Divided cyber policy undermines gas and grid networks — report

By Peter Behr, Blake Sobczak | 09/07/2017 07:15 AM EDT

A natural gas pipeline valve in McKenzie County, N.D.

A natural gas pipeline valve in McKenzie County, N.D. Tim Evanson/Flickr

A new Congressional Research Service study warns of fragmented federal oversight of cybersecurity vulnerabilities in vital energy sectors, singling out the interconnected electric power and natural gas industries.

The Aug. 28 study, obtained by E&E News, was prepared for use by congressional committees and is not a public document.

Congress, in 2015, gave DOE responsibility to safeguard power networks in a national emergency, but other authority is divided. The Federal Energy Regulatory Commission enforces mandatory cyber regulation of the interstate power networks, while the Transportation Security Administration (TSA) in the Department of Homeland Security has elected voluntary cyber oversight of gas pipelines.


Without specifically calling for new legislation or endorsing existing cyber bills, the CRS report points Congress toward the issue of Balkanized cyber policy in energy. "The effect of the dispersed cybersecuity responsibility at the federal level has been the subject of congressional interest, but has not been studied," CRS said.

The same warning of divided oversight was delivered last month to President Trump by an expert panel, the National Infrastructure Advisory Council, which saw only a "a narrow and fleeting window of opportunity" to pull together a unified response (Energywire, Aug. 23).

The CRS report highlights the issue of the power grid’s growing reliance on natural gas supply, with both sectors facing increasing cyberthreats to their control systems. CRS said that "many in Congress recognize that grid and pipeline cybersecurity are intertwined," but their policies are not.

The CRS analysis focuses on the Energy Department’s Office of Electricity Delivery and Energy Reliability (OE), which leads DOE’s cybersecurity oversight of the power grid. CRS noted that the proposed Trump budget for fiscal 2018 would cut OE’s appropriations to $123 million, or 41 percent less than the estimated current level, at the same time that it has been handed new responsibilities by Congress.

"[T]here is little discussion in published materials as to what extent OE collaborates directly with FERC or TSA on specific cybersecurity [research] programs," CRS noted, adding, "the ongoing level of cooperation between OE and TSA in the area of pipeline security is difficult to determine from published materials."

CRS noted that DOE and DHS had collaborated in 2015 in issuing an energy-sector response plan for cyber and physical attacks, which explicitly excludes gas pipelines.

An E&E News report in May cited concerns at DOE, under President Obama, that the department could not determine whether pipeline cyberdefenses were adequate (Energywire, May 23).

A policy paper in July by the Natural Gas Council stated the industry’s case that its cyberdefenses were strong. "There is low risk of single point of disruption (regardless of cause) resulting in uncontrollable, cascading effects," the paper says.

Michael Assante, a former grid security executive at the North American Electric Reliability Corp., said CRS is asking the right question about gas-grid interconnections and vulnerabilities. "They’re on the right track," said Assante, who heads industrial control system security at the SANS Institute cyber training group.

Much of the CRS report describes apparent missing pieces of cyber policy, or uncertain responsibilities, where it could not find answers in the public record, an invitation for Congress to seek answers.

The report was not directed at the evolving cyber policy of the Trump administration, but it noted that a holdover executive order from the Obama administration remains in force, spelling out governmentwide coordination in the face of a major cyberattack. Obama’s National Cyber Incident Response Plan (NCIRP) would stand up a top-level response team in the National Security Council to pull together crisis actions by DHS, the FBI and intelligence services.

CRS said it could not determine how the Trump administration is managing the challenge now. In May, Trump ordered a 90-day review of cyber policy for critical infrastructure, but the report has not been released. CRS said that "the concept of operations prescribed in the NCIRP appears still untested in real-world response."

"The whole idea of the Congressional Research Service is to take an issue and try to understand: ‘Is there a role for legislation? Is there a need for it?’" Assante said in an interview. "In this case, I think they’re just further educating the legislative discussion as to whether more needs to be done or not."