C2M2 Case Study — Lone Star Midstream LLC

🏢

Company Overview

PROFILE ▼

Company Name

Lone Star Midstream LLC

LSML

Legal Status

Privately Held LLC

Texas Limited Liability Company

Founded

1987

Midland, Texas

Headquarters

Midland, TX 79701

1402 W. Texas Ave., Suite 300

Annual Revenue

$94.2 Million

FY 2024 (unaudited)

Total Employees

112 Full-Time

+ 18 Active Contractors

Pipeline Miles

~847 Miles

Gathering & Transmission

Compressor Stations

6 Stations

West TX / SE New Mexico

C2M2 Score Range

MIL 0–1

Baseline assessment (most domains)

Primary Regulation

TSA SD-02C

DOT PHMSA 49 CFR Part 192 · EPA RMP

Primary Contact

Sandra Reyes

VP of Operations

IT Staff

3 FTE

IT Manager + 2 Generalist Technicians

Company Description

Lone Star Midstream LLC (LSML) is a privately held midstream energy company operating approximately 847 miles of natural gas gathering and transmission pipeline across the Permian Basin in West Texas and southeastern New Mexico. Founded in 1987 to serve the growing upstream production base in the Midland and Delaware sub-basins, LSML provides gathering, compression, dehydration, and limited processing services to independent oil and gas producers, transporting natural gas to downstream interstate pipeline interconnects operated by third-party transmission companies. LSML also operates two natural gas liquids (NGL) processing facilities that extract ethane, propane, and natural gas liquids from the raw gas stream before redelivery.

LSML's customer base consists primarily of small to mid-size upstream operators, and the company holds long-term firm capacity agreements with six producers accounting for approximately 80% of throughput. The company is subject to DOT Pipeline and Hazardous Materials Safety Administration (PHMSA) integrity management requirements under 49 CFR Part 192, EPA Risk Management Program (RMP) obligations at its NGL processing facilities, and TSA Pipeline Security Directive SD-02C cybersecurity requirements. LSML has a three-person IT department and zero dedicated cybersecurity staff — cybersecurity responsibilities are informally assigned as a collateral duty to the IT Manager, Marcus Webb.

🏭

Facilities & Physical Infrastructure

8 SITES ▼

Facility	Location	Function	Physical Security	IT / OT Presence
Midland Control Room (HQ)	Midland, TX 79701	SCADA control room, corporate IT, administrative offices, 24/7 operations staff	Card Access CCTV No Mantrap	Domain controller, SCADA master, historian, corporate LAN, HMI workstations
Odessa Compressor Station	Ector County, TX	Natural gas compression (4 × Caterpillar G3616 engines), custody transfer metering	Perimeter Fence Padlock Gate No CCTV	Allen-Bradley ControlLogix PLC, Fisher ROC RTU, local HMI panel, Cisco IW3702 wireless
Pecos River Compressor Station	Reeves County, TX	Mid-line compression, pig launcher/receiver, emergency shutdown system	Perimeter Fence No Lock Alarm No CCTV	Allen-Bradley ControlLogix PLC, Fisher ROC RTU, dial-up modem backup, Hirschmann unmanaged switch
Hobbs Compressor Station	Lea County, NM	Natural gas compression, interconnect with interstate pipeline, gas quality monitoring	Perimeter Fence Card Access (single door)	Allen-Bradley ControlLogix PLC, Fisher ROC RTU, Cisco IW3702 wireless, local historian node
Permian North M&R Station	Andrews County, TX	Gas measurement, pressure regulation, odorization injection, custody transfer	Padlock Only No CCTV Unmanned 24/7	Fisher ROC809 RTU (default credentials), Emerson Daniel flow computer, Hirschmann unmanaged switch
Permian South M&R Station	Midland County, TX	Gas measurement, pressure regulation, custody transfer metering for two producers	Padlock Only No CCTV Unmanned 24/7	Fisher ROC809 RTU (default credentials), Emerson Daniel flow computer, dial-up modem backup
Winkler NGL Processing Facility	Winkler County, TX	NGL extraction, ethane/propane separation, NGL storage, EPA RMP covered process	Card Access CCTV (partial) No Visitor Log Policy	Honeywell Experion PKS DCS, Safety Instrumented System (SIS), corporate network extension via T1 line
Loving County NGL Processing Facility	Loving County, TX	NGL extraction and condensate stabilization, gas sweetening (amine unit)	Perimeter Fence Card Access (main gate only)	Honeywell Experion PKS DCS, Safety Instrumented System (SIS), Cisco IE-4000 industrial switches

