NCCoE publishes LNG Cybersecurity Framework Profile based on prioritized mission objectives

The National Cybersecurity Center of Excellence (NCCoE) published Thursday finalized guidance for the Liquefied Natural Gas (LNG) industry and subsidiary functions that support the overarching liquefaction process, transport, and distribution of LNG. The LNG Cybersecurity Framework (CSF) Profile was developed to take a broad look at the LNG industry’s infrastructure and engage with LNG industry stakeholders to identify their mission objectives and priorities.  

Titled, ‘NIST Interagency Report (NIST IR) 8406, Cybersecurity Framework Profile for Liquefied Natural Gas,’ the document provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to the overall LNG process. The guidance document supplements current cybersecurity standards, regulations, and industry guidelines that are already being used by the LNG industry. The LNG CSF profile is not intended to replace any existing cybersecurity guidance or policy but rather to complement existing best practices by helping stakeholders prioritize the recommendations provided by LNG organizations.

The LNG CSF profile can be used by entities that are part of the LNG industry to address and mitigate cybersecurity risks associated with LNG processes and systems. It also helps organizations identify opportunities for managing cybersecurity risks in the LNG lifecycle; provide a baseline of the mission objectives for LNG operations that were identified and prioritized by LNG industry stakeholders; and build on the identified mission objectives to develop a prioritized list of CSF categories. 

It also includes a table of prioritized CSF subcategories based on identified CSF categories. These prioritizations of mission objectives, CSF categories, and CSF subcategories may serve as a useful starting point to identify cybersecurity activities and outcomes that may be important to members of the LNG industry. Additionally, prioritizations can be tailored to account for specific mission objectives or operational considerations.

Representatives from the oil and natural gas industry took part in the online workshops and identified nine mission objectives for the LNG industry. They provided descriptions of and summarized rationales for the ranked mission objectives during workshop exercises and discussions. These mission objectives were prioritized by the participants, and their prioritization is meant to be informative rather than prescriptive. Each organization should consider its own goals and priorities when consulting this Profile and adjust how it applies the guidance accordingly.

The mission objectives include maintaining safe and secure operations; ensuring the operational integrity of plant systems and processes; controlling operational and enterprise security and access; and monitoring, detecting, and responding to anomalous behavior. They also cover safeguarding the environment; defining policy and governance actions that capture/protect the mission; maintaining regulatory compliance; continuously optimizing and maintaining the current operational state by establishing baselines and measures; and validating and optimizing the supply chain.

The document was prepared for the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) as part of an inter-agency agreement with the Department of Commerce’s National Institute of Standards and Technology (NIST) to research and develop tools and practices that will strengthen the cybersecurity of maritime transportation systems within the Nation’s energy sector, focusing on LNG. CESER and NIST developed the profile through a collaborative process, driven by LNG industry stakeholders, which resulted in tailored guidance for the LNG industry to implement the NIST Cybersecurity Framework.

The NCCoE document was developed to take a broad look at the LNG industry’s infrastructure and engage with LNG industry stakeholders to identify their mission objectives and priorities. “With any risk management process or when making cybersecurity decisions, an organization must consider its own specific needs. This profile demonstrates one aspect of how cybersecurity activities can be prioritized based on LNG-specific mission objectives,” it added.

The profile can be used in several ways, including highlighting high-priority security expectations, performing a self-assessment comparison of current risk management practices, or as a baseline profile or example profile to reference when developing one’s own.

“Organizations across the energy sector place a high priority on mitigating risks to operational technologies (OT)—the systems used to monitor and control physical processes. These systems manage critical energy sector processes that, if damaged or disrupted, could impact energy delivery, public safety, and national security,” the NCCoE document said. “This Profile focuses on managing risks to OT systems in LNG operations, including onboard monitoring and control technologies and remotely managed, third-party systems. In addition to the recommendations for LNG organizations offered in this Profile, additional high-level OT-specific issues should be considered when reviewing this Profile and the CSF.” 

OT environments typically encompass expansive and diverse assets that may not be controllable through conventional information technology (IT)-based cybersecurity tools, techniques, and methods due to the design and architecture of some OT assets, it added. “These assets also have a high potential for operational disruption when cybersecurity monitoring or scanning tools are applied to OT environments. Implementing ‘separate-but-connected’ IT and OT networks is an effective way to mitigate various risks, including the impact that tools designed for IT networks may have on OT assets.” 

The profile also noted that organizations may face additional supply chain-related challenges, as many field assets are vendor-supplied and operational needs may drive acquisition decisions. “Procurement and change management processes that engage engineering and IT stakeholders can help to mitigate some of this risk. Given that OT assets drive core business processes for LNG organizations, additional consideration can be given to these issues when applying the guidance in this Profile.”

The document also said that developing a profile is a collaborative, stakeholder-driven process. “To ensure that the profile aligns cybersecurity outcomes with mission requirements, input from stakeholders and experts in a particular field is critical. This methodology lays out how NIST gathered input and garnered consensus from a group of LNG industry stakeholders to produce this Profile. This methodology is one approach to achieving consensus among stakeholders but is not the only way to do so,” it added. 

Profile workshops are conducted with stakeholders to establish agreed-on mission objectives, prioritize those mission objectives, and identify priority CSF categories for each mission objective. Workshop participants were asked to identify categories most relevant to each mission objective, and then to prioritize those categories as high-priority, medium-priority, or starred-priority. 

High-priority categories were considered the most critical for accomplishing a mission objective; medium-priority categories were considered important to a mission objective, although not as important as high-priority categories; while starred-priority categories were identified as being relevant to a mission objective, but not with the same urgency as other priority categories. 

Following the workshops, the participants determined which CSF subcategories were most relevant to each mission objective, the document said. “Users of the Profile working to improve the security of the LNG industry should conduct activities in support of all applicable Subcategories of the CSF. This Profile recognizes and specifies a subset of those CSF Subcategories to help organizations prioritize cybersecurity risk mitigations they have yet to address.” 

It added that the profile was developed to serve most of the LNG industry’s needs and, as such, was not developed to guide any action to be taken by an LNG organization. “Those consulting this document should, as appropriate or necessary, emphasize (or de-emphasize) the importance of Subcategories depending on the unique needs of their organizations.”

Last October, the NCCoE released a draft LNG CSF profile to supplement existing directives, which was developed for the LNG industry and the subsidiary functions that support the overarching liquefaction process, transport, and distribution of LNG. The LNG CSF profile identifies and prioritizes opportunities for improving the cybersecurity posture of the LNG supply chain.
