A U.S.-based liquefied natural gas operator engaged Armexa to conduct a Cybersecurity Vulnerability Assessment (CVA) across its process control and safety instrumented systems to satisfy the mandatory requirements of NFPA 59A (2023) Section 11.7.2. Armexa executed a structured multi-phase assessment across its facilities, delivering a validated OT asset inventory, CVSS-scored vulnerability register, and a prioritized remediation roadmap aligned to NFPA 59A and ISA/IEC 62443.
Challenges
Meeting a mandatory regulatory requirement with no prior formal CVA on record
NFPA 59A (2023) Section 11.7.2 mandates periodic Cybersecurity Vulnerability Assessments of process control and safety instrumented systems at LNG facilities. The operator had not previously undergone a formal, structured CVA, leaving its OT cybersecurity posture undocumented and unvalidated against the applicable standard. Key challenges included:
- No prior CVA established to satisfy the NFPA 59A periodic assessment requirement
- OT asset inventories were unvalidated and relationships between firewalls, switches, servers, and workstations not confirmed
- Firewall, switch, and endpoint configurations not systematically reviewed for security weaknesses
- Physical and cyber-physical vulnerabilities not assessed through on-site inspection
- No structured remediation roadmap tied to risk ranking or compliance alignment
Our Solution
A five-phase CVA executed across multiple facilities over six to eight weeks
Armexa designed and delivered a structured CVA scoped to the operator’s process control and safety instrumented systems, aligning stakeholders, combining documentation review, technical analysis, and on-site validation across all the client’s facilities.
- Documentation Review: We began by collected system documentation and architecture data to frame the assessment.
- Data Analysis: Reviewed firewall, switch, router, server, and workstation configurations; analyzed packet captures (PCAPs) and vulnerability scan results to identify weaknesses.
- Site Walkdowns: Conducted on-site inspections at all site to validate asset inventories and assess physical and cyber-physical vulnerabilities not visible from documentation alone.
- Reporting: Produced a vulnerability register with CVSS scoring, updated architectural diagrams, and prioritized recommendations structured for operational implementation.
- Closeout: Delivered the final report and facilitated stakeholder alignment on next steps and risk mitigation strategies.
Outcomes & Impact
A defensible compliance baseline and a clear path to improved OT security posture
The assessment delivered measurable improvements to the operator’s OT cybersecurity posture and established the documented foundation required under NFPA 59A:
- Validated OT Asset Inventory: Confirmed assets and interrelationships across firewalls, switches, servers, and workstations. providing the operator a trusted, defensible record of its OT environment for the first time.
- Prioritized Remediation Roadmap: Risk-ranked action plan covering firewall hardening, access control list (ACL) enforcement, firmware upgrades, and authentication improvements, sequenced for operational feasibility.
- Compliance Alignment: Roadmap structured to advance OT cybersecurity program maturity toward NFPA 59A (2023) and ISA/IEC 62443, supporting both regulatory defensibility and insurer expectations.
