IPRO

View Original

PIPELINE CYBERSECURITY IN THE SHADOW OF THE UKRAINE WAR.

(Comments delivered during the workshop held by The East Harris County Manufacturers Association & Houston Ship Channel Security District)

  • We’re here today because GEOPOLITICS IS ABOUT TO ENTER OUR DOMESTIC CYBERSPACE, perhaps in a big way. Our domestic natural gas and oil pipeline infrastructure is vulnerable to attack. No surprise there. That makes the electric system vulnerable too, as Texas knows. There are few industrial complexes more exposed and vulnerable to physical and cyber threats than the Houston Ship Channel. That said, cyber is keeping a lot of people up at night!

    “America Isn’t ready for the Cyber Attacks That Are Coming” NYTimes 3/5 “Russian Hacking Threat Hovers Over U.S. Gas Pipelines” Politico 3/2 “Biden’s infrastructure bill won’t protect your corporation from cyber attack – you’ll have to do that yourself.” The Hill 12/1/21

  • 2021 was the year cybersecurity became everyone’s problem. Risks are now systemic. If it were not for the ransomware attack on Colonial, this conversation probably wouldn’t be happening. But, ransomware and extortion attacks (Colonial, JBS meatpacking, and other money-motivated attacks) are only one part of the challenge. They may cover up far deeper attacks on control systems that render hard drives and devices useless, or worse.

  • While IT departments have often not understand or shared responsibility for operations, IT, OT, and IoT are now converging under security management. That’s because the potential for financial and environmental impacts from attacks on operations can far exceed impacts from attacks on IT. “Payouts pale in comparison to business losses due to production downtime, which are in the Billions.” (Velta Technology) Cyber intrusions can change pipeline pressures, manipulate valves, take over SCADA and ICS systems, force tanks to overflow, speed or slow processes, and essentially “weaponize” energy facilities.

  • What needs to be done? Everyone agrees public-private partnership is necessary. The Transportation Security Administration (in DHS) has jurisdiction over the security of the massive network of pipeline facilities. However, this little agency is no match for the moment. After Colonial, TSA directed after-the-fact incident reporting and review of individual pipeline practices that are essentially voluntary. Yet, trade groups found TSA’s measures too prescriptive. Elsewhere, regulators are pushing for more mandatory pipeline standards and/or a more centralized approach to setting and enforcing standards across all industries.

  • There’s a more fundamental problem. Government’s responsibility for overseeing the security of oil and natural gas pipelines is shared among agencies that regulate pipeline safety, agencies with authority over pipeline economics, over energy policy, over surface transportation, as well as agencies setting or enforcing standards. In Congress, scores of committees and subcommittees have some level of cybersecurity responsibility. There are simply too many cooks in the kitchen – and few have any agreement or understanding about how pipelines operate or what pipelines can or should be doing to prepare for this threat environment.

  • I wish I could say that the gas and oil pipeline industry’s response to actual or anticipated cyber threats is transparent and coherent so that the state and adequacy of its protections were understood and sure to be executed upon. Perhaps the paucity of OT attacks on pipelines to date has made innovation less likely – “if it ain’t broke, don’t fix it.” Even the Cyberspace Solarium Commission, created by Congress to rouse the government to action, has concluded that, despite all the warnings about the need to erect more formidable cyber barriers and ratchet up recovery capabilities, only a major emergency is likely to get us off the dime.

  • In the midst of all this, there is a new, fresh approach – the International Pipeline Resilience Organization. It’s a bottom-up, not a top-down, approach. We designed IPRO as a non-profit entity -- a pipeline-focused, self-regulatory, industry-driven organization that will use collaboration to provide the following benefits:

    • √ A proactive rather than reactive industry posture, with the industry collectively in charge of ensuring the best security management across the board

    • √  Risk management at scale that ensures more predictable standards compliance and controls, rather than vague go-it-alone practices and reliance on after-the-fact reporting

    • √  More regular, efficient, and transparent communications with government regulators, for mutual benefit

    • √  Let’s discourage or foreclose the inclination of agencies, which often lack knowledge of pipeline operations, to mandate security practices from Washington

    • √  Collective action by energy companies will enable them to access, and make the best use of, increasingly scarce and costly cybersecurity expertise

  • If Russia uncorks major OT attacks on this or other industries, expect a rash of finger-pointing and new regulations. But, why wait for that? Our domestic pipeline cybersecurity expertise needs to be marshalled in orderly fashion for the protection of all pipelines. One security expert put his finger on the solution, “a more collaborative approach to critical infrastructure cyber security, such as the one used in the North American power industry, would be a major step forward.” (Eric Byres, Cyberwirepro, 12/2/21)