The May 2021 attack on Colonial Pipeline — considered the largest successful cyberattack on oil infrastructure in US history — led the Department of Homeland Security’s Transportation Security Administration to issue the first mandatory cybersecurity standards for pipelines, after years of relying solely on voluntary guidelines. But Democratic lawmakers, regulators and cybersecurity experts say these standards don’t go far enough and don’t match the mandatory standards that the US electricity industry has taken years to develop.
US regulators or the pipeline companies themselves must close this gaping hole in the country’s energy security, experts say – noting that the gas and electricity sectors are increasingly dependent on each other.
“We say ‘gas and electricity’ as if they’re separate — they’re not,” said Craig Miller, a research professor of electrical and computer engineering at Carnegie Mellon University and former chief scientist at the National Rural Electric Cooperative Association. “You don’t move gas without electricity: you need pumps. And you can’t make electricity without gas.”
The Russian invasion of Ukraine has only heightened fears of a cyber attack on critical energy infrastructure. Energy Secretary Jennifer Granholm urged energy leaders last week to prepare “to the highest possible level” for a potential cyberattack from Russia.
“While no specific credible threat to the homeland from Russia remains, to my knowledge, the U.S. government has worked with owners and operators of the energy sector to prepare for all geopolitical eventualities,” she wrote in a letter to trade organizations in the industry.
The nation has become more dependent on natural gas as an energy resource — the fuel accounted for 37% of the US electric mix in 2021, according to the US Energy Information Administration, up from 25% a decade ago — and the challenges of linking the two energy systems have been the focus of federal regulators for years. Meanwhile, digital technology is increasingly managing the systems that control critical infrastructure, making all energy infrastructure more vulnerable to cyber risks.
But the looser standards governing the gas industry are making pipelines a bigger target, critics of the existing regulations say. A 2021 report by cybersecurity firm Black Kite estimated that 28% of oil companies and 25% of the natural gas sector are “very likely” to experience a ransomware attack, compared to 17% of the electricity sector. The conclusions were based on an analysis of energy control systems that revealed companies hadn’t done enough to protect their software systems from a cyberattack.
The easiest way to think about the difference between the industries — and how pipeline vulnerabilities could damage the grid — is to imagine the standards a gas plant must meet, said Tobias Whitney, a former official of the North American Electric Reliability Corp. who is now vice president of strategy and policy at cybersecurity company Fortress. NERC is the power grid regulator that develops and enforces reliability standards for the bulk power system. The agency is overseen by the Federal Energy Regulatory Commission.
The electricity sector is governed by 13 critical infrastructure protection standards developed by NERC and FERC, 12 of which relate to cybersecurity. A power plant would be required to meet those standards — which are mandatory and enforceable — Whitney said, but the natural gas compressor station half a mile away that controls how fuel flows to the plant through the pipeline system would not be subject to those same standards.
“You see pipeline infrastructure that’s not secure the same way you saw it in the factory,” Whitney said. “There are no guards, there are minimal access controls. And this compromise of this pumping station could lead to this whole factory [being] inoperable.”
“There is a certain vulnerability there: I don’t need to destroy the power plant if I want to disrupt the operations of this plant via the gas infrastructure,” he added.
FERC officials, who can direct NERC to develop specific standards and approve those rules, have spent years pushing for regulations for the pipeline industry that mirror the rules of the electricity sector. In a 2018 op-ed, then-Chairman Neil Chatterjee, a Republican, and current Chairman Richard Glick, a Democrat, also argued that pipeline security should come under the Department of Energy. The DOE, unlike the TSA, has an entire office dedicated to cybersecurity risks, while the TSA in 2017 had only six full-time employees to oversee the security of the more than 2.6 million miles of pipelines nationwide, though the agency has since hired more staff and says it now has enough to enforce its new rules.
And a draft Trump administration plan in 2018 to bail out coal and nuclear plants for “resilience” purposes cited gas pipeline cybersecurity issues in a memorandum distributed to industry groups. “Gas pipelines are increasingly vulnerable to cyberattacks and physical attacks,” the memo said. “Failure of some pipelines across the United States would have severe effects on the generation of electricity needed to power critical infrastructure.”