👥

Organizational Structure & Staffing

10 KEY ROLES ▼

Critical Gap — No Dedicated Cybersecurity Staff LSML has zero dedicated cybersecurity full-time employees. Cybersecurity responsibilities are assigned as a collateral duty to IT Manager Marcus Webb, who estimates he spends less than 10% of his time on security-related tasks. There is no CISO, no security analyst, and no formal security operations function. TSA SD-02C requires designation of a Cybersecurity Coordinator — LSML has designated Webb in this role, but he has not received formal cybersecurity training or certification.

Role	Name	Department	Cybersecurity Responsibility	System Access Level
VP of Operations	Sandra Reyes	Executive	TSA Cybersecurity Coordinator (backup); incident escalation approval	Executive — Read-Only SCADA
IT Manager (Cybersecurity Coordinator)	Marcus Webb	Information Technology	Primary TSA Cybersecurity Coordinator; all IT/OT security decisions; patch management; vendor access	Domain Admin + SCADA Admin
IT Technician I	Javier Morales	Information Technology	Workstation support; basic network troubleshooting; backup monitoring	Helpdesk Admin
IT Technician II	Amber Liu	Information Technology	Server patching support; Office 365 administration; user account provisioning	Server Local Admin
Field Operations Supervisor	Dale Hutchins	Operations	Approves field technician access to OT panels; reports equipment anomalies	OT Local Panel Access
Control Room Operator (Lead)	Rosa Trevino	Operations	Monitors SCADA; reports abnormal readings; executes shutdown procedures	SCADA Operator (Read/Control)
Control Room Operator	Kevin Park	Operations	SCADA monitoring; shift reports; alarm response	SCADA Operator (Read/Control)
Control Room Operator	Tanya Osei	Operations	SCADA monitoring; shift reports; alarm response	SCADA Operator (Read/Control)
Control Room Operator	Bill Ferris	Operations	SCADA monitoring; shift reports; alarm response	SCADA Operator (Read/Control)
SCADA Engineer (Contractor)	Emerson Field Services	Contractor — Emerson Automation Solutions	SCADA application maintenance; configuration changes; software updates; remote troubleshooting	Remote VPN — SCADA Full Admin

💻

IT Asset Inventory

SERVERS & WORKSTATIONS ▼

Server Inventory

Asset ID	Description	Hardware	Operating System	Location	Key Gaps / Notes
SRV-001	Primary Domain Controller	Dell PowerEdge R640	Windows Server 2019 Standard	Midland HQ Server Room	Patched Current No Privileged Access Workstation
SRV-002	SCADA Application Server (Emerson Ovation)	HP ProLiant DL380 G10	Windows Server 2016 Standard	Midland HQ Server Room	CRITICAL: No MFA on SCADA HMI Domain-joined OT server
SRV-003	Process Data Historian (OSIsoft PI)	Dell PowerEdge R430	Windows Server 2012 R2 — EOL	Midland HQ Server Room	EOL OS — No Security Patches Since 2023 IT/OT Bridge Risk
SRV-004	Corporate File & Print Server	Dell PowerEdge R340	Windows Server 2019 Standard	Midland HQ Server Room	Patched Current No DLP Controls
SRV-005	Azure AD Connect / Office 365 Proxy	Virtual (VMware ESXi 7.0)	Windows Server 2019 Standard	Midland HQ Server Room (VM)	MFA enabled for O365 only — not internal AD
SRV-006	ERP Server (SAP Business One — Accounting & HR)	Dell PowerEdge R540	Windows Server 2019 Standard	Midland HQ Server Room	SAP B1 v10.0 — Vendor remote access quarterly
SRV-007	Engineering Workstation Server (AutoCAD, GIS)	Virtual (VMware ESXi 7.0)	Windows Server 2016 Standard	Midland HQ Server Room (VM)	GIS pipeline mapping data — no data classification

