In the wake of increasing cybersecurity threats, particularly following the Colonial Pipeline ransomware attack in May 2021, government agencies took steps to improve the cybersecurity of pipeline infrastructure within the country. By July 2022, a particular agency revised its directives, shifting focus from prescriptive measures to performance-based approaches. The revised directives created a complex compliance landscape for a natural gas utility, requiring robust cybersecurity measures to meet stringent requirements.

The client needed a strong implementation partner who could lead this program. By leveraging the client infrastructure and security resources, ICS was able to successfully fill that gap. We were able to help the client achieve the required cybersecurity resilience and compliance. 

The Challenges

The utility faced several challenges in aligning with the revised directives:

1.  Urgency and Complexity: The directives were issued in response to the Colonial Pipeline attack, making them reactive, rather than proactive, so they needed immediate and comprehensive cybersecurity enhancements. This required a team with expertise in cybersecurity and SCADA infrastructure to lead the initiative effectively.

2.  Diverse Requirements: The directives included a wide range of domains, including Cybersecurity, Operational Technology (OT) Security, IT and OT Infrastructure, Physical Security, and Application Development. Integrating these elements into a cohesive compliance strategy was a formidable challenge.

3.  Budgeting and Resource Allocation: The utility needed clear guidance on budgeting and resource allocation for both capital and operational expenses. Additionally, they needed to forecast future costs to maintain ongoing compliance. 

4.  Sustained Compliance: Beyond the initial implementation, the utility also needed a strategy to maintain compliance with evolving directives in the future. This meant developing processes and tools to ensure continuous compliance with changing regulations.

5.  Resource Constraints: The utility needed a comprehensive assessment to identify gaps in current resources and determine what augmentations were needed to meet requirements.

The Solutions

The ICS team began by conducting a detailed analysis of the security directive requirements, which allowed us to prioritize remediation efforts. This approach ensured that the most critical vulnerabilities were addressed first, thereby minimizing the risk to the utility. With a clear

understanding of the directives, ICS developed a comprehensive program management framework that integrated multiple related projects.

ICS helped the utility delineate the program’s scope and boundaries to ensure the program was well-defined and manageable. This included identifying all stakeholders to ensure the necessary parties were included in the process. ICS developed an executive dashboard that provided the leadership team with ongoing visibility into the program's progress, risks, and issues.

As new directives continued to be issued annually, ICS played a pivotal role in helping the utility maintain compliance. Our team analyzed each new requirement, identified any changes from previous directives, and provided specific guidance on the actions needed to sustain compliance. Furthermore, ICS provided much-needed support in managing the program’s budget. By categorizing capital and operational expenses and offering accurate forecasting for future costs, ICS was able to ensure the financial sustainability of the program.

The Results

The engagement between ICS and the natural gas utility yielded excellent results, ensuring that the utility not only met but exceeded the new cybersecurity compliance requirements:

Full Compliance: The utility reached and has maintained compliance with security directives 2A, 2B, 2C, and 2D.

Sustained Cybersecurity and Operational Integrity: ICS helped the utility build an ongoing compliance framework, integrating cybersecurity and infrastructure for long-term resilience.

Enhanced Visibility: The balanced scorecard and executive dashboard provided continuous visibility to upper management, facilitating proactive management of cybersecurity risks and compliance status.

Financial Clarity: ICS’s support in budget classification between capital and operational costs provided the utility with financial insights to sustain the program.

Preparedness for Future Regulations: The utility is now well-positioned to adhere to future regulatory processes with minimal effort, ensuring ongoing compliance. 

Conclusion

The partnership between ICS and the natural gas utility not only ensured compliance with changing cybersecurity directives but also established a robust, scalable framework for ongoing resilience. ICS guided the utility in developing and maintaining an enhanced cybersecurity posture, equipping it to adapt confidently to future challenges. This partnership with ICS positioned it to take on future challenges and secure its infrastructure for the years - and challenges - ahead.