In this month’s edition of the Pipeline Technology Podcast, sponsored by Pipeline & Gas Journal, ICS security expert Marco Ayala joins host Russel Treat to discuss the recent cybersecurity directive issued to oil and gas pipeline operators.
In this episode, you will learn about the key lessons from the high-profile Colonial cybersecurity incident, the two cybersecurity directives issued in the aftermath of Colonial, what’s contained in the newly-revised API 1164 standard for pipeline cybersecurity, the future of pipeline cybersecurity, why all pipeline operators need to start thinking about cybersecurity (not just large, critical operators), and more important security topics.
Pipeline Cybersecurity: Show Notes, Links, and Insider Terms
- Marco Ayala is the Director, Industrial Controls Systems (ICS) Security with 1898 & Co., Burns & McDonnell. Connect with Marco on LinkedIn.
- Pipeline & Gas Journal is the essential resource for technology, industry information, and analytical trends in the midstream oil and gas industry. For more information on how to become a subscriber, visit pgjonline.com/subscribe.
- 1898 & Co. was launched by Burns & McDonnell to help companies future-proof their portfolio and turn data into action across the entire asset life cycle through business, technology, and security consulting.
- Read Marco’s article: “Cybersecurity Directive for Oil and Gas Pipelines Targets Vulnerabilities.”
- Colonial Pipeline Cybersecurity Incident: In May 2021, a cyber attack was launched against Colonial Pipeline that eventually resulted in the payment of $4.4 million to resolve the attack. The attackers gained access to Colonial’s systems and data through an unmonitored VPN by stealing a single password.
- Listen to Pipeline Technology Podcast #11 for Niyo “Little Thunder” Pearson discussing why the Colonial attack raises alarms for midstream companies.
- TSA (Transportation Security Administration) is an agency of the U.S. Department of Homeland Security that has authority over the security of the U.S. traveling public.
- Pipeline Security Directive #1, issued on May 27, 2021, enables the Department to better identify, protect against, and respond to threats to critical companies in the pipeline sector.
- Pipeline Security Directive #2, issued on July 20, 2021, requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.
- Edge Communications is a method of building out the architecture for structured communication from edge devices in the field to a host server, using whatever connectivity is available to transmit the data.
- Modbus is an older protocol that enables communication among many devices connected to the same network. The drawback is delays in the communication, oftentimes creating timestamp discrepancies.
- PLCs (Programmable Logic Controllers) are programmable devices placed in the field that take action when certain conditions are met in a pipeline program.
- DCS (Distributed Control Systems) are typically installed at facilities and are distinct from the SCADA system, which monitors and controls a geographically dispersed system such as a pipeline.
- SCADA (Supervisory Control and Data Acquisition) is a system of software and technology that allows pipeliners to control processes locally or at remote locations. SCADA breaks down into two key functions: supervisory control and data acquisition. It includes managing the field, communication, and control room technology components that send and receive valuable data, allowing users to respond to that data.
- HMI (Human Machine Interface) is the user interface that connects an operator to the controller in pipeline operations. High-performance HMI is the next level of taking available data and presenting it as information that is helpful to the controller to understand the present and future activity in the pipeline.
- VSAT (Very Small Aperture Terminal) is used to transmit and receive data over a satellite communication network.
- LTE (Long-Term Evolution) is the cellular wireless technology bridging today’s 3G to 4G to 5G.
- 2G was a second-generation cellular network that was designed to bring voice as an HD signal.
- 3G was the third generation of wireless mobile telecommunications technology.
- 4G was the fourth generation of broadband cellular network technology, succeeding 3G.
- 5G is an advanced wireless technology that began wide deployment in 2019.
- MFA (Multifactor Authentication) is a security method that requires multiple forms of authentication to ensure that the proper person is obtaining the proper access. For example, a username and password combined with a text message code or another form of identification.
- IT/OT convergence is the integration of IT (Information Technology) systems with OT systems used to monitor events, processes, and devices and make adjustments in enterprise and industrial operations.
- API (American Petroleum Institute): Since its formation in 1919 as a standards-setting organization, API has developed more than 700 standards to enhance industry operations. Today, it is the global leader in convening subject matter experts to establish, maintain, and distribute consensus standards for the oil and natural gas industry.
