In the year since Russian hackers forced the shutdown of a major liquid fuels pipeline, U.S. gas utilities and pipeline operators have become more focused on building defenses against cyber threats, but compliance with federal security mandates has proven a nettlesome distraction.
Weeks ahead of Russia’s invasion of Ukraine in February, cybersecurity expert Cisco Talos Intelligence Group already was warning of cyber operations by malicious actors in the U.S. and elsewhere aimed at eroding support for Ukraine. Attacks, Talos predicted, likely would target critical infrastructure with a goal of creating disruptions that were serious but relatively easy to recover from.
It sounded like déjà vu all over again. Russian hackers behind the Colonial Pipeline ransomware attack in May 2021 targeted the operator’s enterprise systems while leaving operational systems intact, yet forced Colonial to shut down a major network delivering gasoline, jet fuel and diesel to the East Coast and pay a $4 million ransom in cryptocurrency.
Nearly a year later, are U.S. oil and natural gas operators better equipped to defend themselves against such attacks from a variety of state-sponsored and independent cyber criminals? Perhaps, though some industry advocates are concerned many operators have had to redirect their focus to meeting new federal security mandates rather than actually strengthening cyber defenses.
Colonial certainly got the attention of gas industry executives and helped to reprioritize cybersecurity for some. Soon after the May incident, the Transportation Security Administration (TSA) issued two security directives intended to fortify about 100 TSA-designated critical pipeline systems against ransomware, malware and other threats.
Both directives list several requirements. The first directive asked operators of these systems to designate a cybersecurity coordinator to serve as a point of contact for TSA and report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The second, more nettlesome directive requires operators to take specific mitigation measures to protect against cyber threats and develop and implement contingency and recovery plans.
“Have we become more secure? I’m not going to say we haven’t,” said Kimberly Denbow, Managing Director of Security and Operations for the American Gas Association (AGA), which represents more than 200 energy companies. “I’ll say yes, in a nutshell we’ve become more secure, but at the same time we’re distracted by compliance.”
On a recent call with TSA administrator David Pekoske, Denbow said, one natural gas CEO told the regulator how the mandates had forced his company to “add so much more cyber staff, not because they had a poor cyber program by any means, but so they could come into compliance by checking the boxes that need to be checked.”
Bolstering threat alert capabilities
For its part, the AGA has made strides in the past year in improving the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC), the industry’s premier alert system for both physical and cyber threats. The system serves members of the AGA, the Canadian Gas Association (CGA) and pipeline operators represented by the Interstate Natural Gas Association of America (INGAA).
The AGA enhanced the DNG-ISAC platform in 2021 to make it more secure and user-friendly, with a mobile app and better push notification capabilities for threats and information submission opportunities. The platform posted 1,200 alerts last year, including information on hundreds of cyber-related threats, potential vulnerabilities, and actual cyber intrusions of relevance to pipeline operators.
David McConkey, Director of Operations, Safety and Security for the Canadian Gas Association, said the DNG-ISAC is an important complement to the Blue Flame Program, a near real-time threat information and analysis sharing system established by CGA last year in partnership with the Canadian Centre for Cyber Security (Cyber Centre).
The CGA helped facilitate the close working relationship that now exists between the DNG-ISAC, the Cyber Centre and other organizations on the Canadian side, “so they have a really healthy and active flow of information there, which benefits our members because the information coming out of the DNG-ISAC has a Canadian flavour as well,” McConkey said.
The threat alert system is just one area where cross-border collaboration is boosting cyber defenses. This fall, the AGA will pilot its first NGX event, a cybersecurity planning exercise that will include U.S. and Canadian participants from natural gas utilities, transmission pipelines and government. It will be a scaled-down version of GridEx, a planning exercise that originated in the electric industry but now includes gas operators. Denbow’s plan is to grow NGX over time.
A new twist on cyber vulnerabilities?
Cybersecurity concerns tend to focus on the bag of tricks malicious foreign actors and domestic “hacktivists” can use to wreak havoc on critical infrastructure in pursuit of their agenda, but U.S. industry advocates say the potential impact of total electrification of the energy system on cybersecurity deserves more attention.
Going all-electric will not just make the overall energy system less resilient in terms of physical threats such as severe weather events or activist attacks but could also simplify the playbook for those planning cyber mayhem, they say.
The electric grid already is stressed: There were 182 major disruptions to the grid in 2020, compared to fewer than two dozen in 2000, according to a Wall Street Journal analysis published earlier this year. Culprits include the age of the U.S. transmission system, the inherent vulnerability of an aboveground transmission system, and the vagaries of wind and solar.
“Everything is tied to having electricity, and yet we’re not focusing on the reliability of the grid. That’s absurd and that’s frightening,” Curt Morgan, CEO of electric power wholesaler Vistra Corp. told The Wall Street Journal in February. “There’s such an emotional drive to get where we want to get on climate change, which I understand, but we can’t throw out the idea of having a reliable grid.”
AGA’s Denbow tied total electrification to increased cybersecurity risks at a recent meeting of the National Association of Regulatory Utility Commissioners (NARUC). Denbow cautioned against pursuing policies that reduce resilience by “putting all of our energy eggs in one basket” and at the same time ignore the impact on the cybersecurity landscape.
“Energy policy continues to be made in siloes,” Denbow said. “Cyber becomes an afterthought: Operators are asked ‘What about the cyber?’ I reply, ‘Well, what about the energy policy that increased our cyber vulnerability?’”
Like so many other aspects of the total electrification debate — like its impact on climate change, resilience, and affordability — it comes down to what is lost by not including natural gas as part of the solution.
“I think the message there is the natural gas sector is doing a lot, we’re on top of things, we’re a great asset from a physical and cybersecurity standpoint and we’re leading in many respects,” the CGA’s McConkey said. “You throw our industry out and you’re losing an asset from many, many perspectives.”
Still working the kinks out
The AGA and its member companies have been working with TSA since July to address aspects of the “one-size-fits-all” security directives that have created problems for operators — for example, multifactor authentication requirements that aren’t compatible with control systems and various components now in use.
Issues persist and new vulnerabilities are being created in the process. TSA in February requested that the designated pipeline operators submit their cybersecurity incident response plans to the agency electronically — a request that was greeted by operators with grave concern.
“TSA has collected all of these sensitive plans in a single database,” Denbow said. “In a threat environment when we’re worried about nation states compromising our networks, storing all these playbooks in one location does not give operators a warm-fuzzy feeling, regardless of security assurances provided by the government.”
Around the time the second TSA directive was issued last July, federal officials simultaneously released previously classified documents revealing that 13 of 23 U.S. natural gas pipeline operators were successfully compromised by a Chinese “spear-phishing” campaign from 2010–2013 that could have allowed hackers to gain control of pipeline operations.
In combination with the Colonial incident and the TSA directives that followed, those disclosures no doubt had a salutary influence on oil and gas operators that lagged on their cybersecurity efforts, but those likely were already in the minority.
“For the majority of the companies subject to the security directives, cybersecurity has been a priority for a long time,” Denbow said. “For those that may not have been giving cybersecurity the level of attention needed, the attention is certainly there now.”
David Coburn is a strategic thinker, writer, media relations expert and communications consultant leveraging 30-plus years of print journalism and agency public relations experience.