The May 2021 attack on Colonial Pipeline — thought to be the largest successful cyberattack on oil infrastructure in U.S. history — led the Department of Homeland Security’s Transportation Security Administration to issue the first mandatory cybersecurity standards for pipelines, after years of relying solely on voluntary guidelines. But Democratic lawmakers, regulators and cybersecurity experts say those standards don’t go nearly far enough, and fall short of the binding standards that the U.S. electricity sector has spent years developing.
U.S. regulators or the gas pipeline companies themselves need to address that gaping hole in the nation’s energy security, experts say — noting that the gas and electricity sectors increasingly depend on each other.
“We say ‘gas and electricity’ as if they’re separate — they aren’t,” said Craig Miller, a research professor of electrical and computer engineering at Carnegie Mellon University, and former chief scientist of the National Rural Electric Cooperative Association. “You don’t move gas without electricity: You need pumps. And you don’t make electricity without gas.”
The Russian invasion of Ukraine has only exacerbated fears of a cyberattack on critical energy infrastructure. Energy Secretary Jennifer Granholm urged energy executives last week to prepare “to the highest possible level” for a potential cyberattack from Russia.
“While there remains no specific credible threat to the homeland from Russia, that I am aware of, the U.S. Government has been working with energy sector owners and operators to prepare for all geopolitical contingencies,” she wrote in a letter to industry trade organizations.
The nation has grown more reliant on natural gas as a power resource — the fuel made up 37 percent of the U.S. electricity mix in 2021, according to the U.S. Energy Information Administration, compared to 25 percent a decade ago — and the challenges of connecting the two energy systems have been a focus of federal regulators for years. Meanwhile, digital technology increasingly runs the systems that control critical infrastructure, making all energy infrastructure more vulnerable to cyber risks.
But the laxer standards governing the gas sector make pipelines more of a target, critics of the existing regulations say. A 2021 report from cybersecurity company Black Kite estimated 28 percent of oil companies and 25 percent of the natural gas sector are “highly likely” to incur a ransomware attack, versus 17 percent of the electric sector. The findings were based on an analysis of energy control systems that found companies have not done enough to protect their software systems from a cyberattack.
The easiest way to think about the difference between the industries — and how pipeline vulnerabilities could harm the grid — is to picture the standards a gas plant must meet, said Tobias Whitney, a former official with the North American Electric Reliability Corp. who is now vice president of strategy and policy at the cybersecurity firm Fortress. NERC is the power grid’s regulatory authority that develops and enforces reliability standards on the bulk power system. The agency is regulated by the Federal Energy Regulatory Commission.
The power sector is governed by 13 critical infrastructure protection standards developed by NERC and FERC — 12 of which are related to cybersecurity. A power plant would be required to meet those standards — which are mandatory and enforceable — Whitney said, but the natural gas compressor station half a mile away that controls how fuel flows to the plant through the pipeline system would not be subject to those same standards.
“You see pipeline infrastructure that is not secure in the same manner that you’ve seen in the plant,” Whitney said. “There’s no guards, there’s minimal access controls. And that compromise of that pump station could lead to that entire plant [being] inoperable.”
“There’s a definite vulnerability there: I don’t have to take out the power plant if I want to disrupt the operations of that plant through the gas infrastructure,” he added.
Leaders of FERC, who can direct NERC to develop specific standards and ultimately approve those rules, have spent years calling for regulations for the pipeline industry that mirror the electric sector’s rules. In a 2018 op-ed then-Chairman Neil Chatterjee, a Republican, and now-Chairman Richard Glick, a Democrat, also argued that pipeline security should fall under the Department of Energy. DOE, unlike TSA, has an entire office dedicated to cybersecurity risks, while TSA as of 2017 had just six full-time employees to oversee the security of the nation’s more than 2.6 million miles of pipelines, though the agency has since hired more staff and says it now has enough to enforce its new rules.
And a draft plan from the Trump administration in 2018 to bail out coal and nuclear plants for “resilience” purposes cited cybersecurity concerns of gas pipelines in its memo circulated among trade groups. “Natural gas pipelines are increasingly vulnerable to cyber and physical attacks,” the memo read. “The incapacitation of certain pipelines through the United States would have severe effects on electric generation necessary to supply critical infrastructure facilities.”
Separately, Rep. Bobby Rush (D-Ill.) introduced a bill late last year that proposed bringing cybersecurity standards for the gas pipeline sector under FERC’s jurisdiction — creating an entity similar to NERC but for the pipeline sector.
