October was National Cybersecurity Month, and it came at a critical time as security concerns across multiple industries abound. Corporations, policymakers, and individuals are reminded on a nearly daily basis that all connected devices, infrastructure, databases, and other information networks are potentially at risk of cyber intrusion.
Millions of government workers’ – and in some cases their relatives’ – personal information was stolen when the Office of Management and Budget’s personnel files were breached. We learn about new data breaches on a regular basis affecting credit cards and banking information, or other personal identifying information stored in social media platform databases. Many are rightfully concerned about the security of all electronic systems. As mid-term elections approach next week, people have even begun to ask whether we can rely upon the security of our polling places.
Attacking this issue head on, the Department of Homeland Security (DHS) is raising awareness about the importance of cybersecurity through a collaborative government and industry effort designed to raise awareness of potential threats, and to increase the resiliency of the country from threats.
Recently under fire, the energy industry is also showcasing its efforts to secure critical infrastructure from cyber threats. The Oil and Natural Gas Subsector Coordinating Council just released a report pushing back against Trump Administration agencies that have recently questioned the vulnerability of natural gas pipelines as part of an effort to enhance grid “resilience”. Many believe these efforts are more directed at providing a lifeline to uneconomic coal and nuclear power plants than they are at addressing the security of natural gas infrastructure.
Earlier this year the Department of Energy Secretary Rick Perry said, “I think there is a considerable vulnerability to our pipelines, particularly as we use more gas.” Perry was of course referring to the amount of natural gas that is now used to produce electric power. The report shows that these statements are not based on fact and points to various steps the industry has taken to harden its systems and increase resiliency through disconnected nodes and backup systems.
Whatever his intentions, Perry may have caused some unnecessary concern about pipeline safety and sparked a turf war of sorts within the administration. Pipeline safety is regulated by the Department of Transportation while the DHS has primary jurisdiction over foreign cybersecurity threats. Perry and others have suggested revisiting that issue, and of course possibly shifting responsibilities to the Department he oversees.
A DOE memo leaked earlier this year to the National Security Council citied a 1950’s era defense statute as giving DOE jurisdictional authority and legal justification to trigger emergency authorities under the Federal Power Act.
The real question then, is what is the administration’s priority – protecting energy infrastructure from cyber intrusion or bailing out uneconomic forms of energy? In an earlier Houston Chronicle article, one pipeline executive made his opinion known, saying, “They are certainly using every argument they can come up with to try and justify [the emergency order to bail out uneconomic coal and nuclear power plants]….”
That executive went on to say that if security were the issues, the administration’s public statements might be counterproductive. Like defending any other asset or territory, advertising efforts being taken to ensure security can defeat the purpose of taking such actions.
Regardless of the motive, natural gas pipeline organizations have had to respond. Don Santa, president and CEO of the Interstate Natural Gas Association of America (INGAA) stated in a recent commentary that, “Natural gas pipelines can be targeted by cyberattacks. So can electric grids. And power plants. And hospitals, city governments, banks, entertainment companies, and virtually anything ese that exists in the digital age” as he laid out the case that pipelines are no different than any other sector. This week’s white paper points out that natural gas production, distribution, and storage is not centralized and consists of many layers, redundancies, backups, and mechanical systems immune from compromise.
Critical infrastructure is always at risk of cyber intrusion. As INGAA’s Santa pointed out, this threat is not limited to natural gas pipelines. The administration is right to focus on defending important energy infrastructure to strengthen power system resilience. The administration is also right to raise awareness of and build defenses against the threat of cyber intrusions.
However, narrowing the focus of cyber vulnerabilities to only natural gas infrastructure is akin to missing the forest for the trees. And artificially stimulating reliance on other resources is essentially playing Russian Roulette. The administration would be guessing that natural gas lines are a more likely target than other parts of the power system. A better approach would be a comprehensive assessment of the entire power sector cyber vulnerabilities across the U.S., followed by discrete and concrete actions to mitigate or eliminate these vulnerabilities.