‘Every day thing’
Energy execs always thinking of next attacks
Mike Howard says working to thwart attacks like the one that hit Colonial Pipeline Co. is nothing new for a company like his. And it’s a never-ending battle.
“It’s a constant, every day thing,” he said this week. “It’s an ever-changing technological problem. They figure out a new way to hack you and then we design new systems and practices to respond.”
Howard is chairman and CEO at Howard Energy Partners, a midstream energy company based in San Antonio. It operates multiple pipelines carrying natural gas, crude oil, hyrdogen and refined products. In addition to pipelines, it owns and operates natural gas processing plants, liquid storage terminals, deep-water dock and terminal facilities, rail, terminal and transloading facilities and related assets.
Howard — whose company has operations in Texas, New Mexico, Oklahoma, Pennsylvania and Mexico — spoke by phone Wednesday about the cyberattack on Colonial Pipeline, its shutdown last Friday, and what it means. The following conversation has been edited for brevity and clarity.
Q: How does the existing energy infrastructure in this country make us vulnerable to this kind of attack?
A: One of the first things you have to understand is how much of the energy we use comes
through pipelines. Diesel, natural gas, propane — almost all of that comes from pipelines. The good news is it’s a distributed network that is often duplicated in most areas. Meaning that there are regional redundancies.
An attack like this was very unique because this particular pipeline handles up to 45 percent of gasoline and diesel flowing to its end points. It’s connecting the largest refining complex in the country — the Texas and Louisiana Gulf Coast — and taking those products where we need them most, which is the populated regions of the Northeast. And the Southeast as well, to some extent.
I never want to say something like this isn’t a big deal. But the good news is that because of the redundancy we have, it would be hard to shut down large regions of our energy infrastructure for extended periods of time.
I’m not concerned that we could have an attack that could shut down half the country or even half the state through attacking pipeline infrastructure.
Hurricane Harvey started in Corpus Christi and went up the Houston Ship Channel. It shut down large swaths of infrastructure and the country didn’t shut down. Those sorts of weather-related things worry me more than a single attack on a pipeline company like the Colonial Pipeline hack.
Q: I’ve heard of pipelines being attacked by terrorists to cause destruction, or pipelines attacked by criminals who want to siphon off oil and gas to control their own resources, but this is the first time I’ve heard of a cyberattack on a pipeline. Is this something you and your industry have heard of before Friday?
A: We’ve heard of it a lot. We’ve been preparing for it a lot. This is a common conversation in our industry, dating back as far as 9/11.
We conduct cybersecurity training all the time. I’m in peer CEO groups in which we discuss it constantly. Ransomware is very common right now.
Q: How vulnerable are certain regions of the country to this kind of attack? Are there geographies where a pipeline going down would cause massive longlasting damage?
A: When I think of long term, I think of longer than two weeks. It’s hard to come up with a scenario where this couldn’t be fixed in a short time frame.
Because of the distributed network and redundancy, I don’t see long-term problems as a realistic possibility. Especially with liquid products, you can truck them. You can use ships, trains and trucks to fill in some of the short-term needs.
Q: Are some places immune to this kind of chokehold because there are multiple ways to move oil and gas around?
Q: If Colonial went down in Texas, we’d be shipping (oil and gas) from other sources. If you’re going to parts of Pennsylvania maybe, if they don’t have another refinery, that’s a bigger deal there.
Q: I imagine lots of midstream energy companies are reluctant to embrace huge additional regulatory oversight as a result of this attack, but are there federal, state or industry-driven safety regulations you think companies should be considering?
A: There are federal regulations we already have to comply with, that control our infrastructure. We already have best practices and oversight of these systems.
There is a National Institute of Standards and Technology, and the specific department is the Department of Energy’s Cybersecurity Capability Maturity Model. Those are things that companies are already using for the latest and greatest technology developments. And responding to hacks.
An example of best practices derived from those organizations is that we try to separate our business systems and our pipeline operational systems. We separate delivery and business operations into different buildings and different servers, using different personnel.
In addition to thinking about the role of energy delivery through our pipelines, I also concern myself with hackers shutting down my entire company. Our company operates in four states and in Mexico. So attacking a single pipeline is one thing. Attacking my entire company is another.
Q: Is there a common standard of anti-hacking the industry has adopted? Or is this all so new that every company would have its own safety/compliance/ anti-hacking measures?
A: This is not new. It’s very common. We all concern ourselves with this. It’s a constant, every day effort to stop cyberattacks.