NCCoE rolls out draft LNG Cybersecurity Framework Profile to supplement existing directives, calls for comments

The National Cybersecurity Center of Excellence (NCCoE) released a Cybersecurity Framework Profile on Monday developed for the Liquefied Natural Gas (LNG) industry and the subsidiary functions that support the overarching liquefaction process, transport, and distribution of LNG. The LNG Cybersecurity Framework Profile identifies and prioritizes opportunities for improving the cybersecurity posture of the LNG supply chain. It also seeks to supplement, but not replace, the cybersecurity standards, regulations, and industry guidelines already in use across the LNG industry.

The LNG Cybersecurity Framework Profile has been created in collaboration with the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). It comes as part of an inter-agency agreement with NIST’s NCCoE to research and develop tools and practices that will strengthen the cybersecurity of the systems that handle energy resources within the nation’s marine transportation system (MTS). The profile focuses on the LNG energy resource.

The agencies – CESER and NIST’s NCCoE – developed the profile through a collaborative process driven by LNG asset owners and operators. They also worked with LNG security experts, providing a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to all components of the LNG supply chain.

The comment period for the initial public draft of NIST Interagency Report (IR) 8406, Cybersecurity Framework Profile for Liquefied Natural Gas, is open through Nov. 17.  

The NCCoE document comes when the U.S. administration is working towards securing cyberspace and strengthening critical infrastructure. Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging threats, confirmed last week that the communications, water, and healthcare sectors are looking at new cybersecurity standards.

The LNG Cybersecurity Framework Profile explores the industry’s unique alignment of its organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the cybersecurity framework core. It can be used by liquefaction facilities, LNG vessels, and other supporting entities of the LNG life cycle so that cybersecurity risks associated with these critical processes and systems can be minimized. The LNG Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to the overall LNG process. 

Organizations across the energy sector prioritize mitigating risks to operational technologies (OT) systems, typically used to monitor and control physical processes. These systems also manage critical energy sector processes that, if damaged or disrupted, could impact energy delivery, public safety, and national security. 

The LNG Cybersecurity Framework Profile focuses on managing risks to OT systems in LNG operations, including onboard monitoring and control technologies and remotely managed, third-party systems, the NCCoE draft said. In addition to the recommendations for LNG organizations offered in the profile, additional high-level OT-specific issues should be considered when reviewing the profile and the CSF. 

The draft said that OT environments typically encompass expansive and diverse assets that may not be controllable through conventional information technology (IT)-based cybersecurity tools, techniques, and methods, due to the design and architecture of some OT assets. These assets also have a high potential for operational disruption when cybersecurity monitoring or scanning tools are applied to OT environments. Implementing separate but connected IT and OT networks is an effective way to mitigate various risks, including the impact that tools designed for IT networks may have on OT assets.

Organizations may also face additional supply chain-related challenges as many field assets are vendor-supplied and operational needs may drive acquisition decisions, the NCCoE document said. “Procurement and change management processes that engage engineering and IT stakeholders can help to mitigate some of this risk. Given that OT assets drive core business processes for LNG organizations, additional consideration can be given to these issues when applying the guidance in this Profile,” it adds. 

The CSF uses business drivers to guide cybersecurity activities within an organization, enabling organizations—regardless of size, degree of cybersecurity risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improve security and resilience. In addition, it provides a common language for understanding, managing, and expressing cybersecurity risk and cybersecurity management communications among internal and external stakeholders and across an organization, regardless of cybersecurity expertise.

The CSF consists of three main components – the Core, Profiles, and Implementation Tiers. The Core is a catalog of desired cybersecurity activities and outcomes using a common language that is easy to understand. A CSF profile is an alignment of organizational requirements, objectives, risk appetite, and resources against the desired outcomes of the CSF Core. 

Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization. Implementation Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and can be used as a communication tool to discuss risk appetite, mission priority, and budget.

The NCCoE draft said developing a profile is a collaborative, stakeholder-driven process. To ensure that the LNG Cybersecurity Framework Profile aligns with mission requirements, input from stakeholders and experts is critical. The methodology lays out how NIST gathered input and garnered consensus from a group of LNG industry stakeholders to produce the profile. It identifies the methodology as one approach to achieving consensus among stakeholders.

The draft said participants from the oil and natural gas industry participated in the online workshops and identified nine mission objectives for the LNG industry. During workshop exercises, participants provided descriptions and summarized rationales for the ranked mission objectives. The participants prioritized the mission objectives, and their prioritization was meant to be informative. Each organization should consider its own goals and priorities when consulting the LNG Cybersecurity Framework Profile and adjust how the organization may apply guidance accordingly.

Workshop participants were asked to identify categories most relevant to each mission objective and then to prioritize those categories as high-priority, medium-priority, or starred-priority, the NCCoE draft said. In addition, profiles should be tailored to individual operating environments and organizational risk tolerances. Following the workshops, the participants determined which CSF subcategories were most relevant to each mission objective, it added.

Last week, the American Gas Association (AGA) announced that it had carried out a nationwide tabletop drill last month focused on natural gas distribution and transmission cybersecurity, physical security, and business continuity. The inaugural Natural Gas Exercise (NGX) brought together nearly 300 industry professionals representing 50 natural gas utilities, transmission companies, and municipalities.

While natural gas companies conduct security exercises internally and are invited to other energy-related exercises, the AGA said there had not been a nationwide exercise focused on natural gas until now.