Several years ago I was doing a control system cyber risk assessment for a regional transit agency. The most significant safety issue was the Liquified Natural Gas (LNG) transit bus refueling facility. The LNG facility was on the transit agency property and was for use for the LNG-powered transit buses and other LNG-powered agency vehicles. The transit facility was built and operated by a third-party LNG refueling company that does this for many transit agencies. By contract, the transit agency was not allowed into the LNG facility without approvals from the LNG facility operator.
When we contacted the LNG facility organization about their control systems, we were informed they had IT network (not control system) cyber security policies and had standardized on a specific control system supplier who met their cyber security requirements. Consequently, the LNG operator felt their cyber risk was addressed. As these policies had not been shared with the transit agency, the transit agency could not validate the actual risk and therefore assumed the cyber risk was adequately addressed.
After getting permission from the LNG facility operator, we did a walkdown of the LNG facility and found a control system major supply chain issue that didn’t involve foreign malicious actors. As part of the design of the LNG facility, the LNG facility operator had contracted for what is called “skid-mounted” equipment for a critical part of the LNG production operation. The skid-mounted equipment included the large hardware as well as the control systems for the hardware.
In this case, the skid-mounted vendor had selected a different control system supplier than the one the LNG operator had selected. Consequently, from a cyber-perspective, the LNG operator was unaware of the “foreign” control system equipment in their LNG process and the “foreign” control system vendor did not necessarily conform to the LNG facility operator’s cybersecurity policies. The transit agency was totally in the dark. At that time, we weren’t looking to find if there were Chinese-made control system devices in this facility. From a risk perspective, the LNG facility is sited near a diesel storage tank for the site emergency diesel, close to a very busy freeway, and near other industrial businesses which made it an attractive target.
This type of third-party risk for skid-mounted equipment is common to every industrial and manufacturing facility.
(cross-posted on CONTROL’s website: https://www.controlglobal.com/blogs/unfettered/another-view-of-control-system-supply-chain-risks-third-party-equipment-suppliers)