Workstation Inventory

Asset ID	Description	Hardware	OS	Location	Key Gaps / Notes
WS-001 through WS-004	Control Room HMI Workstations (4 units)	Dell OptiPlex 7090 (hardened)	Windows 10 LTSC 2021	Midland Control Room	No MFA Shared Operator Credentials on 2 units
WS-005	SCADA / OT Engineering Workstation	Dell Precision 3650	Windows 10 Pro	Midland HQ — IT Office	Dual-homed: IT LAN + SCADA network USB ports unrestricted
WS-006	IT Admin Workstation	Dell Precision 3450	Windows 10 Pro	Midland HQ — IT Office	Local admin only No PAM tool — direct RDP to servers

⚙️

OT / ICS / SCADA Asset Inventory

PIPELINE & PROCESS CONTROL ▼

Critical Finding — Default Credentials on Field RTUs Five (5) of fourteen Fisher ROC809 remote terminal units deployed at unmanned M&R stations and remote valve sites are still configured with factory-default usernames and passwords. Additionally, three of these units retain a legacy dial-up modem connection originally installed in 2003 as a backup communication path. These modems have never been disabled and are not monitored. An attacker with knowledge of the dial-up number and default credentials could issue control commands to these RTUs without traversing the corporate network.

Asset ID	Description	Vendor / Model	Firmware / Version	Location	Security Notes
OT-001	SCADA Master Station	Emerson Ovation v3.4	Ovation 3.4.1 (2021)	Midland Control Room	Patch 3.4.2 available — not yet applied No application whitelisting
OT-002 through OT-007	Compressor Station PLCs (6 units — one per station)	Allen-Bradley ControlLogix L71	Firmware 32.011 (2020)	Odessa, Pecos River, Hobbs, three gathering stations	Firmware 33.013 available — update requires outage window No keyswitch locks on two units
OT-008 through OT-021	Remote Terminal Units — M&R Stations & Valve Sites (14 units)	Fisher ROC809	Firmware 1.86 (varies)	Remote M&R and valve sites across pipeline	5 units: Factory-default credentials 3 units: Active dial-up modem backup No firmware change log
OT-022 through OT-025	Custody Transfer Flow Computers (4 units)	Emerson Daniel Senior Sonic	Daniel MeterLink v3.9	Odessa, Hobbs, Winkler, Loving County	Audit log enabled — logs not reviewed regularly
OT-026 through OT-027	Distributed Control System — NGL Facilities (2 units)	Honeywell Experion PKS R511	R511.2 (2022)	Winkler NGL Facility, Loving County NGL Facility	SIS on separate network — no formal change control IT staff have DCS read access with corporate credentials
OT-028 through OT-035	Industrial Ethernet Switches — Managed (8 units)	Cisco IE-4000-8GT8GP4G	IOS 15.2(7)E4	Compressor stations and NGL facilities	SNMP v2c enabled — community string "public" No port security or 802.1X
OT-036 through OT-046	Industrial Ethernet Switches — Unmanaged (11 units)	Hirschmann RS20-0400M2M2-0A	N/A (unmanaged)	Remote gathering sites and M&R stations	Unmanaged — no visibility, no logging Cannot enforce VLANs or port security

