Boardwalk Pipeline Partners, LP - (BWP)

10-K Filing Date: February 06, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Our business is dependent upon our computer systems, devices and networks (operational and information technology) to collect, process and store the data necessary to conduct almost all aspects of our business, including the operation of our pipeline and storage facilities and the recording and reporting of commercial and financial information. We maintain a cybersecurity program, which includes people, processes, and technology aimed at defending our computer systems, devices and networks (operational and information technology) against increasingly sophisticated threats.

We recognize the importance of protecting both our information and operational control systems from threats that could disrupt our business, put our assets at risk or compromise our customer and employee data. The effective protection of our assets and technology infrastructure is crucial to the reliability of our operations, our ability to serve our customers, the nation's energy needs and the security of our data. We developed a comprehensive strategy designed to address both physical and cybersecurity threats. Additionally, as further described in Item 1. Business—Government Regulation—Transportation Safety Administration, TSA has issued a series of security directives that all pipeline owners and operators must include in their cybersecurity planning, testing and in their reporting of any incidents.

Our cybersecurity program is encapsulated in our Cybersecurity Implementation Plan, Cybersecurity Incident Response Plan and Cybersecurity Assessment Plan (CAP). Our cybersecurity program is implemented and maintained using information security tools, policies and a dedicated team responsible for monitoring our networks, providing training to our employees, analyzing the evolution of new threats and strategies for mitigating such threats and seeking to continually harden our cybersecurity posture. The program is periodically exercised, reviewed, updated, and vetted through third-party audits, assessments, and tests with the goal of validating its effectiveness in reducing risk, as well as evaluating its compliance with legal and regulatory requirements. We assess, identify and manage our material risks from cybersecurity threats by employing the following:

a. Identification of critical systems – we seek to identify which operational or information technology, if compromised or exploited, would result in operational disruption or data compromise. We aim to protect the entire environment at an enterprise level where practical, combined with additional layered, risk-based controls designed to safeguard against cybersecurity threats. This strategic, defense-in-depth, and risk-based approach to cybersecurity provides a methodology designed to identify, protect, detect, respond, and recover from cybersecurity incidents.
b. Network segmentation – we use a combination of firewalls and routers to provide network segmentation seeking to provide us with network zone protection.
c. Access controls – we leverage several security capabilities to attempt to enforce access, authorization and authentication to relevant systems, technology, and controls. A least-privilege methodology is applied for localized client workstations, servers, and applications. Security capabilities for access control include physical, administrative, and technical controls that combine to provide a defense-in-depth approach designed to protect our cyber assets from unauthorized use.
d. Continuous monitoring, detection, and auditing – we employ various technologies, tactics, and procedures aimed to continuously monitor, baseline, and detect threats, and audit our network and systems. In addition, we use a combination of technology tools with outside managed security service providers designed to capture, analyze and respond to security anomalies.
e. Patch management – we use a network vulnerability scanning tool that continually scans and reports identified vulnerabilities in servers and workstations in certain networks. Vulnerability scanner reports are used to drive patching and remediation efforts and are also used as a tool to evaluate the effectiveness of efforts to seek to ensure patches are applied timely. Application and infrastructure subject matter experts subscribe to various third-party vendor security notifications to receive proactive notifications on, among other things, bugs, security flaws and mitigations, related to operational and information systems.

The above cybersecurity risk management processes are integrated into our overall risk management program. Cybersecurity threats are understood to be wide reaching and to intersect with various other enterprise risks. In addition to assessing our own cybersecurity preparedness, we also consider cybersecurity risks associated with our use of third-party service providers based on the potential impact of a disruption of the services to our operations and the sensitivity of data shared with the service providers.

We regularly engage independent third parties to periodically assess our cybersecurity posture. These assessments include penetration tests, purple team activities, health checks and point-specific technical cybersecurity assessments of key systems. Some of these assessments are performed with internal audit oversight. Certain of these processes are part of our CAP and are required to be tested in regular intervals with the test results required to be reported to TSA on a regular basis. We interface with industry peers, participate in information sharing and analysis centers and partner with federal, state, and local law enforcement and regulatory agencies with the goal of forming a cybersecurity threat feedback loop and periodically sharing threat and mitigation information, techniques, tactics and procedures.

Impact of Risks from Cybersecurity Threats

As of the date of this Report, we are not aware of any previous cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.

Governance

Our board of directors oversees the execution of our cybersecurity strategy and the assessment of cybersecurity risks, along with the actions that we take seeking to mitigate and address those cybersecurity risks. Our Chief Information Security Officer (CISO) oversees our cybersecurity activities and leads our team of cybersecurity professionals responsible for our cybersecurity program and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents as part of our cybersecurity programs. Our CISO and other cybersecurity professionals provide updates regarding cybersecurity risks to our executive team and board of directors at least quarterly, with more frequent updates regarding cybersecurity-related situations, such as intelligence pointing to increased adversary activity, as appropriate. Our Chief Information Officer and CISO also attend weekly executive leadership meetings to give updates on any immediate cybersecurity threats, risks and regulatory changes as well as any improvements or impediments to our cybersecurity posture. Our CISO has over thirty years of experience involving technology in the energy sector, with a focus over the last twenty years on helping companies, including us, improve their technology infrastructure and cybersecurity programs.