At the end of a Senate hearing last month, Sen. Maria Cantwell (D-Wash.) challenged Dave McCurdy, president of the American Gas Association, to say how Congress and the public can be confident about the cybersecurity defenses of the nation’s natural gas infrastructure when no one is keeping score.
"We still don’t have the metrics needed to measure the relative cybersecurity of our pipeline systems," Cantwell said, citing assessments by the Government Accountability Office.
The Transportation Security Administration and other agencies under the Department of Homeland Security were directed by the Obama administration in October 2014 to create those metrics, so the government can measure the strength of its defense against efforts to sabotage the United States’ critical infrastructure. For its part, TSA is responsible for overseeing the security of more than 300,000 miles of natural gas pipelines.
In February, GAO told Congress that the agencies under DHS had not provided those metrics.
The Department of Energy revealed in January that it was in the dark, too. Although gas pipeline cybersecurity is not DOE’s responsibility, DOE officials in the departing Obama administration surprisingly called for an audit of gas pipeline cybersecurity to determine whether mandatory regulations were needed. The safety of the nation’s electric power grid is a national security priority, DOE said, and the grid is increasingly dependent on natural gas to fuel generators (Energywire, Jan. 11).
The Federal Energy Regulatory Commission, the chief regulator of interstate gas pipelines, is also flying blind about the risks, which prompted Norman Bay, who was FERC chairman at the time, to ask DOE to request the pipeline audit, according to informed sources. Since then, FERC has offered to conduct voluntary cybersecurity audits of gas pipelines.
Industry officials interviewed by E&E News said they also are not systematically tracking the cybersecurity posture of interstate natural gas pipelines and local distributors.
AGA, which represents local distributors of natural gas, does not have a comprehensive scorecard of pipelines’ cybersecurity performance, according to an association official authorized to comment but not by name. Nor does the Interstate Natural Gas Association of America, whose members are the large, long-haul pipelines. Terry Boss, senior vice president for security at INGAA, was asked how many pipeline companies received TSA reviews on cybersecurity, and he replied: "We are just not sure. However, I do know of some audits that did include cybersecurity."
Inside the borders
The threat of a cyberattack against pipeline and power grid control centers was hammered home in 2014 by DHS’s Industrial Control Systems Cyber Emergency Response Team (Energywire, July 1, 2014). It held meetings at FBI field offices around the country to brief infrastructure operators about malware that secretly breaks in to inventory network systems, like bank robbers casing a target.
Joseph McClelland, director of FERC’s Office of Energy Infrastructure Security, said the supply of gas to the nation’s power generators is becoming ever more critical. "Don’t think our adversaries aren’t well-aware of that fact," he told state regulators earlier this year.
"They are already inside our borders. We can assume they’re already here," AGA’s McCurdy said in an interview with E&E News, confirming warnings of cybersecurity professionals. "The major [cyberthreat] players are doing a lot of mapping. They have the capability. But do they have the intent?"
At last month’s hearing of the Senate Energy and Natural Resources Committee, McCurdy said the industry is on top of the cybersecurity threats, citing pledges by industry leaders. AGA companies’ chief executives have signed a voluntary commitment to protect gas pipeline infrastructure, McCurdy said. "We have every investor-owned [gas] utility as a member of AGA," he told E&E News. "If they are holding out, they wouldn’t be a member" (Energywire, April 5).
Shannon Bañaga, an energy industry attorney and member of the Trump energy transition team, said the companies fully understand that all of their necks are on the line.
"If a security event happens to one company, it happens to all of us, and it’s up to us to make sure that doesn’t happen," she added. "To believe that additional federal oversight is necessary simply because it isn’t required misses the point. It isn’t required because there hasn’t been a demonstrated need."
The gas and pipeline industry repeatedly points to its close relationship with TSA as the foundation of its cybersecurity preparation. "The TSA does regular audits; they do cooperate and work closely [with the industry]," McCurdy told Cantwell at the hearing. "They are the subject matter experts."