🌐

Network Architecture

IT / OT TOPOLOGY ▼

╔══════════════════════════════════════════════════════════════════════════════════════════╗ ║ LONE STAR MIDSTREAM LLC — NETWORK TOPOLOGY (SIMPLIFIED) ║ ╚══════════════════════════════════════════════════════════════════════════════════════════╝ ┌─────────────────────────────────────────────────────────┐ │ INTERNET / CLOUD SERVICES │ │ Office 365 (M365 E3) · Azure AD Connect · SAP B1 │ └───────────────────────────┬─────────────────────────────┘ │ Internet Circuit (AT&T Fiber 200Mbps) ▼ ┌─────────────────────────────────────────────────────────┐ │ CORPORATE PERIMETER FIREWALL │ │ Cisco ASA 5545-X (IOS-XE 9.18.2) │ │ ✓ Stateful packet inspection ✓ IPS module (limited) │ └───────────────────────────┬─────────────────────────────┘ │ Corporate LAN (VLAN 10 — 192.168.10.0/24) ▼ ┌─────────────────────────────────────────────────────────┐ │ CORPORATE IT NETWORK │ │ SRV-001 Domain Controller · SRV-004 File/Print │ │ SRV-005 Azure AD Connect · SRV-006 SAP ERP │ │ SRV-007 Engineering Workstation Server │ │ Cisco Catalyst 3850 Core Switch │ └──────────────┬──────────────────────────┬───────────────┘ │ VLAN 20 (192.168.20.0/24)│ VLAN 30 (Mgmt) ▼ │ ┌──────────────────────────┐ │ │ SCADA / OT NETWORK │◄─────────────┘ │ (Partial Segmentation) │ ⚠ IT/OT boundary NOT enforced │ SRV-002 Ovation SCADA │ at remote compressor stations │ SRV-003 PI Historian │ (no firewall at Pecos River, │ WS-001 to WS-004 HMIs │ Odessa, or M&R sites) │ WS-005 OT Eng. WS │ └──────┬───────────────────┘ │ MPLS / T1 Leased Lines to Field Sites (Lumen / AT&T) │ + Cisco IW3702 Industrial Wireless (AES-128, WPA2) ▼ ┌─────────────────────────────────────────────────────────┐ │ FIELD SITE OT NETWORKS │ │ │ │ [Odessa CS] AB ControlLogix PLC · Fisher ROC RTU │ │ Cisco IW3702 Wireless · Local HMI │ │ │ │ [Pecos River] AB ControlLogix PLC · Fisher ROC RTU │ │ Dial-Up Modem (active, unmonitored) │ │ Hirschmann Unmanaged Switch │ │ │ │ [Hobbs NM CS] AB ControlLogix PLC · Fisher ROC RTU │ │ Cisco IW3702 Wireless · Local Historian│ │ │ │ [M&R Stations] Fisher ROC809 RTUs (14 units) │ │ 5 units: Default credentials │ │ Emerson Daniel Flow Computers │ │ Hirschmann Unmanaged Switches │ │ │ │ [NGL Facilities] Honeywell Experion DCS · SIS │ │ Cisco IE-4000 Managed Switches │ └─────────────────────────────────────────────────────────┘ REMOTE VENDOR ACCESS: ───────────────────────────────────────────────────────── Emerson Field Services → Cisco AnyConnect VPN → SRV-002 (SCADA Admin) Permian Basin Managed IT → Cisco AnyConnect VPN → SRV-001 (Domain Admin) SAP B1 Partner → Cisco AnyConnect VPN → SRV-006 (ERP Admin) ⚠ No MFA on VPN · No session recording · No access review policy

IT/OT Segmentation Gap IT/OT network segmentation is only partially implemented. VLAN separation exists between corporate IT (VLAN 10) and the SCADA network (VLAN 20) at the Midland HQ, enforced by the Cisco ASA firewall. However, no equivalent network boundary exists at the three remote compressor stations (Odessa, Pecos River, Hobbs) or at any of the 14 M&R/valve sites, where OT devices share a flat network with IT management traffic routed over leased T1 lines.

Dual-Homed Engineering Workstation (WS-005) The OT engineering workstation (WS-005) is configured with two active network interfaces — one connected to the corporate IT LAN (VLAN 10) and one directly connected to the SCADA network. This creates a direct bridge between the two network segments that bypasses the Cisco ASA firewall, effectively nullifying the IT/OT segmentation control at the HQ site.

