Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1
Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where failure or exploitation could potentially impact pipeline safety or reliability. Holistic Approach: o Centralized Cyber Security department and coordination with Corporate Security department on intelligence and government liaisons. o Physical Risk Assessments - based on Transportation Security Administration (TSA) Pipeline Security Guidelines. Leadership Commitment: o Senior Kinder Morgan management (CEO, CFO, CIO, General Counsel, Presidents of business segments, and Corporate Security) are briefed on a quarterly basis concerning cyber security status and initiatives. 2
Security Guidelines Framework for Improving Critical Infrastructure Security, National Institute of Standards and Technology (NIST) Pipeline Security Guidelines, by U.S. Transportation Security Administration (TSA) Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry, Interstate Natural Gas Association of America (INGAA) API Standard 1164 - Pipeline SCADA Security, American Petroleum Institute (API) Security Guidelines for the Petroleum Industry, American Petroleum Institute (API) 3
Threat and Information Sharing Intelligence Sources: o Kinder Morgan participates and receives threat information through various sources, including: A partnership between the FBI and the private sector (FBI-InfraGard), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Fusion Centers, Oil and Gas Sector, and Vendors Classified Briefings with the Federal Intelligence Community (CIA, DHS, DOE, FBI, and NSA) Secret Clearances held by various individuals in various groups: IT (4), Corp Security (2), and Operations (4) Information Sharing: o Joining the Downstream Natural Gas Information Sharing Analysis Center (ISAC) o Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) or other Federal Partners Federal Partner and Industry Engagement: o Active participant in Sector Coordinating Councils (SCC) to remain connected to government and industry initiatives on cyber security o Industry Organizations include: American Petroleum Institute (API) Interstate Natural Gas Association of America (INGAA) International Liquid Terminals Association (ILTA) Association of Oil Pipelines (AOPL) Energy Security Council (ESC) o Federal Partners include: Department of Homeland Security (DHS) Transportation Security Administration (TSA) Department of Energy (DOE) Department of Transportation (DOT) United States Coast Guard (USCG) Federal Bureau of Investigation (FBI) Office of the Director of National Intelligence (ODNI) 4
Awareness, Exercises, and Testing User Awareness o Email campaigns designed to educate users on the spread of malware through email Response Exercises with Operations o Physical and Cyber security scenarios conducted with live action field response Penetration Testing o Performed annually o Variety of 3 rd Parties Used Interstate Natural Gas Association of America (INGAA) Cyber Tabletop Exercise o Conducted joint tabletop exercise with other pipeline companies, Federal Energy Regulatory Commission (FERC), Transportation Security Administration (TSA), and Department of Homeland Security (DHS) o Tested response, recovery, notifications, and coordination with government agencies 5
Cyber Security Measures Supervisory Control and Data Acquisition (SCADA) Security o Separation: SCADA systems have been separated from the business network (i.e., No direct path to the business network or the Internet) o SCADA systems have been separated from each other Enhanced Access Control o Unique ID s for each domain o Two Factor Authentication (2FA) o Administrative controls Audit logging and monitoring o Intrusion Detection System o Full Packet Capture monitoring for forensic analysis o Third party APT (Advanced Persistent Threat) and malware notifications o Centralized enterprise logging Distributed Denial of Service (DDOS) mitigation solution Investigating Dark WEB monitoring Asset management o Improve asset inventories o If you don t know what you own, you cannot manage it. If you don t manage it, you cannot secure it. 6
Cyber Security Measures - Continued Network Operations Center (24 X 7: 365) o Monitors critical SCADA systems and Telecommunications circuits o Communicates Directly with Control Centers o Call out support staff o Escalate to Management o Monitor Environmental Systems Physical Security of IT Infrastructure o Data Centers and SCADA (Supervisory Control and Data Acquisition) system servers are maintained in a secure environment o Access is restricted to authorized personnel only and reviewed quarterly Password management o Centralized password management solutions Configuration and Patch management o Increase coverage of patch and configuration management solutions System Security o Increase coverage of security endpoint solutions (e.g,. Anti-Virus) o Endpoint segregation o Implementation of application white/black listing solution o Filter WEB traffic o Filter Email traffic 7
Response and Recovery Incident Response Plan: o Graduated response plan based on incident type and impact Business Continuity Plans and Crisis Management Team o Priority classification for systems and corporate resources to assist KM entities Communications: o Emergency Response Line (ERL) Communication process for engaging decision makers and support staff to manage incidents, issues, and responses; Process is part of KM culture Incidents are communicated to the appropriate people via text and email A description of the incident, location, and conference call information (if needed) Elevation to Senior Kinder Morgan management members (if needed) o Information Technology Service Notification (ITSN) Similar to the ERL process, but specific to Information Technology Incidents are communicated to the appropriate people via text and email A description of the incident, location, and conference call information (if needed) 8
Redundancy and Restoration Data Centers: o SCADA (Supervisory Control and Data Acquisition) systems and Data Centers are located in geographically diverse locations o Fail over between primary and secondary systems are tested annually o Multiple sites have backup telecommunications circuits in place Control Rooms: o Control Centers are located in geographically diverse locations o Fail over between primary and secondary control center s are tested at least annually Environmental Security o Redundant energy supply at primary/secondary data centers o Fire suppression o Building engineers (24 X 7: 365) 9