“Vladimir Putin’s invasion of Ukraine has thrust the issue of energy security into the spotlight yet again,” Rush said in an emailed statement Friday, adding that his bill would create “mandatory, necessary —and frankly, overdue — standards that would address both cyber and physical risks to our energy security.”
But the bill failed to get bipartisan support. Rep. Fred Upton (R-Mich.) said during a hearing that the bill “would dramatically expand FERC: transforming a relatively tiny agency into a behemoth with regulatory powers over America’s energy system.”
The pipeline industry also opposes the bill, saying it “risks complicating and impairing ongoing efforts to protect pipelines” by imposing “duplicative and conflicting federal oversight authority,” according to the Interstate Natural Gas Association of America. Further, INGAA disputes the idea that electricity standards are more stringent than those for the gas industry, saying “they are simply different.”
But the pipeline industry also has plenty of criticism for its current regulator’s efforts.
Since the cyberattack on the Colonial Pipeline, TSA has issued two directives to the pipeline industry: One requires pipeline owners and operators to report incidents to DHS’ Cybersecurity and Infrastructure Security Agency and have a cybersecurity coordinator available 24/7; a second requires pipeline owners and operators to implement measures to prevent or limit the effect of ransomware attacks and review their systems’ security against such attacks.
INGAA calls the standards “very prescriptive” and said it would prefer some of the more flexible aspects of the electricity standards set by FERC and NERC. However, the pipeline group proposes that TSA take direction from those agencies, rather than shifting oversight to FERC and NERC altogether.
Black Kite’s chief security officer Bob Maley also said regulatory standards “aren’t always the solution” in that the federal government tends not to be as agile as the private sector. For instance, President Joe Biden’s executive order on cybersecurity issued last year had “a lot of good stuff,” but reports stemming from the order ultimately won’t be released until two years out from Colonial — by which time bad actors have already probably found a new vulnerability to exploit.
Whitney argues that FERC oversight is a “reasonable” approach to ensuring standards are better integrated into the everyday practices and operations that come with running a power facility. Giving FERC cybersecurity oversight over the gas pipeline system would allow the agency to develop standards for the two sectors in step, including communications protocols dictating how the electric and gas sectors should communicate with each other if part of a facility goes down, he said.
The industries have been plagued by a lack of coordination recently. During the blackouts that struck Texas last year, leaving millions of people without power, one of the issues FERC later identified was that most natural gas pipeline infrastructure was not registered as critical load — meaning when the state’s grid operator triggered rolling blackouts, compressor stations and other critical pipeline equipment that needs electricity to operate were shut down, despite being necessary for the operation of natural gas plants. This contributed to further outages by lessening the amount of gas available for power plants.
Similar questions of coordination need to be answered in cybersecurity protocols, said Whitney.
“If there is, say, a cybersecurity incident at a natural gas facility that serves electric power infrastructure, who should be part of that communication?” he asked. “When should the generation facility and or the utility be notified if there’s an issue or a potential issue? What’s the expectation for information sharing between natural gas and electric power?”
Bringing the gas sector under FERC jurisdiction would take advantage of the agency’s “tremendous amount of infrastructure,” including staff expertise and a well-defined rulemaking process that includes industry feedback.
The cyberattack on Colonial Pipeline may have woken the industry up to some of the vulnerabilities of the pipeline industry, Miller said, but developing robust protections “takes years and takes a culture shift,” including training an entire workforce, creating multiple layers of defense and constant internal monitoring.
“We are largely — overwhelmingly — unregulated and unmonitored from a cyber perspective in both the gas and the … electricity industry,” he said.
“After Colonial, people said, ‘OK, it’s a big job; let’s start getting better.’ But that’s a big list. You can’t just say, ‘Install this part and monitor it; there’s a lot more to it.’”
[flexi-common-toolbar] [flexi-form class=”flexi_form_style” title=”Submit to Flexi” name=”my_form” ajax=”true”][flexi-form-tag type=”post_title” class=”fl-input” title=”Title” value=”” required=”true”][flexi-form-tag type=”category” title=”Select category”][flexi-form-tag type=”tag” title=”Insert tag”][flexi-form-tag type=”article” class=”fl-textarea” title=”Description” ][flexi-form-tag type=”file” title=”Select file” required=”true”][flexi-form-tag type=”submit” name=”submit” value=”Submit Now”] [/flexi-form]