🔒

Cybersecurity Controls Assessment

12 CONTROL DOMAINS ▼

Domain	Current Control / Status	Implementation	Key Gap / Finding
Access Management	Active Directory with role-based groups; VPN for remote access; no PAM tool	Partial	No MFA on SCADA HMIs or VPN; shared operator credentials on two HMIs; no privileged access review process
Threat & Vulnerability Management	Qualys vulnerability scanner deployed on IT network; no OT scanning; informal patch process	Partial	OT assets (PLCs, RTUs, DCS) not included in vulnerability management program; EOL historian (SRV-003) not patched since Jan 2023
Situation Awareness	Windows Event Logs collected; no SIEM; Cisco ASA logs to local storage only; no OT monitoring	Missing	No centralized log management or SIEM; OT network has no intrusion detection or anomaly detection capability; log retention is less than 30 days on most systems
Incident Response	Draft Incident Response Plan (IRP) exists; never tested; no OT-specific runbooks; TSA reporting process identified	Partial	IRP is IT-focused only; no OT incident scenarios; TSA SD-02C requires 24-hour reporting of cybersecurity incidents — LSML has not exercised this capability; no tabletop exercises conducted
Service Continuity	Tape backups for servers; no tested recovery; BCP does not cover cyber scenarios; manual pipeline operations documented for safety shutdown only	Missing	No cyber-specific BCP/DR plan; SCADA historian backups not tested for restoration; no defined RTO/RPO for critical OT systems; SCADA backup server not maintained
Risk Management	PHMSA integrity risk assessment performed for pipeline physical integrity; no formal cyber risk assessment exists	Missing	No documented cybersecurity risk register; no cyber-physical risk analysis; TSA SD-02C requires a Cybersecurity Implementation Plan (CIP) — LSML's CIP filed in 2023 is partially implemented
Asset Management	IT asset inventory maintained in spreadsheet; OT asset inventory partially documented; no automated discovery	Partial	OT asset inventory is incomplete — RTU firmware versions inconsistently tracked; no configuration baseline for PLCs or flow computers; no software license management for OT
Identity Management	Active Directory for IT users; OT identities managed locally on SCADA server; no identity lifecycle management process	Partial	Three former employee accounts still active in AD (departed within last 12 months); no formal user access review; SCADA accounts not synchronized with HR termination process
Supply Chain & Third-Party Risk	Vendor contracts reference general security requirements; MSP has domain admin access; no vendor risk program	Missing	No third-party cybersecurity risk assessment program; Emerson remote access not monitored with session recording; no annual vendor review; MSP contract does not specify security requirements
Workforce Management	Annual safety training required; cybersecurity training not formalized; background checks for new hires; no security awareness program	Partial	No cybersecurity awareness training program; social engineering/phishing simulations never conducted; control room operators have not received ICS-specific security training; TSA Cybersecurity Coordinator (Webb) has no formal security certification
Physical Security	HQ has card access and partial CCTV; remote compressor stations have perimeter fencing; M&R stations are padlock-only	Partial	Fourteen M&R and valve sites have only padlock security with no CCTV, no intrusion alarm, and no visitor log; no formal policy for escorting vendor personnel to OT equipment rooms
Configuration Management	IT change management policy exists (informal); no OT change management; PLC/RTU configurations not baselined	Missing	No formal OT change management process; firmware updates on PLCs and RTUs performed on an ad-hoc basis; no configuration backup or version control for OT devices; no integrity monitoring for OT configurations

🤝

Third-Party Relationships & Vendor Access

7 VENDORS ▼

Vendor Access Monitoring Gap Remote vendor access to LSML systems is authenticated via Cisco AnyConnect VPN using shared credentials (no MFA). Active sessions are not recorded or monitored. No vendor access review has been performed in the past 18 months. Three vendors — Emerson, Permian Basin Managed IT, and the SAP partner — hold administrative-level access to critical systems and are not subject to any formal vetting, access limitation, or periodic review process.

Vendor	Service Provided	Access Level	Risk Rating	Notes / Gaps
Emerson Automation Solutions	Ovation SCADA application support, configuration changes, software updates	Remote VPN — SCADA Full Admin	HIGH	No MFA; sessions not recorded; access not time-limited; shared credential used by multiple Emerson engineers
Permian Basin Managed IT (PBMIT)	IT managed services — helpdesk, server monitoring, patch management support	Remote VPN — Domain Admin (AD)	HIGH	MSP holds full domain admin; contract does not specify security requirements; last security review of MSP: never; MSP accesses SCADA application server (SRV-002) indirectly via domain admin
Allen-Bradley / Rockwell Automation	PLC firmware updates, Studio 5000 configuration support	Onsite + USB Media	MEDIUM	Firmware updates delivered via USB thumb drives without hash verification; no malware scan on removable media before OT use
SAP Business One Partner (TexasBiz ERP LLC)	SAP B1 ERP support, quarterly updates and customizations	Remote VPN — SRV-006 Admin (quarterly)	MEDIUM	Remote access quarterly; no MFA; session not recorded; vendor personnel turnover not communicated to LSML; same credentials since 2021
Halliburton (Field Inspection Contractor)	Pipeline integrity inspections, in-line inspection tool runs, hydrostatic testing	Physical Site Access (escorted)	LOW	Physical access only; no IT/OT system access; badge access issued for duration of project; escorted at all sites
AT&T / Lumen Technologies	MPLS network, T1 leased lines to field sites, internet connectivity	Physical Infrastructure — Carrier Access	MEDIUM	LSML does not encrypt traffic on internal T1/MPLS circuits; telecom provider access to network infrastructure not reviewed; no redundant carrier for critical pipeline sites
PHMSA / TSA Inspector Access	Regulatory compliance audits — pipeline integrity and cybersecurity inspections	Read-Only Historian Data Access (on-site)	REGULATORY	Inspectors granted temporary read-only access to OSIsoft PI historian during audits; no formal process for provisioning and deprovisioning temporary regulatory access accounts

