FERC official’s comments spotlight pipeline cyber risk

By Peter Behr | 08/10/2018 07:33 AM EDT

Comments by the Federal Energy Regulatory Commission’s chief of staff, Anthony Pugliese, to an industry group appear to be more evidence of concern over potential attacks on U.S. gas pipelines that could threaten the nation’s electricity supply.

Grid operators monitor electricity use across more than a dozen states in a control room in PJM Interconnection's headquarters near Valley Forge, Pa. PJM Interconnection

Pugliese singled out pipelines as a priority target for state-based cyberattacks. "More and more, you have adversarial countries … who see pipelines, for example, as an area of great opportunity, let’s put it that way," he said.

And he also dismissed the capabilities of the Transportation Security Administration to oversee pipeline cybersecurity, a mission given the agency by Congress after the Sept. 11, 2001, terrorist attacks. TSA has published standards for cybersecurity defense that gas pipelines are expected to follow. The guidelines are voluntary.

"TSA doesn’t really have a lot of the resources; they certainly don’t have enough subject matter expertise," he said.

Pugliese’s comments at a meeting of the American Nuclear Society, shared with E&E News by Rod Adams of Atomic Insights, raised questions about how FERC’s staff might be contributing to a top priority DOE policy initiative to channel subsidies to struggling coal and nuclear plants to prevent their retirement (Energywire, Aug. 9).

DOE says that these plants provide greater security and resilience to the grid because their fuel is on-site — in reactors, or plant-side coal piles — in contrast with pipeline supplies for gas-fired generators. DOE’s proposed "resilience" policy was leaked in June, but has not been approved, as the department seeks ways to identify which plants should be supported.

The FERC official said at one point, "We are working with DOD and DOE and NSC to identify the [coal and nuclear] plants that we think would be absolutely critical to ensuring that not only our military bases but things like hospitals and other critical infrastructure are able to be maintained, regardless of what natural or man-made disasters might occur."

Congress has made DOE responsible for assuring electric power availability to defense facilities, and DOE’s plan would invoke that authority.

But a FERC spokesman said yesterday that despite Pugliese’s "working with" comment, the commission was not DOE’s partner in policy formation. "In response to a question after the speech, the chief of staff was simply stating that the federal government is working to ensure that important critical infrastructure, like hospitals, remains operational. FERC is an independent agency and therefore has not assisted in the development of policy but provides technical assistance as subject matter experts," FERC spokesman Craig Cano said.

The DOE plan has split the U.S. energy industry, with a coalition of wind, gas, solar and other industry sectors promising to fight it in court, if it is advanced.

"Our main point … is the scope of any review should be all fuels, not just natural gas. That means rails and barges for coal, for example," said John Shelk, president of the Electric Power Supply Association, representing independent power producers and marketers.

Pugliese’s comments singled out the risk to gas supplies, however, giving support to a policy push by the PJM Interconnection, the Eastern power grid operator, and Exelon Corp., the nation’s largest nuclear operator, who have urged FERC to require gas pipeline companies to work more closely with grid operators in strengthening defenses against possible cyber and physical attacks.

PJM announced in April that because of the potential risk to power plants from gas supply disruptions, it would undertake "targeted analyses to identify fuel security risks" to particular locations, including challenges in fuel delivery under stressed conditions.

PJM has urged FERC to require gas pipelines to share confidential operating information about potential vulnerabilities. Today, such sharing is voluntary — encouraged but not mandated — and pipeline companies’ cooperation varies markedly, PJM said. (The grid operator said better cooperation is also essential from telecom companies that carry grid operators’ critical communications.)

It needs "regulatory support" from FERC to get a clear picture of cyber and physical vulnerabilities of gas pipelines, PJM said. The commission should use its existing authority to order cooperation between grid and gas companies on threat assessment, PJM urged.

Classified briefing

PJM met with DOE officials in July for a classified briefing on cyber or physical threats that could affect fuel supply and affect the grid, according to Mike Bryson, PJM vice president for operations. The briefing also covered attack methods and capabilities that foreign or domestic adversaries might use.

"The information from the DOE meeting is a key input into … PJM’s fuel security study to analyze a range of risk scenarios and determine the potential impact on PJM’s ability to continue to provide reliable electricity" in its service area, which covers 13 states and the District of Columbia, the organization said in a policy update.

"PJM is demonstrating exemplary leadership in reaching out to DOE to better understand the risk that adversaries will disrupt the flow of natural gas on which power generation increasingly depends," said Paul Stockton, former assistant secretary of Defense for homeland defense, and managing director of Sonecon LLC, a consultant on security issues for Exelon and other energy companies.

"Two factors will be especially important in assessing these risks. First, providing a realistic but extreme scenario that reflects the risk that a large number of gas pipelines will be attacked simultaneously," Stockton said. "The second factor — in addition to the number of pipelines attacked — is the duration of the gas interruptions that would result from such attacks."

Pugliese did not indicate how FERC will respond to the PJM requests. A senior power industry official, speaking not for attribution, said that FERC has plenty of statutory authority to weigh in on the security of pipeline gas deliveries to power plants. A first step could be an order directing PJM and other regional grid organizations to assess their vulnerabilities to gas pipeline disruptions. That would, in turn, point to the question of how secure the pipelines are.

Exelon, in its filing with FERC, commended PJM for seeking to define the threats it faces. But it added, "unless PJM is modeling the right scenarios, its analysis of fuel security vulnerabilities, and the solutions it will propose based on that analysis, will not necessarily ensure resilience. Yet PJM lacks access to the information needed to assess which risks it should plan its system to meet."

PJM says it is getting good cooperation from a number of pipeline companies, as it investigates threat vulnerabilities, but not all. "They recognize the fact that collaboration is production and they want to make sure their system capabilities and their cyberdefenses are well understood," said Jonathon Monken, senior director of system resilience at PJM.

But the information sharing is also not at a full "open kimono" level, he added. The process is ongoing.

"One of the most significant challenges is being able to have a good snapshot of cybersecurity defenses across U.S. critical infrastructure," he added. "You have companies with very sophisticated cyberdefense capabilities all the way down to folks who are at a fundamental blocking and tackling level."

Jennifer O’Shea, vice president for communications at the American Gas Association, repeated the industry’s insistence that its cyberdefenses are strong, in a comment to E&E News.

"Natural gas utilities actively manage cybersecurity risk using a number of tools," O’Shea said. "Voluntary actions adopted by AGA members include implementation of the TSA Pipeline Security Guidelines and the application of the NIST Framework for Improving Critical Infrastructure Cybersecurity."

Neither the AGA nor the Interstate Natural Gas Association of America would comment on how TSA is evaluating pipeline cyberdefenses.

PJM’s analysis of fuel supply vulnerabilities will not tell pipelines how to do their business, Monken said. "This is not going to produce a punch list for the gas folks," he said. "It’s not airing dirty laundry, either."

But, at least in PJM’s view, if the analysis shows serious vulnerabilities on the pipeline side, that will be a call for action. Commenting to FERC on the disparity between mandatory cyber and physical rules for the interstate grid and voluntary ones for gas pipelines, PJM said, "Although legislation would be needed to change this disparate paradigm, there is little reason why the approach by TSA and FERC to these cross-industry topics needs to be so diverse."