
Cybersecurity Incident Response for the Oil and Gas Industry: Are You Ready?

April 5, 2023
On July 21, 2022, the US Transportation Security Administration (TSA) made a significant change to its security directive for owners and operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities, with the goal “to reduce the risk that cybersecurity threats pose to critical pipeline systems and facilities by implementing layered cybersecurity measures that demonstrate a defense-in-depth approach against such threats.”

As part of the directive, the TSA requires organizations to establish and maintain an up-to-date Cybersecurity Incident Response Plan (IRP) to reduce the risk of operational disruption or other significant impacts. However, the TSA does not dictate how to create one.

What is a Cybersecurity IRP?

The overall goal of a cybersecurity IRP is to reduce the risk of operational disruption or other significant impacts on necessary capacity, should a pipeline or facility experience a cybersecurity incident. The owner/operator must be able to detect, analyze, mitigate, respond to, and recover from cybersecurity incidents. Additionally, they must have the capability to sustain operations during cybersecurity incidents, proportionate with the risk to critical infrastructure and organizational objectives. This applies to both information technology (IT) and operational technology (OT) systems.

What’s the Difference between IRPs for OT and IT?

One of the most important considerations for owners/operators to keep in mind is that OT cyber incident response is not a simple add-on to an existing IT incident response program. The unique nature of OT environments requires an incident response plan and program specifically tailored to OT risks, which differ significantly from IT risks. Cyber incidents that impact OT systems can have very real physical consequences, posing a threat to human and environmental safety. OT cyber incidents can also have a material impact on operational uptime, so every minute an incident remains ongoing can directly affect revenue. This means that the risk management goals of an OT incident response team are vastly different from those of an IT-focused team.

In addition to the goals and risk calculations being different for OT incident response, there are important differences in the way teams assess and respond to an OT incident. Responders must be able to effectively:

  • collect forensic data from systems that must keep running, which rules out the acquisition methods (taking a host offline, imaging a disk) that IT responders rely on, and demands techniques that respect stricter operational and uptime requirements
  • triage systems without shutting them down or disconnecting them, as IT systems can be disabled during an ongoing incident but OT systems often cannot
  • examine activity on systems that use industrial protocols and technology into which typical IT forensic tools offer little to no visibility
  • bring enough OT network expertise to the table to understand what abnormal activity looks like, and to recognize when their own actions may do more harm than good for system stability

What’s Included in an IRP?

Every organization’s OT IRP will look slightly different, but most plans should offer guidelines, documentation, and best practices for the organization in nine important areas:

  • Roles and responsibilities
  • Risk management, triage, and escalation decision making
  • IR lifecycle model (NIST, SANS, PICERL, etc.)
  • Categories of incidents and workflows
  • Isolation plan
  • Communication plan
  • Regulatory and legal requirements
  • Internal and external resources and contacts
  • Supporting forms and documentation

Where to Start in Creating an IRP?

In the first stages of IRP development, organizations shouldn’t try to boil the ocean and create a plan that covers every possible scenario they can think of. The idea is to tailor a plan to your industry and to the most common and dangerous incident risks that organizations like yours are likely to face. Identify the incidents that are both most likely to occur and most likely to cause the biggest safety or financial consequences, and start with those. Plan the contingencies for these high-impact incidents first and then iterate from there. When thinking through the consequences that drive the IRP, the risks to consider should include:

  • Environmental and human safety risks
  • Legal considerations
  • Regulatory mandates, like the TSA directive
  • Insurance considerations
  • Supply chain and third-party risks

For more information on creating an IRP, our incident response experts covered this and more valuable advice in a recent Dragos report and webinar.