📋

Policies & Governance

POLICY INVENTORY ▼

Critical Gap — No Cyber Incident Has Ever Been Declared LSML has never formally declared a cybersecurity incident in its operational history. The draft Incident Response Plan has never been exercised, and no tabletop exercises have been conducted. The IRP contains no OT-specific runbooks, no contact list for TSA incident reporting, and no guidance on distinguishing a cyber event from a process safety emergency. Control room operators are not trained on cyber incident indicators and do not know the IRP exists.

Policy & Procedure Inventory

In Place — 2023 Acceptable Use Policy (AUP) — Covers IT systems and internet use; employees sign annually; does not address OT systems or mobile devices
Draft — Never Exercised Incident Response Plan (IRP) — Draft document created 2022; IT-focused only; no OT runbooks; no tabletop exercise history; TSA 24-hour reporting obligation not addressed in procedure
Informal — Not Enforced for OT Change Management Procedure — IT change tickets tracked in ServiceNow; OT changes performed verbally by field technicians without documentation; no change advisory board
Does Not Exist Patch Management Policy for OT Systems — No formal policy; OT patches applied ad-hoc when vendor recommends; no risk-based patching schedule; no compensating controls for unpatched OT systems
IT Only — OT Not Addressed Access Control Policy — IT user provisioning and deprovisioning process documented; OT account management not addressed; no periodic access certification; former employee accounts not consistently removed
Does Not Cover Cyber Business Continuity Plan (BCP) — Physical BCP exists for natural disaster and equipment failure; does not address cyber-induced operational disruption; no defined RTO/RPO for IT or OT systems; no cyber BCP testing
Does Not Exist Third-Party / Vendor Access Policy — No documented policy for vendor remote access; no requirements for vendor MFA, session recording, access scope limitation, or periodic review
Filed 2023 — Partially Implemented TSA Cybersecurity Implementation Plan (CIP) — Required by TSA SD-02C; submitted to TSA in October 2023; several required controls not yet implemented including MFA, network segmentation at remote sites, and OT monitoring capability
Does Not Exist Removable Media Policy — No policy restricting use of USB drives or external media on OT systems; WS-005 USB ports unrestricted; Rockwell firmware delivered on unverified USB media
Does Not Exist Cybersecurity Awareness Training Program — No annual cybersecurity training; no phishing simulation history; no ICS/OT security awareness content; TSA Cybersecurity Coordinator has no formal certification

📊

C2M2 Domain Assessment — Indicative Scores

10 DOMAINS ▼

Assessment Scope Note The following indicative C2M2 v2.1 maturity scores are based on the asset inventory, controls assessment, and policy review documented in this case study. Students should validate these scores by mapping individual C2M2 practices to the evidence presented, identifying where the organization's actual practices fall short of the documented MIL threshold. Scores represent LSML's estimated current baseline — not a target or aspirational state.

🗂️ ASSET — Asset, Change & Configuration Management

LSML maintains a partial IT asset inventory in spreadsheets and has begun tracking OT assets, earning the highest relative score. However, OT configuration baselines and change management for field devices are absent.

IT asset inventory exists but is manually maintained and incomplete for OT
No configuration baseline for PLCs, RTUs, or DCS systems
No formal OT change management process
Top Practice: ASSET-2a — Establish and maintain a documented OT asset inventory with configuration baselines

Current MIL: 2 (IT Assets) / MIL 1 (OT Assets)

🎯 THREAT — Threat and Vulnerability Management

Qualys scanner deployed on IT network provides some vulnerability visibility, but OT assets are entirely excluded. No threat intelligence program exists and no OT-specific vulnerability sources are monitored.

