As the cyberthreat facing the nation’s biggest natural gas pipelines grows and evolves, a small group of federal workers tasked with protecting the sprawling, hidden energy matrix is woefully outnumbered.
Just how many career staffers at the Transportation Security Administration’s headquarters in Arlington, Va., are tasked with protecting more than 300,000 miles of interstate gas pipelines from the intrusions and surveillance of enemy states and rogue vandals?
Six. And they’re not all cyber experts.
In a blog restricted to congressional staff and obtained by E&E News, federal researcher Paul Parfomak last month explained how TSA, the Department of Homeland Security branch better-known for aviation security, landed the job of overseeing pipeline cybersecurity in the days following the Sept. 11, 2001, terrorist attacks.
Parfomak, a specialist with the Congressional Research Service, laid out the brewing concerns among policymakers about TSA’s reliance on industry-driven, voluntary safety measures. He suggested Congress may wade into the prickly debate over the quality of threat information and whether TSA is sufficiently staffed and trained to protect a network of pipelines and, by extension, the backbone of a gas-reliant U.S. electric grid.
Last year, he warned House members that hackers could find their way into sophisticated pipeline operating systems and trigger spills, explosions or fires. He reported an uptick in repeated and aggressive attacks on U.S. pipelines — a category that includes not just gas transmission but hundreds of thousands of additional miles of crude oil and refined product lines — for the purpose of collecting sensitive information.
Experts have found that the nation’s pipeline sector has been penetrated and spied on, with hackers holding some of the blueprints needed to launch a cyberattack that could plunge parts of the nation into darkness.
"If our critical infrastructure has an attack, we’re not going to recover anytime soon," said William Evanina, director of the National Counterintelligence and Security Center, which houses the Office of the Director of National Intelligence. Dire scenarios targeting gas supplies are on its radar, he said, even though the government hasn’t pointed to an imminent threat against gas pipelines.
TSA officials acknowledged in written responses that only half a dozen federal workers were monitoring security threats against pipelines.
According to multiple sources briefed on TSA inspections, reviews take up to four hours and focus largely on physical security.
For example, Sonya Proctor, TSA’s surface division director, told a House Homeland Security subcommittee last year that the agency’s top priority has been 100 of the highest-risk U.S. pipelines, which it inspected over 2008 to 2011 following a congressional mandate. Now, five years after the last of those inspections, TSA is conducting follow-up visits. TSA conducted six "corporate security reviews" or visits in fiscal 2015 and planned to conduct eight in fiscal 2016, she said.
TSA in written comments said such reviews "were not developed to assess an agency’s technical cyber-security environment," but do include a "cyber-component." An online copy of a pipeline corporate security review, apparently dating back to 2009, asks about basic password security practices, overlap and coordination between the control system and corporate networks, and cybersecurity staffing details, among dozens of other topics. TSA declined to confirm the authenticity of the document, citing its security-sensitive classification.
TSA has also encouraged the oil and gas industry to take advantage of more technical tools from the Department of Homeland Security to assess their online protections, and use the agency’s voluntary guidelines that address cybersecurity. Insiders say that while companies may use such resources internally, the incentives aren’t there for companies to provide the government with specific information.
"Do I feel that government has an accurate view across the interdependencies of infrastructure and the risk that it introduces? No. I have no confidence that they know that," said Robert M. Lee, a former Air Force cyberwarfare operations officer who now leads industrial cybersecurity company Dragos Inc.
But while Lee said TSA’s limited view of cyberthreats and vulnerabilities could lead to bad outcomes for both government and industry, he added that the private sector is "rightfully scared" about offering the agency a warts-and-all look at the state of gas pipelines’ cyberdefenses.
In the wrong hands, such information could prompt a heavy-handed government response that, in Lee’s view, would do more harm than good compared to a cooperative approach. "We are going to get solutions that don’t match the problems that we have," he said.
For its part, TSA has not expressed interest in taking a tougher line toward industry, defending the voluntary approach as "currently achieving desired results in protecting pipeline infrastructure."
A ‘constrained’ agency
Parfomak has warned Congress about TSA’s precarious situation in the past, but little has changed.
