Natural gas pipeline companies are being pulled in three different directions as federal agencies mull how to handle new security threats to an increasingly vital resource.
Should the U.S. government bail out competitors to natural gas to ease the power grid’s reliance on the fuel, as called for by a leaked plan from the Department of Energy?
Should policymakers preserve the status quo, counting on voluntary cooperation from the sector and a slim staff of specialists to gain a window into pipeline security, as the Department of Homeland Security favors?
Or should U.S. lawmakers consider beefing up gas security oversight and moving it out of DHS’s hands, an idea raised in the halls of the Federal Energy Regulatory Commission?
Shared among all three agencies — and the energy firms lobbying them — is a sense that cyberthreats to the gas pipeline networks are only set to rise as companies digitize operations and hackers backed by foreign intelligence services grow more intrusive.
"We now are dealing with nation states," said Dave McCurdy, CEO of the American Gas Association (AGA), at a July 31 cybersecurity conference in New York City. "The government isn’t necessarily organized for this 21st-century paradigm … you’ve got some challenges with the federal agencies, if you’re in industry."
The path chosen will inevitably reverberate in the bulk power grid, which in recent years has grown to rely on natural gas more than any other fuel source for generating electricity.
"There’s more concern about what is the impact of what would happen if there is an interruption in the gas supply," McCurdy said.
The gas industry has pushed back against proposals to require baseline security standards for large pipelines and related infrastructure.
"The threat evolves too quickly for a regulation or mandate to be the most effective method of maintaining the highest level of safety," McCurdy said. Beyond opposing mandatory security standards, the gas industry is also opposing any independent assessments of whether its cyber and physical defenses adequately protect its networks.
The DOE plan
To the Department of Energy strategists, grid security concerns already justify intervention through use of the Federal Power Act and a 1950s-era defense statute to prop up alternatives to natural gas.
In a draft policy memo leaked in June, DOE claimed that pipelines’ distributed nature, coupled with menacing online threats to their digital control systems, makes them harder to secure from attack.
DOE has floated propping up economically ailing coal and nuclear plants to pre-empt a future in which the country’s power grid relies overwhelmingly on "just-in-time" supplies from gas pipelines. DOE has not yet disclosed how many coal and nuclear plants it would support, how they would be chosen, and what subsidies would cost.
Because coal and nuclear plants have on-site fuel, the thinking goes, they would be more resilient in the face of cyber or physical attacks.
Energy Secretary Rick Perry has played up this argument, laying the rhetorical groundwork for a policy that has pre-emptively drawn fierce opposition from environmentalist and some energy industry quarters.
"Wind and solar are interruptible, and so [are] gas pipelines. The only forms that are not interruptible are coal and nuclear — because they’ve got fuel on-site," Perry said at a conference in Texas earlier this month (Energywire, Aug. 6).
Perry’s critics says his rationale is a policy proposal in search of a security problem. A major attack on U.S. grid infrastructure is as likely to focus on high-voltage transmission systems or local power distribution utilities as on pipelines. If adversaries take down part of the grid, power flow from all generation is halted, experts note.
Nuclear plants are the only "unique" generators from a security standpoint, and are likely to have the most stringent cybersecurity and physical defenses imposed by the Nuclear Regulatory Commission, said Dewan Chowdury, founder and CEO of the cybersecurity company MalCrawler and a consultant to major gas and electric utilities.
The DHS plan
The Transportation Security Administration, better known for its role guarding the nation’s airports, is charged with ensuring that vital gas pipelines are adequately protected against various threats.
E&E News reported last year that the DHS agency has assigned six full-time staffers to oversee the more than 300,000 miles of gas transmission lines crisscrossing the nation (Energywire, May 23, 2017). A TSA spokesperson confirmed that the number of full-time employees working on pipeline security remains the same.
"TSA has exercised security responsibilities over pipelines since 2002 and continues to exercise those responsibilities while working in conjunction with industry partners," the agency said in a statement.
The office relies on voluntary cooperation with large pipeline companies and industry groups like the AGA to gain a window into the sector’s security practices and defenses.
Earlier this year, TSA published updates to nonbinding pipeline security guidelines that urge companies to lock down their corporate and operational networks from hackers.
But compliance with the guidelines is not enforced, and agency officials have said there is no specific timeline for pipeline firms to complete "enhanced cybersecurity measures" for their most critical facilities.
An E&E News report in 2017 documented TSA’s lack of cybersecurity staffing and the absence of any systematic review of gas pipeline cyberdefenses, either by TSA, FERC or the industry itself.
An update of that reporting showed that that lack of oversight and accountability on cyber vulnerabilities has not significantly changed.
Meanwhile, homeland security officials have warned of Russia-linked hackers probing U.S. critical infrastructure networks across the country (Energywire, March 16).