Separately, Rep. Bobby Rush (D-Ill.) introduced a bill late last year that proposed bringing cybersecurity standards for the gas pipeline industry under the jurisdiction of FERC — creating an entity similar to NERC but for the pipeline sector.
“Vladimir Putin’s invasion of Ukraine has once again put the issue of energy security in the spotlight,” Rush said in an emailed statement Friday, adding that his bill would create “mandatory, necessary – and frankly, overdue – standards that would address both the cyber and physical risks to our energy security.”
But the bill did not win bipartisan support. Rep. Fred Upton (R-Mich.) said at a hearing that the bill “would dramatically expand FERC, transforming a relatively small agency into a giant with regulatory powers over America’s energy system.”
The pipeline industry also opposes the bill, saying it “risks complicating and hampering ongoing efforts to protect pipelines” by imposing “duplicative and conflicting federal oversight,” according to the Interstate Natural Gas Association of America. Furthermore, INGAA disputes the idea that electricity standards are stricter than those of the gas industry, saying “they’re just different.”
But the pipeline industry also has plenty of criticism for the efforts of its current regulator.
Since the cyberattack on Colonial Pipeline, the TSA has issued two directives to the pipeline industry: the first requires pipeline owners and operators to report incidents to the DHS Cybersecurity and Infrastructure Security Agency and to have a cybersecurity coordinator available 24/7; the second requires pipeline owners and operators to implement measures to prevent or limit the effect of ransomware attacks and to review the security of their systems against such attacks.
INGAA calls the standards “very prescriptive” and said it would prefer some of the more flexible aspects of the electricity standards set by FERC and NERC. However, the pipeline group is proposing that the TSA follow the guidelines of those agencies, rather than hand oversight over to FERC and NERC.
Black Kite chief security officer Bob Maley also said regulatory standards “are not always the answer,” as the federal government tends not to be as nimble as the private sector. For example, President Joe Biden’s executive order on cybersecurity released last year contained “a lot of good stuff,” but reports stemming from the executive order won’t be released until two years after Colonial — by which time bad actors will probably have already found a new vulnerability to exploit.
Whitney argues that FERC oversight is a “reasonable” approach to ensuring standards are better integrated into the practices and day-to-day operations that come with running a power plant. Giving FERC cybersecurity oversight over the gas pipeline network would allow the agency to develop standards for both sectors in stages, including communication protocols dictating how the electricity and gas sectors should communicate with each other if part of a facility fails, he said.
The two industries have been plagued by a lack of coordination lately. During the blackouts that hit Texas last year, leaving millions of people without power, one of the problems identified by FERC was that most gas pipeline infrastructure was not registered as a critical load: when the state grid operator triggered blackouts, compressor stations and other critical pipeline equipment that needs electricity to operate were shut down, even though they are necessary for the operation of natural gas plants. That contributed to further blackouts by reducing the amount of gas available for power plants.
Similar coordination questions must be answered in cybersecurity protocols, Whitney said.
“If there is, for example, a cybersecurity incident at a natural gas facility that serves electrical infrastructure, who should be part of that communication?” he asked. “When should the generating facility and/or utility be notified if there is a problem or potential problem? What do we expect from the sharing of information between natural gas and electricity?”
Bringing the gas sector under FERC’s jurisdiction would leverage the agency’s “tremendous amount of infrastructure,” including staff expertise and a well-defined regulatory process that includes industry input, he said.
The cyberattack on Colonial Pipeline may have raised the industry’s awareness of some of the pipeline sector’s vulnerabilities, Miller said, but developing robust protections “takes years and requires a culture change,” including training an entire workforce, creating multiple layers of defense and maintaining constant internal monitoring.
“We are largely – overwhelmingly – cybernetically unregulated and unsupervised in both the gas and electricity industry,” he said.
“After Colonial, people said, ‘OK, this is a big job; let’s start to get better.’ But it’s a long list. You can’t just say, ‘Install this room and watch it’; there is much more to do.”