Third-party contractors — our weakest cyber link — need to be held accountable
Congress should support efforts to further protect pipelines from cyber threats
This week my organization, the Interstate Natural Gas Association of America, testified before Congress to highlight how natural gas pipeline operators are responding to cyber and physical security threats and to call for increased collaboration with our government partners. Our message is simple - while much is already being done, we must continually improve our vigilance, because adversaries seeking to disable infrastructure of all kinds, including natural gas pipelines, are nimble and the threats they pose are real.
The critical role that energy plays in driving our economy is well understood and this is especially true for natural gas infrastructure, which serves as the indispensable link between natural gas producers and consumers. Correspondingly our industry takes its security responsibilities extremely seriously. Cybersecurity, in particular, is a C-Suite priority for pipeline companies and has expressly been labelled as a top-operational risk.
In recognition, INGAA's Board proactively developed its 'Commitments to Pipeline Security' which outline the specific actions that our members take to identify, protect, detect, respond to, and recover from security threats targeting our systems. Of course, this is just the tip of the iceberg. Operators use a broad-range of tools to assess and manage risk effectively, including the NIST Cybersecurity Framework and the TSA Pipeline Security Guidelines.
A foundational element of these efforts is effective collaboration. Real-time, actionable information is vital to ensure pipeline operators are equipped with the latest intelligence on threats, including known tactics, techniques, and mitigation measures.
Information sharing already occurs today through the work of the Downstream Natural Gas and the Oil and Natural Gas Sharing and Analysis Centers and the pipeline industry has an effective relationship with partners at Transportation Security Administration and U.S. Department of Homeland Security. However, information classification sometimes inhibits the timely sharing of important threat intelligence, potentially leaving critical infrastructure owners and operators in the dark about serious cybersecurity risks.
The implications are real, and were recently acknowledged by Dan Coats, the Director of National Intelligence, who stressed that sophisticated nation-state backed cybersecurity capabilities present a genuine threat to our critical infrastructure.
Given these warnings, it has been asked whether the natural gas pipeline industry should be subject to mandatory regulations. While such questions are understandable, our view is that it is essential that we have a process that enables flexibility and allows us quickly to adapt and update protocols given the speed at which our adversaries are evolving in sophistication.
Experience shows that mandatory standards often are outdated almost as soon as they are introduced. We need the flexibility and ability to build on our baseline practices in a way that matches the nimbleness of our adversaries. This is a quintessentially 21st Century challenge, and it demands greater information sharing and collaboration as the foundation to facilitate truly innovative 21st Century solutions.
TSA and DHS are working through the National Risk Management Center to understand how sophisticated, nation-state threat actors seek to identify ways to harm U.S. critical infrastructure. This is a positive step toward responding to these risks and protecting our nation. The significance of such an approach is that it acknowledges that the cyber-attacks cannot effectively be analyzed in isolation. Critical infrastructure of all kinds is being targeted, so we must craft our response with a similarly holistic approach.
In October, TSA and DHS announced the Pipeline Cybersecurity Assessment Initiative, which aims to conduct a comprehensive series of cybersecurity assessments to understand better the risks faced by our infrastructure, as well as to identify how best to protect it. TSA already piloted one INGAA member assessment in late 2018, and our members have begun to volunteer to participate in the 2019 program.
The natural gas pipeline industry will continue to support TSA as it enhances its capabilities to respond to the evolving threat. The industry is committed to multiple efforts, including volunteering personnel and resources for federal assessments, sharing information about indicators of compromise, and participating in cross-sector exercises. These activities are creating the blueprint for how the different segments of critical infrastructure can and must work together to support cybersecurity.
But industry alone cannot guarantee the security of our critical infrastructure. The growing threat of attacks by hostile foreign actors requires a coordinated, comprehensive approach that includes the federal agencies supporting national security.
We urge Congress to support TSA's efforts to improve its program. Additional funding is required for agencies to hire cybersecurity experts who can implement the new Pipeline Cybersecurity Assessment Initiative. This initiative and others will supplement efforts already underway and help TSA succeed in its mission to protect the nation's pipeline infrastructure.
The growing threat of nation-state backed cyber-attacks requires a coordinated and comprehensive approach across all critical infrastructure systems and across all Federal agencies supporting national security. INGAA and its members stand ready to play our part, as we continue to deliver the natural gas that drives America's economy.
Don Santa is the President and CEO of the Interstate Natural Gas Association of America (INGAA) and a former Member of the Federal Energy Regulatory Commission.