OT assets not scanned — PLCs, RTUs, and DCS excluded from vulnerability program
EOL historian (SRV-003) unpatched for 24+ months
No ICS-CERT or DHS CISA alert monitoring process
Top Practice: THREAT-1a — Establish vulnerability management that includes OT/ICS assets

Current MIL: 1

⚖️ RISK — Risk Management

No formal cyber risk assessment or risk register exists. Physical pipeline integrity risk is well-managed under PHMSA requirements, but cybersecurity risk is not systematically identified, evaluated, or documented.

No documented cybersecurity risk register
TSA CIP submitted but risk-based prioritization not performed
No cyber-physical risk analysis for pipeline OT scenarios
Top Practice: RISK-1a — Establish and maintain a cybersecurity risk register aligned to OT/pipeline operations

Current MIL: 1

🔑 ACCESS — Identity and Access Management

Active Directory provides basic IT identity management. SCADA HMI and VPN access lack MFA, and OT identities are locally managed outside AD. Former employee accounts have not been fully deprovisioned.

No MFA on SCADA HMIs or VPN — highest priority remediation
Shared operator credentials on two HMI workstations
Three former employee AD accounts still active
Top Practice: ACCESS-2b — Implement MFA for all remote access and OT HMI authentication

Current MIL: 1

👁️ SITUATION — Situational Awareness

No SIEM, no OT network monitoring, and no centralized log management. Windows event logs are collected locally but not aggregated or analyzed. OT network activity is completely invisible from a cybersecurity perspective.

No SIEM or centralized log aggregation
OT network has zero intrusion detection or anomaly monitoring
Log retention less than 30 days on most systems
Top Practice: SITUATION-1a — Establish log collection and centralized monitoring for IT and OT systems

Current MIL: 0

🚨 RESPONSE — Event and Incident Response, Continuity

A draft IRP exists but has never been tested and contains no OT-specific content. No tabletop exercises have been conducted. TSA SD-02C 24-hour incident reporting requirements are not proceduralized. Service continuity plans do not address cyber scenarios.

IRP never exercised — no tabletop or functional exercise history
No OT incident runbooks or cyber-safety decision trees
TSA 24-hour reporting not proceduralized
Top Practice: RESPONSE-1b — Develop and exercise OT-specific incident response procedures including TSA reporting

Current MIL: 1

🏢 THIRD-PARTIES — Third-Party Risk Management

No third-party risk management program exists. Critical vendors (Emerson, MSP) hold administrative access without MFA, session recording, access time limits, or annual review. No vendor security requirements in contracts.

No vendor cybersecurity risk assessment program
Emerson remote SCADA access: no MFA, no recording, shared credential
MSP holds domain admin — no security requirements in contract
Top Practice: THIRD-1a — Establish a vendor access management policy with MFA and session monitoring requirements

Current MIL: 0

👷 WORKFORCE — Workforce Management

Background checks are performed for new hires and annual safety training is mandatory, but no cybersecurity awareness training program exists. Control room operators have not received ICS security training. The TSA Cybersecurity Coordinator has no security certification.

No cybersecurity awareness training — no phishing simulations
Control room operators untrained on cyber incident indicators
TSA Cybersecurity Coordinator lacks formal security training
Top Practice: WORKFORCE-1a — Implement role-based cybersecurity awareness training including OT/ICS-specific content

Current MIL: 1

🏗️ ARCHITECTURE — Cybersecurity Architecture

A partial IT/OT segmentation boundary exists at HQ but is bypassed by WS-005 (dual-homed engineering workstation). Remote sites have no network boundary. Unmanaged switches at field sites create blind spots. SNMP community string "public" is widely deployed.

IT/OT boundary at HQ bypassed by dual-homed workstation (WS-005)
No IT/OT segmentation at remote compressor or M&R sites
11 unmanaged switches — no visibility, VLAN capability, or port security
Top Practice: ARCHITECTURE-2a — Implement and enforce IT/OT network segmentation at all pipeline sites

Current MIL: 1

🗓️ PROGRAM — Cybersecurity Program Management

No formal cybersecurity program exists. The TSA CIP was filed to meet regulatory requirements but lacks executive sponsorship, budget allocation, or a structured roadmap. Cybersecurity is treated as an IT function rather than an enterprise risk management priority.