- API 1164 (Pipeline Control Systems Cybersecurity) 3rd Edition was released in April 2021. The new version of the RP provides a comprehensive approach to cyber defense for critical infrastructure.
- AFPM (American Fuel & Petrochemical Manufacturers) is a leading trade association representing the makers of the fuels that keep Americans moving and the petrochemicals that are the essential building blocks for modern life.
Pipeline Cybersecurity: Full Episode Transcript
Announcer: The Pipeline Technology Podcast, brought to you by Pipeline & Gas Journal, the decision-making resource for pipeline and midstream professionals. Now your host, Russel Treat.
Russel Treat: Welcome to the Pipeline Technology Podcast, episode 20. This month, we are going to do a replay, by popular demand. We are going to replay episode 13, with Marco Ayala, with 1898 & Co., where we discuss the TSA cybersecurity directive for oil and gas, and how that is targeting pipeline vulnerabilities.
Marco, welcome to the Pipeline Technology Podcast.
Marco Ayala: Hey. Thanks for having me.
Russel: Marco, this is your first time on. Why don’t you tell us a little bit about your background and how you got into pipeline cybersecurity.
Marco: I come from a long line of pipeliners, chemical plant and refinery workers, so I tell you that I got into pipelining from the automation side of the house. I’m an automation professional with a little over 25 years of experience.
I actually started in the chemical industry, moved over into more of the oil and gas, upstream and midstream, and then got into the offshore and maritime side of the house, from MTSA to TSA. I actually started out in the automation field.
Security came to me in the early 2000s, post-Y2K, and I think we all remember Y2K pretty vividly for those that had to live through it. For some of the younger bucks that may not have known what that was like, it was interesting, to say the least.
Right after that is where we started to realize that we were connecting our control systems up to process historians and were getting links into the enterprise. That’s really where we started to see where there could be possibilities or avenues for security issues at the factory floor.
I got into pipelines, worked for some pipeline companies as a third-party contractor for rolling out automation here in the U.S., and also started to walk down security assessments and risk workshops for some of the clients. That’s how I got into it. Thanks for having me on.
Russel: You certainly got into cybersecurity before cybersecurity was cool.
Marco: I was what they call an early adopter.
Russel: Yeah, no doubt. I think a good way to tee this conversation up is to talk about where we’ve come from, because I trod through the same mud as you. I grew up as a measurement guy. I started in doing back-office measurement accounting, and then moved from there to the field, and then to automation and so forth.
We’ve certainly trod through some of the same mud. I can certainly remember conversations about, “Well, you can’t hack this, because it’s Modbus, and Modbus is secure. You can’t hack this, because it’s wireless radio, and how are you going to hack a wireless radio?”
At this point, there’s plenty of people that not only have demonstrated that you can hack that, but if you know where to go on the dark web, you could download stuff and execute those hacks in half an hour.
Marco: We’re still talking to folks out there, “Why would we be a target? Who would want to target us? Why would anybody want to impact our operations? We’re just a small corporation or a small pipeline booster station or compressor station down the road.”
There’s still a lot of that same mentality out there across industries, across sectors. Yeah, we’ve come a long way. I could tell you, we’ve really moved the needle the last seven years by going towards enterprise SCADA and doing a lot of other things. 20 years ago, 25 years ago, we were honestly still in proprietary networks. Once we hit Y2K or right before that, we started getting into more Windows-based systems. We had dumb hubs, which then got into smart hubs, which then got into smart switches.
We just kept moving the needle, and we went the path from Windows NT, XP, Vista, for those that remember Vista, in the control rooms, but all the way up into where we’re at today. I can tell you that it’s connectivity, the power of computing, and the mobile worker. The mobile workforce of today has also increased that connectivity, which is again very helpful for getting data analytics, understanding your operations. I could tell you, those are great things, and the optimization is real.
Getting as near to real-time data analytics for, for example, vibration analysis or any kind of measurement diagnostics coming out of your asset management system, it’s good that we have that. The flipside to that, the double-edged sword, is can an actor, a cyber actor, internal or external, be able to use those same means and measures of connectivity to pivot down to those systems and manipulate or cause havoc? That’s the real issue, the real problem.