But TSA has only six career staff members on duty for pipeline cybersecurity oversight, and not all of them are cyber experts. Congressional researchers have questioned the effectiveness of a voluntary system overseen by an underfunded and undermanned sliver of DHS. During a House committee hearing last year, the industry acknowledged TSA was operating on a shoestring. Speaking for AGA, National Grid security director Kathy Judge criticized a 2014 reorganization by TSA that "dismantled effective programs" on pipeline cybersecurity and said that TSA capabilities were "slowly recovering."
AGA conducts "peer reviews" of pipelines’ security practices patterned after those in the nuclear power industry. "We did 25 peer reviews this year alone," McCurdy said, describing a weeklong visit to pipeline companies. AGA is concluding a three-year cycle of reviews that will have covered utilities that supply three-quarters of the nation’s gas customers.
But how companies defend against cyberattacks is not part of the review, and there is no plan to add cyber questions, McCurdy said. The distribution utilities’ threat-sharing organization, the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC), has a fraction of the capabilities of its grid counterpart, the Electricity ISAC, officials confirm.
E-ISAC, dating back to 1999, has a score of full-time staff on watch duty, threat analysis and response, and training for cyber and physical threats. Suspected cyberthreats are channeled to the Pacific Northwest National Laboratory for state-of-the-art screening. Some security-cleared E-ISAC personnel are assigned to DHS’s National Cybersecurity and Communications Integration Center, a top-secret hub in the Washington, D.C., area where analysts investigate cyberthreats and vulnerabilities to critical infrastructure.
A single threat analyst is on duty at DNG-ISAC. Around-the-clock staffing is not yet considered essential. "Our staff size does not dictate our effectiveness. Through partnerships we can scale to meet threats head on," said the AGA official. The official added that DNG-ISAC sprang into action when the WannaCry ransomware cyberattack spread across the country earlier this month. The ISAC said it worked with DHS, TSA, DOE and intelligence agencies to collect and share software patches, attack signatures and other data with its members. It confirmed within hours that the U.S. natural gas sector had not been compromised, the AGA official said.
Still, even as the natural gas ISAC binds more closely to the electricity sector’s ISAC, the AGA official acknowledged that the threat-sharing process "is still in its infancy."
Mandatory standards? ‘No’
FERC’s unusual audit offer to gas pipelines — over which it has no regulatory authority — is also voluntary: The FERC teams must be invited in.
"We go out and work with some of the largest owners and operators of interstate natural pipelines, and we do a comprehensive [information technology] review," FERC’s McClelland said at a regulatory conference this year.
"It takes two days to get through that, and we look at everything," he said. "At the end of the two-day review, we give them the results and tell them every place we think there are vulnerabilities, and we assist them to fix those problems. And without fail, they fix them."
But like TSA, FERC’s capacity to do on-site reviews is limited, he told state regulators. "We have a significant backlog of folks who have asked for these reviews," McClelland said.
For more than a year, the natural gas industry has been digging in to oppose any suggestion of mandatory federal regulation of its cybersecurity readiness. In contrast to the gas industry’s preference for a voluntary approach, operators on the high-voltage electric power grid must meet FERC’s highly specific, mandatory Critical Infrastructure Protection (CIP) rules backed by potential fines of up to $1 million a day per violation.
National Grid’s Judge praised TSA for having "strategically refrained from executing its regulatory authority" to adopt mandatory cyber rules. "TSA is to be commended for choosing the more constructive path, partnering with owners [and] operators."
TSA’s inability to create a cybersecurity assessment for gas pipelines is partly the result of pushback from the industry. It said the industry and other companies operating critical infrastructure have been reluctant to share information TSA needs to monitor companies’ cybersecurity performance "because they fear regulation," GAO reported in 2015.
McCurdy had a one-word answer ready on the issue during last month’s Senate hearing.
"On the gas side, do you think the industry would be better with mandatory standards?" committee Chairwoman Lisa Murkowski (R-Alaska) asked McCurdy.
