Why the Pipeline Cybersecurity Initiative is a critical step

It’s well known by now that pipeline attacks and attacks on utilities of all kinds have been an unfortunately well-trodden path by cyber-adversaries in numerous countries for a few years now. These types of attacks are not theoretical, and the damage done to date—as well as the potential damage—is significant.

With this backdrop, it was encouraging to see a few months ago that that the U.S. Government was working in a coordinated fashion to push for a more coordinated effort around pipeline security. As part of the annual Cybersecurity Awareness Month each October, the U.S. Department of Energy (DOE) and Department of Homeland Security (DHS) met with the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) to discuss ongoing threats having to do with pipeline security, resulting in the Pipeline Cybersecurity Initiative.

According to Hunton Andrews Kurth, the Pipeline Cybersecurity Initiative “will harness DHS’s cybersecurity resources, DOE’s energy sector expertise, and the Transportation Security Administration’s (TSA) assessment of pipeline security to provide intelligence to natural gas companies and support ONG SCC’s efforts.”

And even though the Pipeline Cybersecurity Initiative is in its earliest stages, it’s worth discussing the key items that it relates to and how it might impact better cybersecurity hygiene going forward across the industry as a whole:

• Timing—The timing for this initiative is important. No longer can industry observers and experts claim that pipeline, energy, and utility security is not an issue. As indicated above, this is a genuine problem that has real-world implications. Moreover, we know that this issue has occurred in a number of different countries.
• Industrial Internet of Things (IIoT)—IIoT is a topic that continues to be raised in meetings with customers and partners around the world. Some of those customers are in financial services (think ATMs) while others are in healthcare (think imaging machines) and yet others are of course in energy (think pipelines, pumping stations, etc.). My point is that across unrelated industries, this topic is a very real area that companies are increasingly taking seriously. Utility Dive summarizes this well, “With the prevalence of automation and digital sensors, pipelines moving a physical commodity, like oil or natural gas, are vulnerable to cyber-intrusions, just as a transmission line or power plant.”
• Public-private partnership—The public-private nature of this partnership makes good sense and is great to see. For instance, it was important to see this mentioned so openly by the TSA in one of the accompanying statements and is a clear indication that this is a complex issue that requires broader coordination and partnership. “The TSA is committed to the mission of securing the nation’s natural gas and oil pipelines, and values longstanding relationships with pipeline operators across this great nation,” said TSA Administrator David Pekoske. This also builds on some of the past few years of efforts in this realm in the U.S. specifically.
• An international issue—Beyond the U.S., other countries working on similar initiatives should be mentioned. While not a comprehensive list, it would be remiss not to mention other parts of the world that also either suffer from or worry about this issue, including the U.K., Denmark, and Australia.

To those of us in the cybersecurity world, energy security as it relates to cyberthreats has been a concern for a while. The known attacks have been disconcerting and people beyond the energy industry have recognized this. Practitioners and defenders have been doing fabulous work, and the Pipeline Cybersecurity Initiative will help ensure that additional resources, information-sharing, and coordination will help mitigate additional cyber-related risks against the U.S. energy industry in the coming years. For more information on infrastructure security, read Defending critical infrastructure is imperative and listen to the Cybersecurity Tech Accord web seminar, Cyberattacks on infrastructure.