Russel: I think you make a really good point, Marco, because the reality is that we’ve been driven in the last 20 years to improve connectivity, to improve the ability to get data, get more data, get data more frequently.
The nature of the field worker, when I started in the business, a lot of the controls and things were still pneumatic. Nowadays, all of that control is digital. The nature of the field work has become less mechanical and more digital.
Marco: That’s right.
Russel: All of that drives the need for me to just be able to drive up, turn on my laptop, and start doing whatever I need to do at the field site. That capability creates a vehicle or a vector for bad actors, potentially.
Marco: That’s right.
Russel: That’s the thing we’ve missed. In our business, I think, we’ve been operating in this assumption that, well, they can’t get to it at the edge. The reality is the Internet’s at the edge, and if the Internet’s at the edge, they can get to it at the edge.
Marco: That’s just it, to be straight with you, is that a public network was never really designed to run critical infrastructure, whether that’s power distribution, power stations, refineries. Traversing that public network, even encrypted, you’re still traversing a public network wherever you’re at in the world.
Those are the things that we’ve done over many, many years, is added more things that have either direct connectivity or indirect connectivity. Some of the things that we’ve seen in the industry have been indirect consequences of compromise that still have impact from an operational standpoint.
We went from the days of having fax ticket orders come across from fax machine to fax machine to where people don’t have fax machines anymore. We went into this full digitalized system to where we need to know how much product to put in the pipe, we need to know what the actual product is, the formulas.
All these things are now coming from the enterprise systems, the ERP systems and the MEAS systems, that allow this ticketing to come in. We’re so intertwined and interconnected. Plus, we went a step further from an automation standpoint.
We took historically what was separate safety-critical systems, safety systems, or ESD systems, and we’ve added technology to them to be able to manage projects, manage programs from the same engineering environment of that of the basic process controls.
Whether it’s PLCs or a Distributed Control System, you also have the same window in, the same platform into your safety instrumented systems. That also, again, a lot of optimization, being able to streamline backups. We get that.
The convenience of being able to do it helps optimize the operations, but at the same time, can also be used as a pivot down into our most critical systems. That is something that we need as an industry, whether you’re pipeline sector, whether you’re maritime industry.
You need to make sure that you’re rolling out proper segmented networks and doing what you can from a security standpoint.
Russel: No doubt, no doubt. Certainly, and this is really what I brought you on to talk about, but certainly the Colonial incident…I think what a lot of people don’t realize about the Colonial incident is that the Colonial incident is not really that unique.
I’m certainly aware, and I know you’re aware, of a number of incidents where elements of energy infrastructure have been shut down for days or weeks as a result of cyber intrusions. I think the thing that was unique about Colonial is the nature of the economic impact by taking those systems offline.
We immediately started having runs on gas stations and all that kind of stuff in the Northeast where Colonial delivers fuels. Consequently, pipelines got national attention because of a cyber incident. That national attention, the public attention, that’s the part that’s new or unique, versus what I have seen historically.
That obviously caused Congress and the Executive Branch to get active, if you will, about taking action. I think most pipeline operators know that the TSA put out some recommendations. Maybe we ought to talk a little bit about what’s the nature of the security directives that have come out of TSA? Start with the first one.
Marco: The first one was just a real generalization of, “Hey, these are the things to come. These are the things we’re looking at from not just your IT infrastructure and your enterprise systems, but also from your operational technology side,” which includes your SCADA systems, your PLCs, your human-machine interfaces (HMIs) out in the field. Heck, even your remote IO, a lot of this is carrier-based. You may have cell modems. You may have a lot of different things out there across the pipe.
What’s different with pipeline, as we know, is compared to a refinery or a chemical plant, is that within those plants, you’ve got four walls. You have many units. You’ve got many systems. You’ve got different levels of security, but within different parts of the plant. Within the pipeline, though, you’re really spread out geographically.
Russel: Generally, you have to make much bigger use of the public network than you do in a plant. In a plant, you can isolate the entire plant from the public network. You can’t really do that in a pipeline world.