No cybersecurity budget line item — funded ad-hoc from IT budget
No executive cybersecurity governance (no CISO, no security committee)
TSA CIP filed but not operationalized as a program
Top Practice: PROGRAM-1a — Establish executive-sponsored cybersecurity program with dedicated budget and governance structure

Current MIL: 0

🎓

Exercise Discussion Questions & Scenario Injects

5 SCENARIOS ▼

Scenario A — Spear-Phishing Targeting a Control Room Operator A control room operator (Rosa Trevino) receives a convincing spear-phishing email appearing to come from Emerson Automation Solutions, asking her to click a link to "review and approve a scheduled SCADA maintenance window." The link installs credential-harvesting malware on her HMI workstation (WS-001). The malware attempts to move laterally to SRV-002 (SCADA application server) using her cached Windows credentials.

Discussion: Walk through LSML's detection and response capability at each stage of this attack chain. What logging, monitoring, or alerting would catch this? What does the draft IRP require Rosa to do? How does the absence of MFA affect the blast radius? What C2M2 practices, if implemented, would have disrupted this attack?

Scenario B — Unauthorized Firmware Change Discovered on a Field RTU During a routine site visit, a field technician at the Pecos River Compressor Station notices that the Fisher ROC RTU (OT-009) is running firmware version 1.87, but LSML's informal asset spreadsheet shows version 1.86. The technician is unsure whether this was an authorized Emerson update or an unauthorized change. He calls Marcus Webb, who has no change log or configuration baseline to compare against.

Discussion: What does LSML's change management process require in this situation — and what's missing? How would LSML determine whether this was an authorized vendor update or a compromise indicator? Which C2M2 domains are most directly implicated by this gap? What is the TSA SD-02C reporting obligation, if any?

Scenario C — TSA Pipeline Security Compliance Audit (SD-02C) TSA security inspectors arrive at Midland HQ for a scheduled SD-02C compliance audit. They request documentation of: (1) the Cybersecurity Implementation Plan, (2) network architecture diagrams showing IT/OT separation, (3) evidence of MFA deployment on OT systems and remote access, (4) incident reporting procedures and exercise records, and (5) the most recent vulnerability assessment of OT systems.

Discussion: For each of the five documentation requests, assess LSML's ability to provide adequate evidence. Which items are likely to generate audit findings? What is the potential penalty exposure for non-compliance? Prioritize a 90-day remediation roadmap based on the most likely TSA findings.

Scenario D — Compressor Station PLC Stops Responding At 2:15 AM, the SCADA master station (OT-001) loses communications with the Allen-Bradley ControlLogix PLC at the Odessa Compressor Station (OT-002). The compressor automatically trips to safe state per its Emergency Shutdown System (ESD) logic. The on-call control room operator (Bill Ferris) receives the SCADA alarm. He cannot determine whether the communication loss is due to a network equipment failure, a PLC hardware fault, or a cybersecurity incident.

Discussion: How does LSML's current incident response capability support Bill's decision-making at 2:15 AM? What is the process for distinguishing a cyber event from a process safety or equipment failure? Who gets called and when? What are the TSA SD-02C implications if this turns out to be cyber-related? What OT monitoring capability would have provided earlier warning?

Scenario E — Ransomware Encrypts the SCADA Historian A ransomware variant encrypts SRV-003 (OSIsoft PI Historian, Windows Server 2012 R2 — EOL) and begins attempting to propagate to SRV-002 (SCADA application server). The historian becomes unavailable. SCADA real-time data continues to flow, but all historical process data is inaccessible and LSML cannot generate production reports, custody transfer accounting records, or PHMSA-required integrity management data.

Discussion: Does LSML's BCP/DR plan cover this scenario? How long can LSML operate without historian data before regulatory and commercial obligations are affected? What is the recovery path — does LSML have tested backups of the PI historian? What is the containment strategy to prevent the ransomware from reaching SRV-002 (live SCADA)? Map this incident to the C2M2 RESPONSE domain practices and identify which are absent.