do something about it now that will benefit generations to come,” said CISA Cybersecurity Executive Assistant Director Jeff Greene. “The energy sector has a long history of leading the way on early adoption of security practices and this is just another example of that leadership. CISA applauds the companies that have taken action and signed the Secure by Design pledge, publicly committing to take actions that will raise our global cybersecurity posture.”

Learn more: WHAT IS SECURE BY DESIGN?

Similarly, DOE’s Supply Chain Cybersecurity Principles align best practices and identify opportunities for the industrial control system vendor community to strengthen the manufacturing supply chain of key technologies that manage and operate our pipeline systems. These Principles are a foundational step toward securing critical forms of equipment and technology before they can be exploited. “The Department of Energy applauds the global manufacturers serving the U.S. energy sector who have endorsed the Supply Chain Cybersecurity Principles. These Principles represent a commitment by the vendor community to take accountability for reducing cybersecurity risk across the sector by driving and advancing cybersecurity for industrial control system security,” said DOE Cybersecurity, Energy Security, and Emergency Response Director Puesh M. Kumar. Notably, DOE’s model of vendor-to-operator engagement throughout the lifecycle of the product is essential for operator risk management.

Learn more: WHAT ARE SUPPLY CHAIN CYBERSECURITY PRINCIPLES?

Owners and operators have an opportunity to add another layer of defense and efficacy by leveraging vendors who follow Secure by Design and Supply Chain Cybersecurity Principles in their supply and procurement processes, and we believe the concepts should become a powerful demand-side program. As Paul Ruppert, President of Berkshire Hathaway Energy Gas Transmission & Storage (GT&S) and current INGAA Chair, put it: “Our industry fully supports Secure By Design and the Supply Chain Cybersecurity Principles. We are committed to defending against adversarial cyber actors, and part of that process is ensuring that the products deployed in our pipeline networks are built with security in mind from the design phase through the product’s lifecycle. We strongly encourage software, hardware, and other technology vendors to sign onto these respective pledges to help secure our nation’s energy infrastructure.”

To that end, and in our continued commitment to the security of our assets, the INGAA Board of Directors approved a letter (below) endorsing the CISA and DOE concepts, applauding those organizations that have already taken the commitments to engineer their products securely each step of the way, and encouraging all technology and equipment providers – particularly those with a strong market share in critical infrastructure operations – to pledge and certify that their products are secure throughout the entire systems’ engineering lifecycle.

INGAA members believe that by leveraging our collective voice, more vendors will voluntarily hold themselves accountable to employ smart security practices, including engaging directly with their customers when security concerns or vulnerabilities arise. “We greatly appreciate organizations like INGAA, whose members provide critical energy services throughout the nation, for their partnership in raising awareness to industry’s demand for strong cybersecurity protections across the supply chain,” stated Director Kumar. By raising the bar for the vendor community, we are demonstrating that supply chain security is a top priority for the natural gas pipeline industry.