Marco: Back in the day, they were peer to peer, point to point, whether they were microwave or radio points. Now that we’ve gotten rid of dial-up modems, and some of the locations have VSAT. Some of them have still some dial-up, but we’ve moved away from that as an industry the last 10 years, because the cellular modems have gotten so much faster and better.
We went from 2G all the way up to 4G LTE, and now even 5G. Some of these locations where these compressor stations are at and skids may have that type of technology. You’re right. Those are traversing public infrastructure. I’ve done a lot of walk downs — some companies do provision private networks, private cellular bands for that. There’s different avenues into it. Going back to the security directive, when it comes down to securing the systems, this has been something we’ve been dealing with for decades now. Just making sure the right people have access to systems.
Security Directive 1, which is open-source, by the way, was the set-up for the Security Directive Number 2. Security Directive 1 really talked about the actions required. It talked about actually designating a cybersecurity coordinator, and making sure that coordinator is a citizen of the U.S. as the primary contact, and is accessible 24/7/365 by TSA or CSA, and basically is responsible for all the coordination of cybersecurity. Now, I can tell you that that, when it came out, some of the companies, the asset or the pipeline companies, were like, “Well, we have cybersecurity folks, but we don’t necessarily have cybersecurity coordinators.”
A lot of companies have actually gone out and hired or put positions out for the cybersecurity coordinator position. I could tell you that we’re still seeing people putting out stuff like that. Some of the other things, too, is making sure that you’re trying to track any authorized access into these systems. Within that first directive, again, it was really just going out and talking about vulnerability assessments, procedures, and it gave a list of definitions.
Russel: I would characterize that first SD as an administrative action, right?
Marco: Yeah, exactly.
Russel: Put somebody in charge. Let us know who we need to talk to and who needs to talk to us.
Marco: Laying the groundwork, as we say.
Russel: Tell us what you think the nature of your threat environment is. That’s what I think that that first security directive was. I think what most people scrambled about is how are we going to do this 24/7 single point of contact thing? Which tended to get a lot of the control centers involved, because that’s where 24/7 contact tends to come from, anyways.
Marco: No, you’re right with that. I think it was laying the groundwork as to what was to come, but making sure the pipeline operators understand that they need to identify someone within the organization that would be that, I like to say, one throat to choke that’s responsible for that sector.
Russel: Here’s the next question, and this is kind of a trick question. What’s in Security Directive Number 2?
Marco: Well, great question. Security Directive Number 2 is protected. It’s considered SSI, which is sensitive and secure information. That falls under 49 CFR, part 15 and 1520. I can’t get into the specifics of it, but from a generality standpoint, many of the things that are in here that are especially targeted towards cybersecurity are not new to industry or by any sector.
If you look at other industries, like power, utilities, they’ve got NERC CIP. You look at industries that have been following standards such as NIST 800.82, 800.53, and even the ISA/IEC 62443 set of standards, many of these are already captured.
What is actually publicly known now, at least from SD2, without getting into the weeds, is that it has information in there that talks specifically on securing your assets. It talks in detail about technology in regards to what should be rolled out.
Again, these are things that are common amongst systems that are already in use in certain industries. If we look at password protection, password complexity, separation of duties…
Russel: Two-factor authentication.
Marco: Yeah, multi-factor authentication, some type of zero trust type fabric. Think about it. It’s just really trying to minimize who is in and monitoring who is in. Also, the other part of that is just are you even monitoring your network? Do you even know what’s on your network?
Russel: [laughs] I laughed at that comment. It’s only because I have a little knowledge about what the reality on the ground is.
Marco: That’s right.
Russel: I think particularly the larger operators are monitoring their networks, but the part that gets a little bit funny is do you even know what’s on your network? I think that’s one of the real challenges, because the pressure in the field to operate is, “Look, get that thing on the system. Let’s go.”
Marco: Yeah, let’s get it.
Russel: Right? The easiest thing to do is buy a cell modem, hang it, turn it on, get it connected, and leave it, which basically, immediately, the moment you did that, it’s wide open to the Internet, you don’t have to have something like that up very long, and people identify it and start checking it out.
