INGAA - Interstate Natural Gas Association of America

08/22/2024 | Press release | Distributed by Public on 08/22/2024 13:35

INGAA Members drive vendor accountability in critical infrastructure security

Security
Posted August 22, 2024


INGAA members are leaders in the safe, secure, reliable transportation of natural gas throughout the nation, and our members' primary purpose is to keep energy moving. INGAA operators utilize technologies and deploy software throughout their organizations to facilitate the flow of gas, monitor pressure, detect leaks, and secure their networks. These systems are high-value targets for attacks, and operators routinely defend against intrusions by sophisticated adversaries.

To ensure that these software, hardware, and technology components operate efficiently, effectively, and - most importantly - securely, INGAA members implement a "defense-in-depth" approach to managing security. Defense-in-depth is a risk-based strategy that protects the entire enterprise from various threats and includes robust security controls, such as measures for securing and defending edge devices, network segmentation, access control measures, patch management procedures, and continuous monitoring and detection programs.

However, security can't simply rest in the hands of the operators; it must be a shared responsibility between operators, vendors and suppliers, and the federal government. High-profile software compromises, including from vulnerabilities in products that help organizations manage security and system access, are becoming alarmingly frequent, and recent reporting from the Office of the Director of National Intelligence (ODNI) underscores that nation-state adversaries have a keen interest in gaining access to and, in some cases, manipulating industrial control systems (ICS) across U.S. critical infrastructure.

A combination of operator-led risk-based controls, efficient exchange of threat intelligence, and securely built devices is critical to ensuring security efforts remain meaningful and our nation's infrastructure is protected from attacks. In fact, the Biden Administration's National Cybersecurity Strategy calls for this very approach.

Smartly constructed, nimble regulatory frameworks for cybersecurity tailored for each sector's risk profile can improve the consistency of cybersecurity outcomes, and enhanced sharing of threat intelligence between the private sector and federal government improves collaborative efforts to dismantle our adversaries. Importantly, shifting responsibility onto those who fail to take reasonable precautions to secure their software, hardware, and other technology from the outset so that end-users aren't left to bear the consequences will drive the market to produce more secure products for critical infrastructure operators.

To that end, the Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Energy (DOE) are paving a clear path for operators, vendors, and the federal government to work together to secure our nation's critical energy infrastructure. CISA's efforts to develop a threat awareness ecosystem between Secure by Design and the Joint Cyber Defense Collaborative (JCDC) demonstrate that broad private-public partnerships can reduce critical infrastructure cybersecurity risks, including to pipeline systems. The prioritization of threat-informed product development practices from the outset, which is at the core of Secure by Design, is a tremendous value to critical infrastructure operators. "Insecure software makes it easy for nation-state adversaries and criminals alike to compromise our critical infrastructure and put Americans at unacceptable risk. The good news is that we can do something about it now that will benefit generations to come," said CISA Cybersecurity Executive Assistant Director Jeff Greene. "The energy sector has a long history of leading the way on early adoption of security practices and this is just another example of that leadership. CISA applauds the companies that have taken action and signed the Secure by Design pledge, publicly committing to take actions that will raise our global cybersecurity posture."

Learn more: WHAT IS SECURE BY DESIGN?

Similarly, DOE's Supply Chain Cybersecurity Principles align best practices and identify opportunities for the industrial control system vendor community to strengthen the manufacturing supply chain of key technologies that manage and operate our pipeline systems. These Principles are a foundational step toward securing critical forms of equipment and technology before they can be exploited. "The Department of Energy applauds the global manufacturers serving the U.S. energy sector who have endorsed the Supply Chain Cybersecurity Principles. These Principles represent a commitment by the vendor community to take accountability for reducing cybersecurity risk across the sector by driving and advancing cybersecurity for industrial control system security," said DOE Cybersecurity, Energy Security, and Emergency Response Director Puesh M. Kumar. Notably, DOE's model of vendor-to-operator engagement throughout the lifecycle of the product is essential for operator risk management.

Learn more: WHAT ARE SUPPLY CHAIN CYBERSECURITY PRINCIPLES?

Owners and operators have an opportunity to add another layer of defense and efficacy by leveraging vendors who follow Secure by Design and Supply Chain Cybersecurity Principles in their supply and procurement processes, and we believe the concepts should become a powerful demand-side program. As Paul Ruppert, President of Berkshire Hathaway Energy Gas Transmission & Storage (GT&S) and current INGAA Chair, put it: "Our industry fully supports Secure By Design and the Supply Chain Cybersecurity Principles. We are committed to defending against adversarial cyber actors, and part of that process is ensuring that the products deployed in our pipeline networks are built with security in mind from the design phase through the product's lifecycle. We strongly encourage software, hardware, and other technology vendors to sign onto these respective pledges to help secure our nation's energy infrastructure."

To that end, and in our continued commitment to the security of our assets, the INGAA Board of Directors approved a letter (below) endorsing the CISA and DOE concepts, applauding those organizations that have already taken the commitments to engineer their products securely each step of the way, and encouraging all technology and equipment providers - particularly those with a strong market share in critical infrastructure operations - to pledge and certify that their products are secure throughout the entire systems' engineering lifecycle.

INGAA members believe that by leveraging our collective voice, more vendors will voluntarily hold themselves accountable to employ smart security practices, including engaging directly with their customers when security concerns or vulnerabilities arise. "We greatly appreciate organizations like INGAA, whose members provide critical energy services throughout the nation, for their partnership in raising awareness to industry's demand for strong cybersecurity protections across the supply chain," stated Director Kumar. By raising the bar for the vendor community, we are demonstrating that supply chain security is a top priority for the natural gas pipeline industry.
