It used to be safe to assume that pipelines would fly under the radar for cyberattacks. Even though they are a critical infrastructure element, they weren’t something hackers focused on. However, a recent series of high-profile attacks on pipeline infrastructure has changed that outlook, and today, the organizations that operate them must spend more effort and resources actively securing their operations.
As Eric Cytrynowicz and Martin Johnson explain in their recent article in Pipeline and Gas Journal, the concern for pipeline security has increased so much that the U.S. Transportation and Security Agency (TSA) has stepped in to issue mandatory security directives for pipeline owners and operators. While every organization will secure their infrastructure differently, there are some similarities for every pipeline. Eric and Martin explain,
“To accomplish this shift to increased cybersecurity, companies must focus on building layers of defense from the supervisory control and data acquisition (SCADA) system all the way down to the individual field devices.”
To help companies meet this goal, Eric and Martin have put together three key guidelines to help teams create more secure operations.
Tip One: Develop Secure Practices
When companies were less worried about cyberattacks, many organizations simply left remote terminal units (RTUs) with default usernames and passwords. In fact, the RTUs themselves often had limitations on password complexity that prevented teams from setting requirements that would meet today’s higher standards. But now, RTUs should be able to handle more robust password standards. Eric and Martin suggest that—at the bare minimum—teams implement unique passwords, following common complexity guidelines. Moreover,
“Today’s high-performing organizations are ensuring each person on the network has an individual username and password. In addition, role-based security measures are recommended to ensure each person is assigned access rights based on his or her role or function.”
Tip Two: Enact Solutions to Ensure Compliance
Not only does a company need a cybersecurity plan, but they also need concentrated effort to keep that plan alive. One key element of this plan is to designate a cybersecurity coordinator. In fact, having a coordinator is a requirement under the TSA guidelines. However, as Eric and Martin share,
“Many organizations have thousands of miles of pipelines, so managing the security of RTUs and flow computers in the field often requires sending engineers or field technicians hundreds of miles to remote sites to check on equipment, perform calibration, or collect data”
Even with a cybersecurity champion, this amount of travel often becomes untenable, especially if the primary need is to change a password or manage an account. But industrial software applications like Emerson’s credential management tools enable field managers to handle account control from a central location. With the push of a button, teams can update credentials and instantly replicate those changes across any device in the fleet.
Tip Three: Use More Secure Protocols
Better passwords and account management are not the only way to help secure a SCADA infrastructure. Modbus, the most well-known protocol used in pipeline systems is an insecure protocol, providing no protection against unauthorized control actions. To provide better protection, many organizations are looking to Distributed Network Protocol 3 (DNP3), a more modern, more secure protocol for pipeline communication. Martin and Eric explain,
“DNP3 offers operators the best of both worlds: improved cybersecurity across the pipeline’s SCADA system and field equipment, but without the overhead and delays that come with increased network traffic.”
A Deeper Dive
There are many things a pipeline company can do to help ensure operation continues without incident 24/7. In the full article, Eric and Martin go into much more detail, providing additional tools and strategies to better secure pipeline operations.