Marco: Yeah. Well, I always like to say safety’s number one. Production and product movement is number 1.1. It falls right after safety, because you’ve got to get things going. That is a problem. The other part of it, too, especially with the pipeline industry, is you’ve got field technicians that need to do their job. They’re going to have configurations on their engineering or their technician laptops to field service the devices. Well, heck, you came from the flow computing.
Russel: Oh, yeah, and that is such a big deal, because these guys are generally disconnected from the network, so when they go out to the field to work, if there’s anything that happens with their laptop, then they’re stuck.
Marco: That’s it.
Russel: Some of these sites, they’ve got to drive, if they’re just going straight from the house or straight from the shop out to these sites. Some of these sites are a 2-4-hour drive.
Marco: That’s right.
Russel: You can drive all the way out to a site, and if your laptop doesn’t do what you need it to do, and you can’t get back to IT to get support to get it fixed, well, you just lost a day and didn’t get any work done, because your laptop didn’t work. That’s the cold, cruel reality on the ground.
Marco: Security is great, but if you start locking things down to the point to where you can’t even maintain it effectively and timely, then that’s going to cause further impacts. The most secure control system I’ve ever seen is the one that doesn’t exist.
Russel: [laughs] Most secure one I ever saw was pneumatic.
Marco: [laughs] Yeah, well, I did an assessment once where it was a pneumatics plant in Kansas, but the compressor was brand new. It had a cellular link back up to the cloud for analytics, and you could load and unload the compressor. You couldn’t hack the pneumatic instruments, but you could hack the compressor.
Russel: It’s like for anybody who knows control systems, and when you’re looking at reliability, you look at, well, where are my potential points of failure? Then you start eliminating those, and you do cost-benefit analysis and all that to figure out how to invest your time and money to improve reliability. Well, security is the same kind of thing. It’s a reliability thing. It’s a safety thing.
Marco: Not just that. The other thing, too, on top of this that cascades on top of Security Directive 2 that TSA may not have even thought about is that many of the pipeline operators are under the constraints of the OEM [original equipment manufacturer], whoever developed, deployed that system.
If you’re actually changing a password or something within that system, that could affect the operations of that gear. There’s some reliability and safety implications that, before you roll it out, what’s in the directive, you need to really look at this to see does this impact our safe and reliable operations?
If any of those is a checkmark of yes or maybe, then you need to stop before rolling it out. You really need to work with TSA and say, “Hey, here’s our predicament, and here’s our situation. We’re trying to meet the intent of what you put out in these 180-day, 90-day directives, with it being prescriptive. Here’s what we’re doing. We think we’re meeting this. We’re trying to meet the intent of it, but we feel that, if we do this, we could impact operations.” You just need to be open and lay it all on the table with TSA to say, “Here’s where we’re at with this. Come out to the facility. We’ll show you what this means.”
Russel: I want to come back to this SD2 for a second, because I haven’t had an opportunity to look at it. What I’m understanding you to say is it’s fairly prescriptive and directive in terms of these are the tools, technologies, and approaches you should be using for mitigating these specific kinds of threats and vectors.
Marco: That is correct.
Russel: Okay, that’s interesting, because the TSA has been avoiding getting prescriptive. Why do you think that shifted?
Marco: I think the TSA is an area with their, I guess, oversight and from regulatory to be able to roll out initiatives as they see fit. The industry is challenging them on the security directives. This is not news. This is something that’s been going on for some time within the actual industry community, such as API, AFPM, and many others that have written and have provided draft comments to TSA.
TSA said, “Yeah, well, here’s some new timelines for you,” but really didn’t work with the industry in regards to some of this. Yeah, they’re prescriptive. I really can’t tell you from an answer of why or what kind of stick that they walk around with, but I can tell you that this thing is out there, and the dates are there.
As far as punitive or compliance costs and what have you, I really haven’t seen anything provisioned from TSA that says, “These are the fines in a quantitative number that you’re going to be paying per finding if we go out and inspect.”
Now, I know I’ve seen other industries, like MTSA facilities for MTSA [Maritime Transportation Security Act] with Coast Guard to where they’ve defined each variance could be $25K per violation. I haven’t seen that on the pipeline side of it yet. I’m not saying it’s not out there, but maybe I’m just not looking in the right places.
