It’s interesting that I had been preparing a webinar on pipeline safety and security since there have already been numerous incidents reported regarding pipeline accidents and leakage. Now the latest incident concerning Colonial Pipeline and the ransomware attack by Darkside, a so-called extortion group, believed to be operating out of Russia or eastern Europe, has highlighted the urgent need to address this.
Given that cybersecurity attacks on US infrastructure are not new and the fact that there have been several successful attacks, Solar-Winds being one of them, why are we not implementing the correct safeguards? We at exida have been presenting webinars, blogs, and papers on the importance of cybersecurity, not just from a financial aspect but also from a safety perspective. Is it a case of companies thinking “we’ve never had a problem before, so why worry?” or is it just complacency, when it comes to companies not taking Operational Technology Cybersecurity seriously?
In our experience, the majority of cybersecurity incidents are as a result of what we call, the stumbling, bumbling and fumbling, which is a result of internal personnel not truly understanding the implications and consequences of their actions (e.g. using infected media). It is what we refer to as having the basic “Cyber Hygiene” to ensure staff are informed about the trip falls of not adopting good cyber hygiene. Granted, not all companies would be a target of groups like Darkside or nation-state sponsored organizations, but when it comes to infrastructure, we should be extra vigilante. The Not Petya attack on the Ukraine a couple of years back didn’t just affect the Ukraine but also affected many companies in the US, costing billions of dollars in lost production and recovery.
Companies can easily take the first steps towards implementing cybersecurity, as defined in IEC62443, by starting with a High-Level Risk Assessment to identify the critical assets that need to be safeguarded. In the process industries, the IEC61511 standard requires measures to be taken to secure Safety Instrumented Systems (SIS) from a cybersecurity perspective (under Clause 8.2.4), referencing IEC62443 and TR.84.09. IEC62443 could also be applied to pipeline facilities too. We at exida have undertaken several projects with pipeline companies to help them implement an IEC62443 approach.
If this blog has piqued, your interest, then look out for the upcoming webinar on pipeline cybersecurity and safety.