Locking the door doesn’t work where there is no door. Unintentional cyber accidents or malicious cyberattacks can cause kinetic damage, and there are no cyber forensics, training, or cyber security requirements for addressing these incidents. The TSA Pipeline cyber security requirements (and corresponding requirements for other infrastructure sectors) need to be more control system-focused. That is, pipelines and pipeline critical control equipment such as compressors, process sensors, motors, actuators, and analyzers need to be explicitly included. Because many of the control system cyber incidents weren’t viewed as malicious cyberattacks, they have been largely ignored by the cyber security community.
This is despite the latest TSA (and other infrastructure) requirements for reporting pipeline (and other infrastructure) cyber security incidents. There are also no requirements that engineers and technicians who are knowledgeable about pipeline (or other critical infrastructure) operations be included in the cyber security team. The same engineering vs. networking gap continues to occur across all critical infrastructure sectors, even though it is the engineers who are familiar with “plant-level” vulnerabilities in compressor stations, distillation columns, digester systems, boiler control systems, etc. Because the same or similar equipment and control system devices are used in other critical infrastructures, the Stuxnet approach can be used against pipeline compressor stations and other critical infrastructures.
These staffing and training issues were not addressed by the CISA Advisory Committee at its April 4, 2022 meetings.