Russel: I think it’s probably a little early in the whole regulatory cycle for that type of thing. I think what you have going on — this is true in all regulatory environments — I think that the nature of cybersecurity is a little different. We had an event, got national attention. Consequently, Washington reacted, and what we’re seeing is the nature of that reaction. What’s unique here versus other kinds of rulemaking is the speed at which they’re asking people to respond. I think that goes largely to the nature of the threat.
I recently did an episode with a guy named Niyo Pearson on the Colonial attack, the nature of the threat environment, and such. One of the things that was my key takeaway from that conversation is the nature of the threat is no longer just individual nefarious actors. It’s nation-states and nation-state resources trying to…I don’t know that I can say what I think the objectives are, but there’s nation-state actors that are trying to gain access to and control of critical infrastructure.
We saw some of this in the Ukraine a couple of years ago, and it’s the same kind of thing. There’s a need to be able to act and react quickly in this environment. It’s more of a warfighting environment than it is a typical safety environment, which is new and different for pipeline operators that are risk-averse and don’t like change.
Marco: Well, Russel, I’ve got to be straight with you. The one common denominator for all of this is connectivity. There’s one thing that we’ve done even the last seven years is really pushed the envelope into enterprise SCADA, having more of a converged IT and OT fabric within our own systems.
The reliance, there’s so many links and reliance between the systems that nation-state actors, just as you said, are wanting and banking on that we have that connectivity, because everybody else is doing it. If they could figure out a way to get in to impact our nation, and by doing that through either power grid or through pipelines, refineries, maritime industries, ports, terminals, they’re going to do that.
They’re going to have teams working on that to do that. If we’re not connected, it’s a much more different story, and you’re back to the older days in the ’50s and ’60s, where they had to do it on foot to try to go in and do espionage and sabotage.
Where now, it’s just mouse clicks away or pivots down into these systems. We have to get serious, and we have to get real. I think the directives are just trying to really prod to say, “Hey, we need to get serious on the pipeline side of it,” and rightfully so.
Like you said, you came from the pipeline side, and I’ve done a lot of work on pipelines. We know what that industry is, what it’s like, and some of the things they could be doing better. There’s industries that can be doing better.
Russel: We have a fiduciary responsibility to safety, but we also have a fiduciary responsibility to the national economy.
Marco: Absolutely.
Russel: People rely on what we do. Whether they realize it or not, they rely on it to drive their cars. They rely on it to heat their homes. They rely on it for electronic power, all those things. If you’ve ever been in a part of the country right after a big storm, when all the power’s out and all of that, it’s very interesting just how quickly things can break down. The first few days is one thing, but if you think about, well, what if that happened, and it lasted more than a couple of weeks, right?
Marco: Oh, yeah.
Russel: It starts becoming a big deal really quick.
Marco: We’ve seen people try to carry gasoline in plastic bags. We’ve even seen outputs of gasoline that is mixed with water, ruining engines. The petroleum and the refined side of it and the gasoline is very important to our national infrastructure. That’s how we get vehicles on the road. That’s how we get emergency response vehicles out into facilities. Yes, it is very important.
Russel: Where do you think all this is going, Marco? Where do you think we’re headed? Probably ought to talk a little bit, too, about what’s going to happen with rule-making and that sort of thing. Do you have any opinions about all that in terms of where we’re going?
Marco: Well, I do know that there are some bills that are on the Hill in D.C. regarding cybersecurity for pipeline stuff for the pipeline industry. I don’t know a whole lot about them. I just know that I think there was one recently that was put out by Senator Cornyn in regards to pipeline cybersecurity. I haven’t had a chance to fully read it, but I think it just resolidifies the need to protect our critical national infrastructure, our pipeline assets, that I think extends well and beyond just the top 100 deemed critical now.
As far as the future, what I see is that I think that the pipeline companies that TSA hasn’t notified — in other words, they’re not the top critical — I think that they should be starting today, looking at their systems, get an idea on segmentation between operations and IT or enterprise. I think they need to start today. Even though they’re not falling under this security directive today, there’s nothing that says that a year from now, maybe, or even two years from now, that they won’t be under regulatory requirements.
