Washington Gas is a local delivery company (LDC) that provides natural gas via a 300-square-mile network of high-pressure lines to more than 1 million residential and commercial customers in Washington, D.C., and surrounding communities. This transmission network traditionally used microwave rings as its data backbone, along with stationary and mobile radios, to deliver pressure and other readings. The network, which includes a 300-psi line under the National Mall, also employs pneumatic backup controllers in case any electronics or PLCs fail, and it is monitored in parallel by a Verizon-based alarm management system from tattletale, which queries standalone devices and generates reports.
However, when the FBI identified unauthorized monitoring of one of the utility's SQL systems several years ago, Washington Gas began working with the FBI and the U.S. Department of Homeland Security (DHS) to redesign its data infrastructure, according to Craig Lightner, automation and control manager at Washington Gas, who spoke at the ARC Industry Forum 2017 in Orlando. "We previously had a standard, corporate IT environment with servers, apps and authentication to an Active Directory, while the plant had a separate, standalone system," says Lightner. "So, with DHS help, we built a new infrastructure with multiple demilitarized zones (DMZs) between each network layer, and put improved security policies and procedures in place. For us, this was also a good example of a successful IT/OT convergence."
Though it provides natural gas and not electricity, Lightner adds that Washington Gas was also guided by the North American Electric Reliability Corp.'s Critical Infrastructure Protection (NERC CIP) standards. "If taken to heart, NERC CIP is a method for process control system security, and we took it to heart," explains Lightner. "I believe the American Gas Association will be coming out with similar best practices soon."
Beyond following standards, Washington Gas also adopted IT-based, managed security services from SecureWorks. "It streams all our network traffic, loss-of-service and other data, and analyzes it to find intrusions, bad actors and resources that are out, and lets us know in 15 minutes if anything is happening, such as suspicious traffic, unauthorized logins, attempted intrusions or malware. After examining our traffic for three weeks, it can identify what's regular and what's new," says Lightner. In addition, the utility's networked equipment communicates outward through data diodes, hardware that passes traffic in one direction only, so monitoring data can leave the plant network while no data or other communications can come back in. A diode protects only the link it sits on; the receiving side of that feed, and any remaining bidirectional paths such as remote access, still have to be secured separately.
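The two controls described above, a learning period that establishes what traffic is "regular" before anything is called "new", and a diode-protected segment that should never see inbound connections, can be illustrated with a small detector. The following is an added example, not code from Washington Gas or SecureWorks. It assumes a whitespace-separated flow record of the form "timestamp src dst dport proto", a hypothetical OT segment 10.20.0.0/16 that only talks outward through a diode, and a three-week baseline window; all of these are assumptions made for illustration, and the flow lines are constructed, not captured traffic.

```python
"""Baseline-then-alert flow analysis over constructed flow records.

Added example (not Washington Gas's or SecureWorks' code). Two checks:
  1. Any flow whose destination is inside the diode-protected segment and
     whose source is outside it is flagged immediately, even during the
     baseline period, and is never learned as "normal".
  2. Flows seen during the baseline window define the set of known
     (src, dst, dport, proto) tuples; after the window, unknown tuples alert.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flows (not real traffic). Hosts in 10.20.0.0/16 are the
# hypothetical OT segment that should only communicate outward.
SAMPLE_FLOWS = """\
2017-02-01T08:00:00 10.20.1.5 10.10.0.8 502 tcp
2017-02-01T08:05:00 10.20.1.5 10.10.0.8 502 tcp
2017-02-02T08:00:00 10.20.1.6 10.10.0.8 502 tcp
2017-02-03T09:00:00 10.20.1.5 10.30.0.2 443 tcp
2017-02-05T10:00:00 10.10.0.8 10.20.1.6 502 tcp
2017-02-10T12:00:00 10.20.2.7 10.20.1.5 502 tcp
2017-02-23T03:10:00 10.30.0.9 10.20.1.5 445 tcp
2017-02-23T03:12:00 10.20.1.5 10.30.0.2 443 tcp
2017-02-23T04:00:00 10.20.1.5 10.30.0.2 22 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str

    @property
    def key(self):
        # The tuple that defines "the same kind of traffic" for baselining.
        return (self.src, self.dst, self.dport, self.proto)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reasons: tuple


def parse_flows(text):
    """Parse 'timestamp src dst dport proto' lines, sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return sorted(flows, key=lambda f: f.ts)


def inbound_to_protected(flow, protected):
    """True if the flow enters the one-way segment from outside it."""
    return ip_address(flow.dst) in protected and ip_address(flow.src) not in protected


def analyze(text, protected="10.20.0.0/16", baseline_days=21):
    """Return alerts for diode violations and for tuples new after the baseline."""
    protected = ip_network(protected)
    flows = parse_flows(text)
    if not flows:
        return []
    baseline_end = flows[0].ts + timedelta(days=baseline_days)
    known = set()
    alerts = []
    for f in flows:
        reasons = []
        if inbound_to_protected(f, protected):
            reasons.append("inbound_to_protected_segment")
        if f.ts < baseline_end:
            # Learn only clean traffic; a violation must not become "normal".
            if not reasons:
                known.add(f.key)
        elif f.key not in known:
            reasons.append("new_after_baseline")
        if reasons:
            alerts.append(Alert(f.ts.isoformat(), f.src, f.dst, f.dport, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the inbound flow on 2017-02-05 is reported during the learning period and excluded from the baseline, the 445/tcp connection into the OT segment on 2017-02-23 is reported for both reasons, and the first 22/tcp flow after the window is reported as new, while the 443/tcp flow learned earlier is silent. Excluding flagged flows from the baseline is the point a practitioner should not skip: a three-week learning period that quietly absorbs an attacker's traffic will later treat it as regular.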
"Related to our IT/OT convergence, we learned it was part of our cybersecurity journey, which isn't going to end," adds Lightner. "We can secure our network as best we can and keep it up to date, but we're going to have to keep doing analytics on our disparate data sources, including process inputs, phones, radios and video feeds. There are different types of communication, such as operations reporting that pressure is down or residents reporting that they smell gas, but where these sources were previously separate, we're saying they should all be unified, so we can get alerts sooner and respond more quickly. In fact, we're working on reducing our situation identification time from 15 or 20 minutes down to 3 minutes."