With suggestions for improvement of cybersecurity measures and discussion of whether pipelines pose a weak link in energy infrastructure networks based on voluntary security standards, a March 28 technical conference at FERC featured leaders from FERC and the Department of Energy questioning speakers from government agencies and the private sector.
There were vows of vigilance, acknowledgement of the need for enhancements, and an emphasis on employee training to address the constantly changing threat scenarios for the power grid and natural gas pipelines. Steps being taken by the North American Electric Reliability Corp. (NERC) and government agencies such as the Transportation Security Administration (TSA) were addressed, with comments about the differences in the way pipelines and the power grid are operated.
TSA is taking actions to improve pipeline security oversight following a critical report from the Government Accountability Office in 2018, said TSA Administrator David Pekoske. Structural changes within the agency with enhanced regional presence and putting policymaking in one office and operations in one office will increase the reach of pipeline security staff, he said. A strategic goal for the agency is to accelerate action on pipeline security at the pace the industry requires and not the pace of government, Pekoske said.
Sonya Proctor, assistant administrator of surface operations at TSA, also said the internal changes will improve TSA’s oversight of pipeline security. As a result of the realignment of resources outlined by Pekoske, “we’re going to be able to increase the number of personnel that we have focused on pipeline security, which means that we will have a presence in the pipeline community on a very regular basis,” following up on security reviews and assessments, she said.
Commissioner Richard Glick questioned Proctor on the TSA processes for assessing pipeline security, asking if there can be gaps on the number of pipelines reviewed because TSA screens them based on the top 100 pipelines in terms of throughput. Proctor noted that TSA places a priority based on facilities deemed to be critical, such as those serving military bases, multiple generation facilities or important urban centers and not solely based on throughput figures.
Donald Santa, president and CEO of the Interstate Natural Gas Association of America (INGAA), told Glick and others that pipeline operators have the means to limit the impact of an incident by diverting gas flows and adjusting operations. That does not mean protection is not a priority, but understanding the consequences has a role in the discussion, he said.
Santa also mentioned that the INGAA board last year made a commitment to follow the TSA cybersecurity guidelines and he suggested letting the current model work based on the steps being taken by TSA.
Speaking with reporters during a break in the all-day session, Santa acknowledged that “there’s room for improvement” in pipeline compliance with TSA guidelines. Rather than changing to mandatory standards or moving pipeline security to some other agency, “let’s focus on improving the model, because it’s very clear that TSA is committed to it,” and INGAA supports increased funding and resources for the agency to carry out its pipeline security mission, Santa said.
Besides Santa, among those speaking to the FERC commissioners and DOE Assistant Secretary Bruce Walker in the Office of Electricity, who jointly presided at the session, were James Robb, president and CEO of NERC, Nick Akins, president and CEO of American Electric Power, , Mark Gabriel, administrator and CEO of the Western Area Power Administration, Robert Kolasky of the Department of Homeland Security, Charles Kosak, deputy assistant secretary at the Department of Defense and William Evanina in the Office of the Director of National Intelligence.
A panel of afternoon speakers included several state regulators, along with utility and independent system operator representatives and Alan Armstrong, president and CEO of The Williams Companies. A consensus among the afternoon panel is that state regulators are not imposing barriers to cost recovery for utility cybersecurity investments. There are concerns about “gold plating” and raising rates to utility customers to cover too many security expenditures, but all agreed that infrastructure security is a priority that merits constant improvement.
Adopting a strong security posture does not always involve complying with standards, said Nicholas Brown, president and CEO of Southwest Power Pool (SPP). There are cyber maturity models that assess organizations’ steps on a variety of issues, and SPP hired an outside consultant to do an assessment, to take the grid operator above and beyond the NERC standards.
One concern mentioned by several speakers, including Brown, is that larger companies have the resources and means to adopt thorough risk management programs with cyber protections. The interconnected nature of the power grid makes the larger companies more wary of the limited cyber protection measures of smaller utilities.
For pipelines, Armstrong and Santa told FERC members that an affirmation of the 2001 policy statement about recovery of extraordinary expenditures for critical infrastructure protection would be welcome. Unlike utilities with rate recovery measures from state and federal regulators, most pipelines have negotiated rates or discounted rates to compete with each other and recovery of cybersecurity expenses and other security measures can be an issue, they said.
The pipeline representatives and utility speakers commented that they are constantly under attack by hackers trying to take advantage of digital equipment used in the energy sector to disrupt operations. Armstrong and others said the industry is investing in protections and trying to be proactive to ward off intrusions, and mitigate any damage that could be done.
Gabriel of WAPA commented that the federal transmission provider has “200,000 pings on our firewall every day” and in 2018 deemed 10,000 threats that it pointed out internally and shared with utility customers. Those numbers are increasing on a continuing basis, he said.
Robb of NERC said besides the standards and other measures the reliability organization uses, it holds webinars, grid protection exercises and issues alerts to make companies aware of the latest developments or threats. Since 2009, NERC has issued 46 alerts, and 41 of those were cyber related, he said.