It’s best to start now. It’s best to get an idea of what assets you do have. Making sure that you have good architectural design internal documents of your systems, whether it’s a spur, a hop, a compressor station, or a block valve site, making sure that you have identified that and try to identify who has access to those sites and systems, and really figure out your full architecture.
That will be looking at the requirement, making sure that you’ve captured that, you have a handle on what you have, do you have an asset inventory of your devices. Those are key critical things that I think companies down the road will need to make sure that they have and capture.
Russel: The other thing I wanted to ask you about, one of the things that occurred as a direct result of Colonial, API had been working for a while on a revision to its standard for pipeline cybersecurity, 1164.
Marco: Yes sir.
Russel: The Colonial incident caused renewed attention and commitment to completion, [laughs] I’ll say it that way.
Marco: It is complete, and it’s available for purchase. It’s revision three.
Russel: Yeah, and as we’re recording this, it’s just been complete within the last week or so.
Marco: Excellent.
Russel: What’s your take on that as a place to start for pipeline operators?
Marco: I think it’s a great place to start, and here’s why. It takes in some of our best national standards, so it does reflect NIST, your special publications, 800-82. It references 800-53, but it also has put in the ISA and ANSI — American National Standards Institute 62443 standards which are dedicated as well for control systems, regardless of sector.
They were able to use the NIST cybersecurity framework. They’ve used the SP, the special publications, of 800, and they’ve used 62443. That is very meaningful. I’m a longstanding, roughly 20-year member of ISA and sit on some of the committees with folks that are from industry to help write cybersecurity standards and directives internally. I can tell you that these were well thought out and well built, so I think it’s a great start.
Russel: I absolutely concur with that, Marco. I was involved in 1164. Not as much as I’ve been in some other standards. I just didn’t have the bandwidth, particularly when they picked up the pace, because it was a pretty significant commitment from all the players in terms of their time commitment to do all that.
What I will say they did a really good job of is that a lot of folks on that committee, they spent a lot of hours, and they really looked hard at all the available industry cybersecurity standards. That’s one of the challenges in this domain. There’s so many of them.
Marco: Exactly.
Russel: They said, “Let’s figure out how to decode all of this stuff that’s out there and apply it to pipeline.” If you start with 1164, you’re really getting the best of everything as it’s applied to pipeline.
Marco: I agree with that.
Russel: For anybody who doesn’t have a program in place, I would point them to version three of 1164 as the place to start.
Marco: Absolutely, and I think that’s a well-written document. I’ve had a chance to look at it and view it. Again, as you said, it has parts of some of the best industry standards. It really is a good collective. Knowing some of the folks that were actually on the R3 group, I know that it was well written as well, because they really have a lot of skin in the game, as we say.
Russel: Oh, yeah, there was a lot of passion in the discussion about what should and shouldn’t be in that standard, and a lot of pedantic detail, I guess is the way I would say it.
Marco: I guess the key things from Security Directive 2 is just making sure…Again, a lot of the stuff that’s in there that’s prescriptive are not new concepts to the cybersecurity world from operations side. What is specific is the timelines to achieve those. That is what’s being discussed heatedly at some boardroom meetings and engineering rooms across the U.S.
Russel: Yeah, yeah, no doubt. Well, listen, Marco, this has been great. I really appreciate you coming on.
Marco: Glad to be here, and hey, hopefully, I get an invite back sometime.
Russel: Well, we’d like to have you back. We’d like to have you back.
Marco: Well, Russel, it’s been a pleasure.
Russel: I hope you enjoyed this month’s episode of the Pipeliners Podcast and our conversation with Marco. If you would like to support this podcast, the best thing to do is to leave us a review on Apple Podcasts, Google Play, or on your smart device podcast app. You can find instructions at pipelinerspodcast.com.
If there is a Pipeline & Gas Journal article where you’d like to hear from the author, please let me know either on the Contact Us page of pipelinerspodcast.com or reach out to me on LinkedIn. Thanks for listening. I’ll talk to you next month.
[music]
Transcription by CastingWords