While no cyberattack is known to have disrupted the flow of gas or electricity anywhere in the United States, hackers have interrupted third-party billing and document-sharing services used by large gas and power utilities. Several years ago, hackers thought to be linked to the Chinese government also launched a series of cyber intrusions into gas pipelines’ corporate networks, according to law enforcement officials and DHS briefings.
"I do think you need to have this different conversation both with TSA, with DOE, with [FERC], with NERC and with the gas industry about how you get that door protected," said Steven Naumann, vice president of transmission and NERC policy at utility giant Exelon Corp. "I know it’s an old adage, but if you’re a burglar, you’re going to go to the easy target. And if you’re spending all this money, all this time, all this effort on protecting the cyber health of the electric system, and then you can attack the gas system, water system, railroad system … then we’re so vulnerable."
Gas industry representatives contend that the nature of the commodity — slowly moving through pipelines, rather than the near-instantaneous path of electrons — intrinsically helps protect gas pipelines from certain threats.
Jennifer O’Shea, AGA vice president for communications, noted that the dispersed, redundant design of the U.S. pipeline system heads off risks from single points of failure carrying major consequences.
She said the industry "actively partners with multiple federal and law enforcement agencies, exchanging threat intelligence with the government through the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC).
Still, the extent of the gas industry’s voluntary compliance with TSA standards isn’t clear. E&E News asked AGA and the Interstate Natural Gas Association of America (INGAA) whether the industry has put in place any comprehensive review procedures of how well interstate pipelines are complying with TSA’s voluntary guidelines. The query asked how many interstate pipeline companies had received TSA cyber reviews this year, and what the industry’s expectations were for the timetable and scope of TSA future reviews of critical pipelines. Neither organization answered these questions.
The FERC plan
FERC has signaled that the independent agency wants to move to take on a larger role in ensuring the security of the pipelines that feed into America’s growing fleet of gas-fired power generators, although officials have been cautious to avoid stepping on the toes of other entities.
"There should be no aspect of our nation’s energy infrastructure that is left unprotected in a cyber sense, by whatever means we need to do that," said Republican FERC Chairman Kevin McIntyre at a June press conference.
He said he had not formulated a personal view on which government agency should be assigned oversight, or whether there should be mandatory standards, but did suggest that FERC could take on more authority in the future.
"I am not speaking for a formal FERC initiative or anything like that, but I wouldn’t be terribly surprised to see if we were to move in that direction at some appropriate time; we’re just not there now," he said.
His statements were noticed by others, including fellow Republican Commissioner Neil Chatterjee, who had suggested in a joint op-ed with Democratic Commissioner Richard Glick earlier this year that pipeline cybersecurity oversight be moved from the TSA to DOE.
"[McIntyre] wasn’t ready to commit to commission action, but he did indicate he could see us taking action in the area," Chatterjee said in a recent interview.
Chatterjee, who called TSA’s pipeline oversight office "clearly undermanned," noted that FERC is responsible for grid reliability, which could be endangered by cyberthreats to pipelines.
"FERC has a very serious role to play in this, but by suggesting the [oversight move to] DOE and not at FERC, this isn’t just some jurisdictional grab," he said.
The PJM Interconnection, an eastern U.S. grid operator, has called on FERC to insist that all gas pipelines provide more information about operations and vulnerabilities to the power generators that depend on them. "In PJM’s view, confidential information sharing should be both uniform and mandatory when the information is identified as needed to enhance the reliability" of grid and gas systems, said the grid operator.
"PJM urges the commission to drive further coordination through the exercise of its authority over both natural gas pipelines and the electric industry," the organization said (Energywire, April 17).
Now the gas industry must hold its breath to see to what extent FERC will intervene, possibly by requiring independent assessments of gas pipeline cyber vulnerabilities to cyber or physical attacks, or natural disasters, that would cut off fuel supply to essential gas-fired power generators.
FERC Chief of Staff Anthony Pugliese highlighted the possibility of intervention earlier this month when he told an industry audience that FERC’s staff was working with DOE, the Department of Defense and the National Security Council "to identify the plants that we think would be absolutely critical to ensuring that not only our military bases, but things like hospitals and other critical infrastructure are able to be maintained, regardless of what natural or man-made disaster might occur."
Pugliese singled out pipelines as a target for state-sponsored cyberattacks. "More and more, you have adversarial countries … who see pipelines, for example, as an area of great opportunity; let’s put it that way."
The INGAA challenged Pugliese’s statements about pipeline vulnerability, with INGAA spokeswoman Cathy Landry pointing to a fact sheet on the industry’s preparation.
"It appears that Mr. Pugliese could use a refresher on some basic facts and our industry’s commitment to this very serious issue," Landry said in a statement.
INGAA also released a statement from its president, Don Santa, who said the DOE plan "represents a solution to a problem that does not exist. If the Energy Department acts, consumers will be saddled with as much as $11.8 billion to pay for the uneconomic coal and nuclear plants.
"That might be justifiable if these facilities increased the reliability of the grid. But they don’t."