The session in some ways mirrored a February 14 Senate hearing where lawmakers questioned whether mandatory cybersecurity standards from TSA should replace the current voluntary standards, especially if the security efforts at TSA are viewed as a weak spot since one pipeline can provide fuel for 10 or more major power plants.
As he did at that hearing, FERC Chairman Neil Chatterjee said his preference is to allow the pipeline sector and TSA to make progress under the current voluntary standards, and he asked Proctor whether voluntary standards are sufficient.
“I do believe they are,” Proctor said, commenting that TSA has the tools and the authority needed to address cyber protections for pipelines. Pekoske can issue a security directive that calls for compliance and the voluntary guidelines provide flexibility for the pipeline sector to address events outside of the time-consuming regulatory compliance process associated with mandatory standards.
Glick and Walker probed further on TSA efforts on pipeline security, with Walker commenting that the increased reliance on gas-fired generation makes the power sector more dependent on pipelines for fuel supplies. That increased reliance “makes me uncomfortable,” Walker said, asking Santa about efforts to address the interdependence of the power and gas industries.
Santa mentioned INGAA’s commitment to meeting TSA guidelines and standards and the difference between the way pipelines and the power grid are operated. Compared with power flows that nearly instantaneous and require a constant balancing of supplies and demand, natural gas moves through the pipeline network slowly to allow adjustments and changing flows in case of pipeline disruptions, Santa said. The ability to operate the pipeline system manually and the use of gas storage as a secondary supply option is a design feature that provides resilience to the pipeline transportation network, he said.
TSA has conducted 23 different corporate security reviews at pipeline operators, with a 90% compliance rate, and an 80% compliance rate on cybersecurity practices outlined in TSA guidelines, Proctor said. The agency has also begun a new level of cybersecurity architecture reviews for pipelines under TSA’s jurisdiction, she said.
Several speakers, including some from the power sector, said there should be mandatory standards from TSA for pipeline security due to the growing gas/electric interdependence and to make the protections equivalent among the two industries.
When questioned by Glick, Proctor said TSA has the authority to impose mandatory standards and the goal should be 100% compliance with the current voluntary standards. She seconded Pekoske’s comments that freeing up more resources within the agency will allow TSA to improve its oversight of pipelines and allow more follow-up among those companies below 100%.
When asked by Glick if INGAA opposes mandatory standards, Santa said yes, the group does oppose such a move. The current model is working well and is being improved, with voluntary measures enabling more agility and reaction to what is happening and not a “check the box” mentality associated with mandatory standards, Santa said.
Another factor in favor of the current standards is that the collaboration with TSA and pipeline owners allowing pipelines to have a certain level of ownership and buy-in, rather than a more adversarial posture that can be associated with mandatory standards, he said. Santa suggested that the government authorities should let INGAA and TSA work on the current program and improve it as needed rather than imposing mandatory security standards.
Another similarity with the Senate hearing was the focus on sharing information and the challenge of classified information not allowing prompt information exchange among those without certain government security clearances. Several speakers from the private sector urged government agencies to declassify information quickly and enable more information exchange on the latest cybersecurity threats to both pipelines and the power grid.
The different entities that share information among the power sector and government can be improved to address some of the cyber risks up front instead of reacting and trying to address the latest threats, Robb and others said. NERC’s Electricity Information Sharing and Analysis Center serves as a conduit for information and coordination among agencies and industries such as the gas and water sectors, Robb noted.
Critical infrastructure protection standards of NERC are a good baseline but they are not sufficient themselves in light of the increase in frequency and sophistication of cyber attacks, said Robb. “We’ll never rest on our laurels” because adversaries trying to penetrate grid operations are persistent and dedicated, he said. E-mail spear phishing is still the most common method because it is easy to execute and has been effective in other industries, Robb said.
The consequences of a successful cyber attack on energy infrastructure could be devastating, and protections are being designed to ward off malicious nation states and individuals with nefarious intentions, Walker said. Quoting from national security assessments, Walker said there is no doubt that nations have the ability to disrupt U.S. energy networks temporarily, and he praised the work of the industry in responding to the threats. He sought to ensure industry representatives and government agency speakers that DOE is helping the country be prepared “for the inevitable cyber battle that is brewing.”
Joe McClelland, director of the Office of Energy Infrastructure Security at FERC, noted that the Commission will be accepting written comments in the proceeding (AD19-12). A notice will be issued giving a deadline for the comments to be submitted. FERC issued a staff report March 29 on critical infrastructure protection (CIP) audits that includes recommendations to help entities go through risk assessment, compliance with NERC standards and overall cybersecurity measures. The audits were not public and the report lists steps taken without identifying utilities or companies involved.
The lessons learned through the audits will improve the security of the power grid and aid compliance with mandatory reliability standards, FERC staff said.
By Tom Tiernan TTiernan@fosterreport.com