He has gone into great length about TSA’s inclusion of industry guidance to bolster pipeline cybersecurity and the agency’s partnerships with the departments of Energy and Transportation. He outlined the hundreds of visits TSA inspectors made to the nation’s major oil and gas pipelines throughout the years, the results of which were never made public.
Yet Parfomak ultimately concluded in comments to the House Homeland Security Subcommittee on Transportation Security that deep questions linger about the effectiveness of a voluntary system overseen by a sliver of DHS that is underfunded and operating with only a handful of employees. Those concerns, he said, permeate TSA, where some career workers have raised concerns about limited staff and the inability to conduct enough reviews given their workload sussing out terrorist threats.
"At its current staffing level, TSA’s pipelines branch has limited field presence for pipeline site visits, and has constrained capabilities for updating standards, interacting in the various stakeholder groups with which it collaborates, analyzing security information, and fulfilling other administrative responsibilities," Parfomak wrote in prepared remarks.
Parfomak declined to be interviewed for this series, but said his written reports speak for themselves.
Further complicating TSA’s oversight was the agency’s reorganization in 2014, which eroded some of the agency’s capacity to oversee pipelines by replacing specialists with generalists, Kathy Judge, director of corporate security for National Grid, a Britain-based supplier of electricity and natural gas to customers in the northeastern United States, told lawmakers at the same House hearing.
Judge said the reorganization "dismantled" effective security programs both the government and the operators had benefited from, and TSA is only "slowly rebuilding" its capacity.
An official at the American Gas Association agreed with that assessment, saying TSA is still recovering from that decision. A former TSA official backed up that claim, noting that the agency’s Corporate Security Reviews offered at least a surface-level evaluation of cyberdefense capabilities, but that the program "has not been the same since" the shakeup.
Up until the reorganization, the AGA official, who did not want to be identified, said industry had a good working relationship with TSA’s pipeline staff on site review and receiving feedback. But after the realignment, those federal workers were moved to other departments, throwing a wrench into a working system and undermining the development of effective teamwork on cybersecurity.
The industry source said Proctor, the TSA division director, recognized the ineffectiveness of the reorganization and the need to return to the agency’s original model, as well as the need to fill open pipeline security positions with qualified candidates, a process that is ongoing.
The agency is still working to fill the shoes of a recently retired TSA general manager, Jack Fox, who sources say had a good grounding in cybersecurity issues. Fox did not respond to request for comment. A current TSA employee said his responsibilities have been distributed among the office’s staff until a replacement can be found.
Meanwhile, TSA’s surface transportation unit — covering everything from pipeline to rail security — gets only a fraction of the funding of the agency’s better-known role protecting airports. The latest budget deal sets aside $122 million for TSA surface programs, less than 3 percent of funding levels for aviation.
TSA officials have pointed out that this discrepancy is because the agency bears the cost for airport screening on its own, whereas pipeline operators are responsible for their own security programs.
In 2011, TSA placed the probability of a cyberattack on the nation’s pipeline network as "low."
A report from the agency’s Office of Intelligence that year noted that terrorist groups had discussed attacks on unspecified computer systems underpinning major oil and gas pipelines, but federal officials weren’t certain whether al-Qaida or any other group had the capability to conduct a successful cyberattack on the systems.
But months after TSA released its assessment, news of a malicious cyber campaign emerged.
Five years ago, members of an elite cyberwar unit of China’s military hacked into U.S. pipeline companies, likely walking away with some of the blueprints needed to take down critical energy infrastructure for days, if not longer, according to law enforcement and security experts.
Two years later, the Justice Department would unveil charges against five of these hackers, putting up a "Wanted" poster for People’s Liberation Army officer Wang Dong and throwing open the door to "sophisticated" campaign of alleged cyber theft dating back to 2006.
Still, federal experts and industry continue to provide assurances that the threat is not high. Even if Dong had specifically targeted pipeline companies, rather than casting a wide net and incidentally stealing information from their networks, there is no evidence he or his fellow hackers ever breached the industrial control systems that could cause physical damage.
