Top intelligence and homeland security officials are borrowing from the U.S. government’s approach to counterterrorism in a bid to warn pipeline companies about hacking threats to their systems.
The Pipeline Cybersecurity Initiative unveiled this month aims to deliver intelligence to natural gas companies that form the backbone of America’s electric power grid, according to multiple agencies involved with the program.
Officials at the Department of Homeland Security, which is leading the effort, are also hoping to find and fix weak points in pipeline infrastructure through a series of voluntary cybersecurity tests. The assessments will review major energy firms’ IT networks as well as the operational, Supervisory control and data acquisition (SCADA) systems that physically monitor and control the flow of gas.
"We see in the intelligence community, [hacking] penetrations, attempted penetrations and successful ones from our adversaries," said Bill Evanina, director of the National Counterintelligence and Security Center, at a U.S. Chamber of Commerce event last week. "And when they’re going into the SCADA systems and the industrial control systems of these pipeline companies, it’s not to see how they work."
When the U.S. government gets a heads-up about potential terrorist activity, intelligence agencies scrub out classified information and tip off targeted companies. Evanina explained how he and others in the intelligence community are trying to sift pipeline cyberthreat information "through the washing machine" and pass it along to DHS, the Department of Energy and the Federal Energy Regulatory Commission, among others.
"We have to be able to put that analytic stream together, but at the same time, explain to these companies what the threat is, and let DHS and other organizations help them mitigate the threat they see," he said, "so that a nefarious activity by a nation-state threat actor can’t shut that pipeline off. That’s the ultimate goal."
While many of the nuts and bolts of the initiative have yet to be worked out, the effort drew a warm welcome from pipeline industry groups that have been leery of facing enforceable cybersecurity standards. Currently, six workers at DHS’s Transportation Security Administration are responsible for overseeing physical and cybersecurity across hundreds of thousands of oil and natural gas pipelines across the United States. TSA’s cybersecurity guidelines are not mandatory or enforceable, leaving the agency to lean heavily on voluntary cooperation from the energy sector.
The new initiative, which emerged from a high-level meeting among TSA, DOE and natural gas executives earlier this month, does not add regulatory teeth to TSA’s guidelines. However, the effort will offer some backup to TSA’s slim staff through DOE and a separate DHS agency, the National Protection and Programs Directorate. Outside DHS specialists are set to carry out technical "Validated Architecture Design Reviews" (VADR) on "top tier" pipeline computer systems, according to Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at NPPD.
"That’s what the pipeline initiative is really about — a series of assessments, more focused on information and intelligence getting to them, more senior-level commitment from the government agencies and from industry to work together to reduce risk where we find it," she said.
Manfra put the initiative in the context of the shifting U.S. power grid, which has grown increasingly reliant on natural gas as a fuel source for power generation in recent years.
"Part of it has to do with how the energy market is changing, as you see more and more natural gas being used," Manfra said, when asked about the impetus for the initiative at the U.S. Chamber last week. "That’s not a fact that our adversaries are unaware of."
A cyberattack isn’t known to have physically disrupted the flow of natural gas anywhere in the U.S., but recent pipeline disasters have underscored the potential consequences of a successful hack.
On Sept. 13, a series of gas pipeline explosions in Massachusetts killed one bystander, injured 21 others and demolished several homes following apparent monitoring and maintenance failures at Columbia Gas (Energywire, Oct. 12).
Grid authorities at DOE and the North American Electric Reliability Corp. have raised concerns about an explosion or cyber disruption at the larger gas transmission lines that often feed into multiple power-generating sites in places like the Northeast and parts of California.
In the wake of a NERC assessment on potential gas-grid pressure points last year, the organization’s director of reliability assessments, Thomas Coleman, called for the natural gas industry to have the same binding cyber and physical security standards that apply to big electric utilities (Energywire, Nov. 15, 2017).
Since then, several senior officials and some lawmakers have called for further action on pipeline security, from proposing to transfer responsibility for gas security from TSA to DOE, to extending "critical infrastructure protection" cybersecurity standards to large gas storage and pipeline firms through FERC.
In a leaked policy memo earlier this year, DOE analysts proposed propping up economically ailing coal and nuclear power plants, arguing in part that cyber and physical vulnerabilities in gas pipeline networks could jeopardize gas-fired power generation.
DOE officials have stayed mum on those nascent plans, which are now being considered at the White House. But Energy Secretary Rick Perry has repeatedly warned of an uptick in cyberthreats to critical infrastructure systems.
"We face a host of bad actors out there eager to exploit our vulnerabilities, disrupt and destroy our energy assets," he said last week at a swearing-in ceremony for Karen Evans, a new top cybersecurity official at DOE.
Perry cast the pipeline cybersecurity initiative as a way to "leverage the unique strengths and expertise of our industry partners in addressing cyberthreats to our pipelines, and increasing the security of our very critical energy infrastructure."
"As secretary, I don’t have a higher responsibility, higher priority than protecting our nation against those dangers," he added.
Senior representatives from several major pipeline companies and electric power utilities huddled at DOE headquarters Wednesday afternoon to discuss cyberthreats and the growing interdependencies between the two sectors, sources say.
A spokeswoman for one of the groups present at the meeting — the Interstate Natural Gas Association of America — declined to comment on the makeup of the meeting but welcomed the joint DOE, DHS and TSA security initiative.
"INGAA believes that taking a risk-informed approach to combating security threats is the best way to secure our critical infrastructure," Cathy Landry said in a statement.
For now, the most pressing cyberthreats to the critical control systems that undergird pipelines and other long-distance infrastructure networks come from foreign intelligence services like Russia’s GRU or China’s Ministry of State Security, according to U.S. intelligence estimates.
"Right now my concern is: We have indicators that we have people who are interested in [SCADA]; and that in and of itself is enough to say that we’ve got to be organized and have the right resources and capabilities to address it," said Rob Joyce, senior adviser for cybersecurity strategy at the NSA and President Trump’s former cybersecurity coordinator, on the sidelines of the U.S. Chamber event last week. "The thing I worry about is nation-state. For years, there have been concerns about terrorists operationalizing cyber — I’ve not seen that to date. We’ll continue to look at it, but I think the real threat right now is nation-state."