Northwest Arkansas Democrat-Gazette
Cyberthreats against pipelines raise concerns in Congress
A cyberattack that U.S. natural gas pipeline owners weren’t required to report has lawmakers taking a closer look at how the industry is handling such threats, raising the prospect of tighter regulation.
In website notices to customers last week, at least seven pipeline operators from Energy Transfer Partners LP to TransCanada Corp. said their third-party electronic communications systems were shut down, with five confirming the service disruptions were caused by hacking. But the companies didn’t have to alert the U.S. Transportation Security Administration, the agency that oversees the nation’s more than 2.6 million miles of oil and gas conduits in addition to providing security at airports.
Though the shutdowns didn’t disrupt the supply of gas to U.S. homes and businesses, it underscores that energy companies from power providers to pipeline operators and oil drillers are increasingly vulnerable to electronic sabotage. It also showed how even a minor attack can have ripple effects, forcing utilities to warn of billing delays and making it more difficult for analysts and traders to predict a key government report on gas stockpiles.
“These attacks are a wakeup call that addressing our aging energy infrastructure needs to be a priority,” U.S. Rep. Robert Latta, R-Ohio, who serves on the House Committee on Energy and Commerce, said in an emailed statement on April 5. “Bad actors are looking at any way to weaken the American energy sector.”
This isn’t the first time
hackers have had oil and gas pipes in their sights: The Congressional Research Service reported intrusions targeting pipeline communication systems back in 2012. A Web attack could “disrupt pipeline service and cause spills, explosions, or fires — all from remote locations,” the service said in a report.
The electronic systems that were targeted in the recent cyberattack help pipeline customers communicate their needs with operators via a computer-to-computer exchange of documents, such as contracts and invoices. The attacks didn’t affect operational control of the pipelines.
Even before the most recent pipeline Web attack, there were signs that the government was intensifying its focus on Web-based energy threats. Last month, the the Transportation Security Administration issued a 27-page report on pipeline security that included a section on
cybersecurity. In the report, the agency urged pipelines to take measures including establishing a cybersecurity plan, limiting network access and changing default passwords.
But the Transportation Security Administration doesn’t require operators to report Web intrusions, and it’s not clear whether the agency would have jurisdiction over an attack on a third-party communications provider. The agency requests voluntary notifications of “security incidents that are indicative of a deliberate attempt to disrupt pipeline operations or activities that could be considered precursors to such an attempt,” according to the report last month.
“[The Transportation Security Administration] will continue to work with the pipeline industry to assess any vulnerabilities associated with this incident,” Lisa Farbstein, a spokesman for the agency, said in an email Friday. “[The agency], in consultation with cyber experts, will make recommendations,
as appropriate, to the pipeline industry to mitigate concerns.”
The American Gas Association, an industry group that represents more than 200 gas supply companies, supports voluntary reporting of cyberattacks, said Dave McCurdy, the association’s president. Mandatory reporting could be counterproductive because it may set the bar too low and create a false sense of security, especially in an environment where cyber threats evolve quickly, McCurdy said by phone Friday.
“Just asking for reporting and requirements is not the answer,” he said. “We need to understand the nature of attacks. Every industry in a critical area receives attacks mostly daily.”
Tom Fanning, chief executive officer of utility owner Southern Co., said cybersecurity risks to the power grid are a “moving target.” Fanning is the co-chairman of the Electricity Subsector Coordinating Council, a group that serves as a liaison between the government and the power
industry in preparing for and responding to national disasters and infrastructure threats.
Though the “bad guys’ ability to take the electric network down is very slim, you can’t rest on your laurels,” Fanning said on the sidelines of the Bloomberg New Energy Finance Future of Energy Summit in New York. “The threat landscape continually changes.”
In February, Energy Department Secretary Rick Perry announced the department would use $96 million in funding to create an office to address cyber threats to energy. Though Homeland Security, which oversees the Transportation Security Administration, has the legal authority to oversee energy cybersecurity, “[the Department of Energy] works closely with the sector on cyber security and threat information sharing,” Shaylyn Hynes, a spokesman for the department, said in a statement.