INTEGRITY When Life Depends On It
Securing Natural Gas Facilities from Cyber Attack
SCADA systems were never designed to be connected to the Internet. Recent exploits have proven that the "air gap" between SCADA systems and business networks that are connected to the Internet is easily compromised. So while not directly connected, SCADA systems are accessible from the Internet.
FERC and NERC are still trying to play catch-up and tighten up the Critical Infrastructure Protection (CIP) measures mandated by the US government. On January 18, 2008, FERC approved the CIP Reliability Standards developed for the electric industry by NERC and directed NERC to develop modifications to CIP, including:
- Removing the "reasonable business judgment" language and the "acceptance of risk" exceptions
- Developing specific conditions that a responsible entity must satisfy to invoke the "technical feasibility" exception
These tighter standards are being applied throughout the critical industries in the US, including the Natural Gas industry.
SCADA systems are almost NEVER updated for fear that the affected systems won't work properly post-update. This is nothing less than a recipe for a cyber disaster, since cyber holes don't get fixed. How big is the problem? The natural gas industry is massive and complex, just in the US there are:
- 2.2 million mile pipeline system
- 302,000 miles of interstate and intrastate transmission pipelines
- 399 underground storage facilities
- 49 locations where natural gas can be imported/exported via pipelines
- 8 LNG import facilities and 100 LNG peaking facilities
- Natural gas supplies 23% of all energy used in the US
- Consumption of natural gas will increase 20% by 2030 according to DOE
No updates, exposed vulnerabilities in software, systems connected to the Internet. A successful cyber attack on a natural gas facility is not a matter of if; it's only a matter of when.
Sooner or later, cyber security strategies based on ad-hoc, reactive, inconclusive "pierce and patch" security policies will result in:
- Executives not in compliance with Federal laws and facing fines and/or prison sentences
- Loss of crude oil production and/or pipeline transport
- Loss of value market capitalization, revenue, earnings
- Loss of customers
- Millions lost defending or settling class action lawsuits
- Millions of dollars spent on restoring service or refunding money to customers
- Customer health and medical emergencies, including death
- Widespread economic upheaval
- Widespread political and social upheaval
- Compromised national defense
- Environmental disasters of unlimited scope
A cyber security strategy based on "pierce and patch" is
Unfathomable. Unacceptable. Untenable. Uneconomic.
And has largely been unfixable until now.
INTEGRITY the most secure and reliable software ever developed can provide natural gas facilities with certified unbeatable cyber asset security. The National Information Assurance Partnership (NIAP) has awarded INTEGRITY a rating of EAL6+ High Robustness.
With INTEGRITY, mission critical applications stay secure, customer data remains private, and control and command applications work without the possibility of intentional, hostile, well-funded, internal or external attack. And it's been certified not once, but multiple times.
INTEGRITY helps gas companies meet and exceed NERC's Critical Infrastructure Protection requirements:
CIP-001-1 Sabotage Reporting - INTEGRITY eliminates the possibility of cyber sabotage.
CIP-002 Critical Cyber Assets - INTEGRITY makes the risk assessment process simpler by eliminating the risk.
CIP-003 Security Management Controls - INTEGRITY turns the minimum requirement into a "maximum" as the security management controls will be military-grade.
CIP-004 Personnel and Training - INTEGRITY makes cyber awareness easy as access to and control of critical data are allowed based on a comprehensive policy strategy established by the electric utility.
CIP-005 Electronic Security - INTEGRITY protects all the assets regardless of where they reside.
CIP-006 Physical Security - INTEGRITY provides physical security planners with the added benefit of knowing the assets are secure from social hackers.
CIP-007 Systems Security Management - INTEGRITY enables utilities to establish their own enterprise-wide and system-level protocols.
CIP-008 Incident Reporting and Response Planning - INTEGRITY prevents any attack from getting out of the virtual computer involved. Attacks can be eliminated with a single click of a mouse.
CIP-009 Recovery Plans - INTEGRITY ensures that critical cyber assets are always safe and always available from INTEGRITY-enabled data storage facilities should physical damage create the need to rebuild an electric utility command center.
Certified as secure and reliable for both military and non-military use as a result of the most rigorous testing and evaluation possible, INTEGRITY offers:
- True security
Open communication is possible without risk to critical assets
Mission critical assets and applications remain completely safe and secure
- Cost savings
- INTEGRITY Secure Consolidated Client (ISCC)
Simultaneous support of legacy and mission critical applications
- Form flexibility
Protect desktop PCs, servers, Thin-Client Workstations and even PDAs
- Open Standards
Supports Windows and Linux
Ability to create native POSIX applications
- Certified security and reliability no other operating system can offer this level of security and reliability and no other operating system has ever been certified to the levels of INTEGRITY
To learn more about how INTEGRITY Global Security can secure your gas facilities and pipelines, please call 805.882.2500 or send email.