A more general recent DHS Office of Intelligence and Analysis assessment examining the energy sector as a whole concluded last year that "the threat of a damaging or disruptive cyberattack against the U.S. energy sector is low."
But recent cyberattacks on parts of Ukraine’s power grid temporarily knocked out power to several hundred thousand people and raised questions about how long the threat will stay dormant in U.S. critical infrastructure.
"Right now, you’re staying one step ahead of the bad guys," said Jim Guinn, who leads the energy and utilities cybersecurity practice at Accenture while based out of Houston. "The problem is, you don’t know how fast the bad guys are running, because you’re dealing with a nameless, faceless enemy."
TSA officials said they were not aware of any cyber incidents disrupting the gas grid. The agency draws on data from its Transportation Security Operations Center, which in turn is fed intelligence from the FBI and other DHS offices.
The U.S. government relies in large part on the cybersecurity information volunteered by the pipeline industry, according to multiple government and industry sources.
Government watchdogs have questioned how deeply TSA probes cybersecurity issues during its inspections. In 2010, the Government Accountability Office reviewed TSA’s oversight of pipelines’ overall security posture, noting that the agency’s "corporate security reviews" do indeed include questions about cybersecurity.
But a footnote to the report reveals that interviews with officials from TSA’s Pipeline Security Division (PSD) didn’t involve "in-depth inspections or assessment of an operator’s cyber security system and its vulnerabilities because PSD does not possess this expertise." TSA officials said that expertise could be found either in the private companies themselves or in DHS’s cybersecurity division.
This diffusion of cyber responsibilities may exacerbate what GAO once called "federal assessment fatigue," or "a perceived weariness among critical infrastructure owners and operators who had been repeatedly approached or required by multiple federal agencies and DHS offices and components to participate in or complete assessments."
That July 2016 report singled out TSA’s voluntary critical facility security reviews — a distinct program from the agency’s corporate security reviews — as being "potentially subject to multiple assessment efforts" that interviewees warned may not provide the government with new or "useful" information.
A GAO spokesman said the office is updating its 2010 review of TSA pipeline oversight, with no timetable on its release.
One of the best sources for energy-sector-specific cybersecurity knowledge in the U.S. government, the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), also conducts on-site security reviews for government agencies and private-sector companies. But the office adheres to a strict Protected Critical Infrastructure Information program, keeping any uncovered security slip-ups out of reach to regulators or the general public.
In fiscal 2016, ICS-CERT made 130 cybersecurity evaluations, more than double the number in fiscal 2010. Just 22 of those assessments took place at energy companies, and the agency’s resources are strained to meet a growing demand. ICS-CERT has increasingly picked up the burden of warning about insecure "internet of things" devices that are coming online by the thousands across multiple critical infrastructure sectors. One DHS official recently described feeling "completely overwhelmed" by the sheer volume of equipment and potentially vulnerable technology on ICS-CERT’s plate.
DHS was one of the few agencies spared cuts in the Trump administration’s fiscal 2018 budget request released Tuesday, which calls for a multibillion-dollar boost at the agency to pursue his immigration policies and border wall.
The 2017 budget deal hashed out in Congress earlier this month advised setting aside an additional $11.9 million for TSA’s surface transportation program, more than a 10 percent raise from 2016 levels, plus an extra $73.5 million for DHS’s broader cybersecurity activities, which include securing federal networks and staffing round-the-clock cyber watch floors (E&E Daily, May 2).
On May 11, President Trump signed an executive order on cybersecurity that homed in on the need to strengthen critical infrastructure protections (Energywire, May 12). It also called for a 90-day review of "transparency in the marketplace" when it comes to cybersecurity, with an emphasis on large, publicly traded infrastructure operators. The DHS-led report would examine "the sufficiency of existing federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities," according to the order.
"I do sense that [Trump administration officials] want to focus on critical infrastructure, and gas would certainly be part of that," said Gerry Cauley, president and CEO of the North American Electric Reliability Corp., in an interview conducted before the final executive order was signed.
"Other than the gas companies just exercising good practice and good risk management, what is the role of government to assure that?" Cauley said. "I think that’s the question that needs to be answered."