"No," McCurdy replied.
Since President Trump’s victory, a gas industry that raised many millions of dollars to support him and then helped fill out his White House transition team is calling in its chits to defend voluntary cybersecurity standards and oppose any version of the federal rules for power grids drawn up by the North American Electric Reliability Corp. (NERC) and acted on by FERC.
The Obama DOE’s recommendation for an audit of pipeline cybersecurity readiness, with mandatory cyber rules to follow if needed, made in DOE’s Quadrennial Energy Review 1.2 report in January, was dead on arrival in a Trump administration committed to wiping out regulations affecting oil and gas production.
"I don’t think anyone wants to raise a hand for more regulation," said Bañaga, the Trump transition team member.
"I don’t know of anyone in those [downstream gas] companies saying we need to apply NERC CIP to this. We don’t think that actually provides the confidence that we think is needed for us to do what we do," McCurdy said.
NERC CEO Gerry Cauley, on the same Senate hearing panel with McCurdy, disagreed. "I think mandatory requirements have a place. What was done in the bulk power system is an appropriate mix. We want to make sure everyone is meeting a threshold set of requirements," he said. "We can be harmed by the weakest link."
Paul Stockton, former assistant secretary of Defense for homeland defense and managing director of consulting firm Sonecon LLC, said regulation doesn’t bar companies from going further than rules require. "Mandatory standards [in the electricity sector] have provided a valuable baseline for security initiatives, but many utilities, thank goodness, have gone beyond those minimal standards … investing in their own resources to provide for additional resilience against cyberattack."
INGAA’s Boss noted that U.S. pipeline infrastructure is much less interconnected and thus much less vulnerable to a cascading failure than the tightly synchronized electric grid. Power travels at near light speed, while gas moves at 20 miles an hour, giving gas system operators much more time to respond, Boss said.
But pipeline systems’ vulnerabilities increase as the industry adopts more automated controls, said Sam Visner, senior vice president and general manager of cybersecurity at ICF International, a consulting firm that has analyzed gas system vulnerabilities.
"For better or worse, and hopefully for better, the nation’s gas pipeline infrastructure is going to be increasingly IT-enabled, with more and more devices having internet protocol addresses used to manage this infrastructure," Visner said, referring to pipelines’ supervisory control and data acquisition (SCADA) systems.
"If a SCADA system is in fact internet-facing, and if it were not protected properly, then certainly it could be vulnerable," he said.
As last month’s Senate hearing wound down, Cantwell asked McCurdy to join committee staff in creating a process for assessing pipeline cybersecurity defenses.
"Now, I know when you say something like that, people will tell you, ‘Wait, wait. We don’t want any new regulation,’" Cantwell said. "But at the same time, I’m for the collaborative effort, I am. But I think that we have to have some measurables here that we need to put in place. So we’ll be looking at that."
Cantwell said she hoped she could count on the industry’s support in creating benchmarks of cybersecurity performance. McCurdy didn’t respond directly to Cantwell’s request. Later, an AGA official reiterated the industry group’s position that government mandates should be off the table.
"The best assurance is [for members of Congress] to get off the dais and actually see what is happening, and dig more deeply than five-minute testimony," McCurdy said. "They will learn. And I think they will have more confidence in us.
"I don’t lay awake at night worrying about Southern Co.’s cybersecurity programs, ConEd [Consolidated Edison], Mid-American," three of the largest electric power companies that also have gas systems, he added. "They have the capabilities."
But officials in the electricity industry worry about power-sector and pipeline operators that fall short on cyber defense, particularly when so many of the nation’s energy backbones are connected.
The elevated risk to natural gas and electricity supplies stems from their reliance on interconnected delivery networks where a sophisticated attack could have cascading effects. As the 2003 Northeast electric power blackout and other widespread outages showed, a company that cuts corners on reliability puts its neighbors in danger. A wide-ranging cyberattack on part of the power grid in Ukraine in 2015 did not take down all of its targets, just the weakest links.