Where to Start to Improve Pipeline Security and Fortify OT Networks

Last year, there were 21 global ransomware attacks on the oil and gas industry. This makes oil and gas one of the top 5 industries most impacted by ransomware. The U.S. Government Accountability Office also released a report announcing that offshore oil and gas infrastructure is up against significant cybersecurity risks.

When most people hear “cyberattack,” they think about threats to IT networks, but OT network vulnerability can cause just as much—if not more—damage. After all, OT networks and devices are responsible for producing or delivering the goods and services people depend on.

With 2.6 million miles of pipelines transporting natural gas, oil and other hazardous materials across the country, cyber threats can impact oil and gas companies of all sizes.

While big companies can be attractive to bad actors because they can inflict more potential damage across wider areas, small oil and gas companies are vulnerable simply because they often lack the resources and staff to stay on top of threats. If they’re in growth mode, or part of acquisitions and mergers, they may also be more vulnerable due to disparate assets and systems that aren’t easily integrated or managed.

Helpful pipeline security advice for oil and gas companies

As threats continue to rise, more resources are being made available to help pipeline owners and operators navigate this changing landscape.

One example: the Pipeline Security Guidelines, created by the Transportation Security Administration (TSA). The agency is responsible for securing U.S. transportation systems, which includes oil and natural gas pipelines.

The living guidelines were originally created in 2018, but significant updates were made after the 2021 attack on Colonial Pipeline. Although this particular attack was on the pipeline’s IT system, TSA issued new pipeline security directives shortly after to encourage owners and operators to fortify OT infrastructure as well. These directives included:

• Policies and controls for IT and OT network segmentation to ensure that OT networks and systems can continue to operate if the IT network is under attack—and vice versa.
  
  
• Access control to prevent unauthorized access to critical systems.
  
  
• Monitoring and detection policies and procedures to check for and address threats that may affect operations.
  
  
• Applying OT security patches and updates in a timely manner.

This year, TSA made more additions to the Pipeline Security Guidelines. These recommendations encourage owners and operators to complete the following tasks each year:

• Submit a Cybersecurity Assessment Plan to TSA for approval.
• Report the previous year’s assessment results, along with a schedule that outlines when specific cybersecurity measures will be assessed and audited to adhere to TSA’s requirement that they be evaluated every three years.
• Test at least two Cybersecurity Incident Response Plan (CIRP) objectives and include relevant stakeholders (as identified in the CIRP) in these tests.

While participation in these guidelines is voluntary, they serve as an excellent starting point for risk assessment, access control, pipeline security, emergency response planning and even employee training.

Security recommendations beyond oil and gas

TSA isn’t the only agency taking steps to improve cybersecurity efforts. The U.S. Environmental Protection Agency (EPA) created the Cybersecurity Resources for Drinking Water and Wastewater Systems guidelines, which provide basic cyber hygiene practices for owners and operators in areas like:

• Assessments
• Funding
• Response planning
• Training and education

The EPA continues to stress the need for U.S. states to assess cybersecurity risk within public water systems after a recent survey revealed that many of these systems still lack basic cybersecurity best practices, which places them at higher risk of attack.

We anticipate that these recommendations and guidelines will eventually trickle down from oil and gas companies to influence other areas of process manufacturing as well, such as chemical and mining.

Belden’s cybersecurity expertise supports oil & gas operations

Whether your business is the size of Exxon Mobil or a small oil and gas company that relies solely on integrators or other outside parties, Belden and its partner network has resources to help you fortify your infrastructure.

From assessing pipeline security baselines to creating roadmaps to address your network and security challenges, we can help each step of the way. Because Belden is vendor agnostic and follows and participates in organizations that drive OT standards, you’re never locked in to one automation vendor or forced to use proprietary protocols.

Belden also understands the vital role that both IT and OT play in operations, helping you shrink the convergence learning curve so both groups can experience better monitoring, control, analytics and efficiency.

Our team of specialists and advisors knows how to design, connect and protect oil and gas networks, offering the industry’s most complete suite of end-to-end networking solutions available. When you work with our Customer Innovation Center, you get to co-innovate with our experts to develop, test, document and deploy vendor-agnostic solutions to make your efficiency, security and innovation goals attainable. Along the way, you also get to see how the solutions we design will work in your environment before they go live.

Learn more about how we help process manufacturers accelerate digitization.

Related links:

• Future-Proofing Oil and Gas Networks: Four Things to Look For
• Getting Started with Industrial Cybersecurity: How to Take the First Few Steps
• OT Cybersecurity in Three Steps