Cybersecurity Framework Profile for Liquefied Natural Gas

Liquefied natural gas, or LNG, is natural gas that is supercooled to liquid form and shipped in specialized tankers to terminals and ports throughout the world. From the liquefaction facilities to the marine transportation systems, vessels, and LNG terminals, the production and transport of LNG relies on complex, interconnected, and interdependent IT, OT, and communications networks. A cybersecurity incident involving any aspect of the LNG lifecycle has the potential to affect the safety of the crews, vessels, cargo, and ports.

A risk-based approach to help the LNG industry prioritize their cybersecurity activities

The Cybersecurity Framework Profile for LNG (Profile) provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to the overall LNG process. The Profile is a supplement to current cybersecurity standards, regulations, and industry guidelines that are already being used by the LNG industry. 
Status: Finalized Guidance

This publication was developed for the Liquefied Natural Gas (LNG) industry and the subsidiary functions that support the overarching liquefaction process, transport, and distribution of LNG. The LNG Cybersecurity Framework Profile can be used by entities who are part of the LNG industry to address and mitigate cybersecurity risks associated with LNG processes and systems.

NIST IR 8406 Cybersecurity Framework Profile for Liquefied Natural GasWeb Version NIST IR 8406 Cybersecurity Framework Profile for Liquefied Natural Gas

LNG is natural gas that has been cooled to a liquid state—at about -260° Fahrenheit—for shipping and storage. Liquefying natural gas makes it possible to transport natural gas to places where pipelines cannot reach.

This Profile will help identify opportunities for managing cybersecurity risks in the LNG lifecycle. LNG systems may be vulnerable to cyber-attacks due to intrinsic system risks, which include remotely managed third-party systems and vulnerable onboard technologies (e.g., Programmable Logic Controllers (PLCs), Global Positioning System (GPS), and Automatic Identification System (AIS)). This could lead to overflowing fuel tanks, accidental release of LNG, and other risks that make LNG inaccessible, or cause serious impacts when returned to its gaseous state.

To help jurisdictions across the United States safeguard LNG, the NCCoE together with industry stakeholders developed the Profile around high-level, mission-oriented goals (“Mission Objectives”) of LNG infrastructure. These Mission Objectives do not address every technical aspect of the LNG process since technical components of LNG systems vary widely and cannot be captured in their entirety within a single Profile. However, the Profile will help the LNG sector focus on critical operations that require attention and leave the individual stakeholders to implement specific cybersecurity controls that are best suited for their circumstances.

To help LNG organizations across the United States provide cybersecurity for their systems, the NCCoE working with industry stakeholders developed a CSF Profile to help the LNG Industry manage its cybersecurity based on prioritized mission objectives.