Pipelines Benefit by Uniting Around Pipeline Cybersecurity and IPRO

Written By James Hoecker

1. CYBERSECURITY IS A STRATEGIC BUSINESS ENABLER. Security is more than an IT issue and business risk are about more than security. Strong and effective cyber security adds value to the business, and avoids loss of production, ransom demands, loss of reputation, undue delays in recovery, and other business risks. Controlling cyber-risk requires coordination and collaboration with business units throughout the enterprise. OT is part of the cash register of the pipeline business and requires more attention than it typically receives. IPRO will support a culture of compliance that models good business decision making. 


2. PIPELINES NEED A SHARED INSTITUTIONAL APPROACH TO UPGRADING SECURITY AND MANAGING RISK. Regulators and pipeline companies need assurance that they are employing state-of-the-art controls and education to ward off attacks on operations, security, and their customers. IPRO is designed to provide an independent assessment of OT assets so that management can ensure process integrity and digital safety. It enables sharing of costs and expertise across the sector. 

3. IPRO DELIVERS BENEFITS THROUGH COLLECTIVE ACTION. Attaining cyber “maturity” in operational technology is a critical business objective. Budgeted protections for IT alone will not be sufficient to mitigate business risk. A systemic assessment of OT preparedness by IPRO and installation of controls that meet industry standards and best practices will: 

  • Mitigate risk and reduce insurance and other costs 

  • Reduce the risk of moving operational controls (ICS) from the plant floor to the cloud 

  • Provide enterprise wide, system-level insights into critical infrastructure 

  • Build confidence among regulators and policy makers that industry is pursuing state-of-the-art solutions, thereby minimizing duplicative auditing procedures 

  • Improve safety and security for employees, stakeholders, and community 

  • Develop continuous improvement and training strategies (Plan, Act, Check, and Do

  • Embody a comprehensive cybersecurity strategy for the Midstream industry 

  • Help address chronic weaknesses in information security programs 


4. IPRO WILL WORK WITH BUSINESS LEADERS TO ALIGN BUSINESS NEEDS AND CYBER-RISK MANAGEMENT. As part of any significant business decision, pipelines must focus on accepting, transferring, avoiding, or mitigating the impacts of cyber-risk on business and responses to them. Executives must: 

  • UNDERSTAND THE ECONOMIC IMPACT OF CYBER-RISK. Organizational risk assessments should weigh costs against strategic objectives, regulatory requirements, business outcomes, and the management costs. What are the costs of compromise on security? 

  • DESIGN PIPELINE ORGANIZATIONS TO SUPPORT CYBERSECURITY. Internal structures should define who’s accountable for critical actions and design cybersecurity practices into how the business operates.

  • INCORPORATE CYBERSECURITY EXPERTISE INTO GOVERNANCE, INCLUDING THE BOARD. IPRO can help pipelines build a cybersecurity knowledge base inside and between organizations. C-Suite involvement is crucial. 

  • FOSTER RESILIENCE AND COLLABORATION. Knowing that it is a matter of when, not if, attackers will be successful, it is important to be ready to respond and to know how to limit the damage of an attack. It is likewise important to foster industry-wide resilience, since the entire energy sector (and beyond) could be affected by an attack. Stress-testing each company’s defenses and capabilities will be invaluable. 

James Hoecker
Previous

Facing Down the Management Challenges of Cybersecurity
Next

Is The TSA Security Directive A Harbinger Of Oil And Gas Cybersecurity Regulations?