The Transportation Security Administration has refreshed a 6-year-old set of pipeline security guidelines after lawmakers voiced concerns about its oversight of cybersecurity threats to natural gas networks, officials confirmed this week.
TSA said the new document, completed last month but still under review, will capture an "objective benchmark" of pipelines’ cyber readiness by borrowing from a step-by-step security framework published by the National Institute of Standards and Technology in 2014.
The changes do not include mandatory cybersecurity rules for gas companies. As the U.S. power grid increasingly relies on gas-fueled generation, regulators at the North American Electric Reliability Corp. have pressed for the gas industry to follow the same binding cybersecurity standards that apply to the high-voltage power grid.
TSA spokeswoman Lisa Farbstein defended her agency’s voluntary approach, noting that it "continues to achieve desired results in protecting pipeline infrastructure."
The natural gas industry remains firmly opposed to mandatory federal cybersecurity rules, industry groups said in response to queries from E&E News. The industry also doesn’t favor comprehensive voluntary benchmarking of the gas sector’s cyber readiness, an issue raised this year by Sen. Maria Cantwell (D-Wash.), ranking member on the Senate Energy and Natural Resources Committee.
The oversight of pipeline cybersecurity was raised by the outgoing Obama administration’s Energy Department, which called for an audit of companies’ defenses.
Industry groups cite new measures taken this year to strengthen defenses against cyber and physical attacks, such as agreements to share more cyberthreat information with the electric power sector.
Gas industry representatives also took part for the first time in the GridEx IV training exercise last month, which tested participants with a set of simulated cyber and armed assaults on U.S. electric networks. In the midst of the event, the "attackers" shifted targets, suddenly hitting compression stations that maintain flows of natural gas to power plants, factories and heating customers.
The inclusion of the natural gas infrastructure in the top-level biennial grid "war games" came at the end of a year of increased concern about the security of gas networks and other critical infrastructure sectors.
"We still don’t have the metrics needed to measure the relative cybersecurity of our pipeline systems," Cantwell said at a Senate hearing in April, in an exchange with Dave McCurdy, president and chief executive of the American Gas Association. Cantwell asked McCurdy to work with the committee staff in exploring benchmarks.
Asked about that request, McCurdy cited "progress toward raising the overall cybersecurity readiness of our industry" through information-sharing efforts and best practices.
"Safety is a core value and our top priority," he said in a statement this week. "Our experience in this area has taught us that a proactive, collaborative, public/private partnership approach to cybersecurity more effectively supports a robust cybersecurity posture than a static regulatory checklist."
Representatives of the Interstate Natural Gas Association of America and the American Petroleum Institute did not specifically address the benchmarking question in response to E&E News emails.
"Pipeline operators use a number of tools and resources to assess and evaluate their security practices, including but not limited to the INGAA Control System Cyber Security Guidelines for the Natural Gas Pipeline Industry" and government voluntary best-practices guidelines, INGAA said in a statement. "In using these tools, operators strive for continuous improvement of their security practices," it said.
Adding the NIST Cybersecurity Framework into the mix could press pipeline operators to draft a "profile" of their defense capabilities, keying in on five areas: identifying cyberthreats, protecting against them, detecting hackers, and responding to and recovering from incidents.
How the framework will be applied and reviewed in practice remains to be seen. A special E&E News report in May found that TSA was critically understaffed in fulfilling its cybersecurity oversight responsibility for the gas pipeline network (Energywire, May 25).
Cantwell and Rep. Frank Pallone (D-N.J.), the ranking member on the House Energy and Commerce Committee, asked the Government Accountability Office in July to make an assessment of the cyber and physical security protections for natural gas, oil and other hazardous pipeline infrastructure, and gaps in policy that require attention. The GAO has not completed the work.
However, another GAO report this month found that TSA does not always align its surface transportation inspections — a category that includes gas pipelines — with the results of its risk assessments. The report declined to specify whether pipelines were one of the high-risk modes identified by TSA analysts, citing national security sensitivities.
Finding a baseline
Power companies subject to the federal cyber regulations are given confidential NERC compliance audits by grid reliability coordinators. ReliabilityFirst Corp., which oversees 230 power industry companies and organizations in the Mid-Atlantic and eastern Great Lakes regions, said audits don’t provide fail-safe assurance of top-level cybersecurity readiness, but they provide a baseline for assessments.
"Although compliance alone does not guarantee secure operations, an entity’s failure to maintain baseline CIP compliance may be indicative of an entity struggling to ensure the security of its system," ReliabilityFirst said.
"The bottom line, I think we’re seeing a maturation, seeing the [power] companies getting stronger in understanding the emerging threats and implementing programs to meet those challenges," Jason Blake, ReliabilityFirst’s vice president and general counsel, told E&E News. "It’s still developing. We don’t want to open up the champagne too soon" (Energywire, May 17).
Threats of cyberattacks on all critical infrastructure sectors continue to increase in sophistication, experts agree.
Yesterday, the Federal Energy Regulatory Commission issued a proposed rule that would direct NERC to expand rules for mandatory reporting of cybersecurity incidents, to gain better warning against complex campaigns.
As the rules now stand, regulated utilities are required to report only attacks that succeed in disrupting or compromising critical operations.
The proposed rule would also require reporting of probes, surveillance scans and other intrusions that had no immediate impact, and attacks that did not succeed.
Researchers and utilities in the electric sector are working on a new system of voluntary cybersecurity benchmarks, of the kind Cantwell has asked about, that could be applied in the gas sector, its developers say.
Called the "Cyber Security Metrics for the Electric Sector," the 2-year-old research project is a high priority for the Electric Power Research Institute, said EPRI’s Matt Wakefield, one of the project’s leaders.
The goal is to use a detailed survey of utility cybersecurity policies and practices to quantify each participating company’s performance and create an industrywide benchmark, Wakefield said.
"When one [utility] implements a new cyber security solution that costs $500,000, how can the value of the investment be correctly quantified? When a policy was changed to enforce more complex passwords, what is the incremental security value achieved through the change?" EPRI asked in a description of the project.
"Prior to this EPRI project, little had been done in the electric utility industry to gather and quantify measurable, relevant information in the cyber security area," EPRI said. "Systematically gathered historical data provide utilities with essential information for establishing realistic cyber security policies while identifying optimal security investment strategies. This study confirms the need for a set of metrics based on real-world data."
The project’s promise is that a large response from utilities would create a baseline in each of the question areas, so that a utility could not only see where it performed well and not well, but also compare its results with industrywide averages.
The combination of looking at overall protection — threats, detection and response — will give a bigger picture of where the investments [in security] need to be, Wakefield said. More than 100 survey questions cover those three areas, including the number of confirmed cyber intrusion attempts per month and, among those, how many required human intervention; how many employees have access to cyber-sensitive systems; and the number of threat-hunting investigations per month, all related to a utility’s size.
Some results are likely to be revealing. One utility that took a pilot test got a score of 6.2 out of 10 on questions measuring its cybersecurity protections. "Their response was, ‘I thought we would be better than that,’" Wakefield said. On the other hand, he said, "6.2 might be off-the-charts great." That won’t be known until the data are available and analyzed.
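The benchmarking idea in the two paragraphs above (size-normalized survey metrics, an industry baseline, and a score that only means something once peers' data exist) can be made concrete. The following is an added illustration written for this page, not EPRI's survey or its scoring method: the survey fields, the per-1,000-staff normalization, the choice of which metrics have a "better" direction, and the 0-10 score (the share of peers a utility matches or beats, averaged across scored metrics) are all assumptions, and the four utility responses are constructed sample data.

```python
"""
Benchmarking utility cybersecurity survey metrics against an industry baseline.
Added illustration; the survey fields, normalization and scoring here are
assumptions, not EPRI's "Cyber Security Metrics for the Electric Sector" method.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SurveyResponse:
    utility: str
    employees: int                      # headcount, used as the size normalizer
    intrusion_attempts_per_month: float  # confirmed attempts detected
    attempts_needing_human_intervention: float
    staff_with_sensitive_access: int    # people with access to cyber-sensitive systems
    threat_hunts_per_month: float


# Constructed sample responses (not real utility data).
RESPONSES = [
    SurveyResponse("Utility A", 2000, 40, 10, 120, 4),
    SurveyResponse("Utility B", 5000, 150, 60, 500, 5),
    SurveyResponse("Utility C", 800, 12, 2, 40, 3),
    SurveyResponse("Utility D", 12000, 300, 45, 600, 24),
]

# Which direction counts as stronger posture (assumed). The raw intrusion-attempt
# count has no clear direction (more confirmed attempts may mean better detection
# or more exposure), so it is reported against the baseline but not scored.
HIGHER_IS_BETTER = {
    "human_intervention_rate": False,   # more attempts handled automatically
    "sensitive_access_share": False,    # fewer people holding privileged access
    "threat_hunts_per_1k_staff": True,
}


def normalize(r: SurveyResponse) -> dict:
    """Scale raw counts to the utility's size so companies of different sizes compare."""
    attempts = r.intrusion_attempts_per_month
    return {
        "intrusion_attempts_per_1k_staff": attempts * 1000 / r.employees,
        "human_intervention_rate": (r.attempts_needing_human_intervention / attempts) if attempts else 0.0,
        "sensitive_access_share": r.staff_with_sensitive_access / r.employees,
        "threat_hunts_per_1k_staff": r.threat_hunts_per_month * 1000 / r.employees,
    }


def baseline(responses) -> dict:
    """Industry-wide mean of each normalized metric."""
    rows = [normalize(r) for r in responses]
    return {k: mean(row[k] for row in rows) for k in rows[0]}


def relative_to_baseline(r: SurveyResponse, responses) -> dict:
    """Ratio of the utility's metric to the cohort mean (1.0 means exactly at baseline)."""
    base = baseline(responses)
    return {k: v / base[k] for k, v in normalize(r).items()}


def at_least_as_good(mine: float, theirs: float, higher_is_better: bool) -> bool:
    return mine >= theirs if higher_is_better else mine <= theirs


def posture_score(r: SurveyResponse, responses) -> float:
    """0-10 score: mean share of peers the utility matches or beats on each scored metric."""
    mine = normalize(r)
    peers = [normalize(p) for p in responses if p.utility != r.utility]
    shares = []
    for metric, hib in HIGHER_IS_BETTER.items():
        matched = sum(at_least_as_good(mine[metric], p[metric], hib) for p in peers)
        shares.append(matched / len(peers))
    return round(10 * mean(shares), 1)


if __name__ == "__main__":
    for r in RESPONSES:
        rel = relative_to_baseline(r, RESPONSES)
        print(f"{r.utility}: score {posture_score(r, RESPONSES)}/10, "
              + ", ".join(f"{k}={v:.2f}x" for k, v in rel.items()))
```

Because the score is relative to the cohort, it only carries meaning once enough utilities have answered; with the constructed data, Utility A lands at 4.4 out of 10 while sitting below the baseline on detected attempts per 1,000 staff, which shows why a single absolute number like the 6.2 in the pilot cannot be judged until the industry-wide data are in.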
Fourteen large U.S. utilities are testing the survey or participating in the project’s working group. Documenting their experiences is a major goal for 2018, Wakefield said.
"Next year is going to be a key year, and we need a lot of success in improving how we collect the data and showing the value of the project. It would be nice to have some successes," he added.
Next year is also an opportunity to reach out to other infrastructure sectors, like gas, he said. Some of the EPRI program participants operate both electric power and natural gas systems, but at this stage, the gas side is not involved, Wakefield said. "I have not engaged personally with any of the pipeline organizations," he said.