By Dr. Massoud Amin, Professor – University of Minnesota and Cofounder/Past Chairman – Cyber Security Summit with Lindsay Lien Rinholen, Attorney – OFT Food Safety & Injury Lawyers
May 18, 2021
Winston Churchill said, “Never let a good crisis go to waste,” and the recent ransomware attack on Colonial Pipeline, which supplies fuel from Houston to New York, is the perfect example. Pipelines have an opportunity now to strengthen their security by improving strategies and planning to proactively curb cyber attacks. Electric utilities have been in this position and offer two important lessons in developing comprehensive cybersecurity standards.
As we have seen, a major ransomware attack like the one that took down the Colonial Pipeline can trigger shortages and panic buying. According to crowdsourcing fuel data app GasBuddy, as many as 86% of gas stations in DC, 79% in North Carolina, and a majority (or substantial minority) of stations throughout the Southeastern region were without fuel. Consequences of a prolonged fuel shortage and crossover between pipelines and other critical infrastructure could lead to profound human suffering and even larger economic loss.
Some have suggested that we must simply “cope” with outages and failures such as these cybersecurity threats. As an infrastructure/energy professional, I cannot imagine how anyone could believe that the U.S. should learn to reactively ‘cope’ with these sort of cyber-attacks.. As I have said before, “coping as a primary strategy is ultimately defeatist.”
My experience assisting with assessment prior to Y2K and directing all security research and development for North American utilities after the 9/11 tragedies involved securing critical interdependencies with fuel supply chains, including coal, nuclear, oil and gas. Two years later, the 2003 Northeast Blackout left 50 million people without power for 4 days and caused major economic losses. This blackout triggered major structural change to energy utilities’ cybersecurity measures. Like the 2003 Blackout, the Colonial Pipeline attack by the DarkSide ransomware is likely a harbinger for major regulatory change for pipelines in the area of cyber security.
My advice: turn fear into positive action. Here are 2 lessons that pipelines can learn from electric utilities in developing a comprehensive cybersecurity standards:
1. Crisis Triggers Regulation
Pipelines should expect additional cybersecurity regulation. Following the 2003 blackout, consumer outcry drew congressional interest. Congress promptly began meeting to discuss measures that could be taken to improve electric utilities’ security. Congressional efforts resulted in the Energy Policy Act of 2005.
Under the Energy Policy Act of 2005, FERC was tasked with forming an Electric Reliability Organization (ERO) to set mandatory standards of reliability for RTOs and ISOs. FERC appointed the North American Electric Reliability Corporation (NERC) to serve as the ERO. NERC is a non-profit international regulatory authority that sets standards for reliability and security for the United States, Canada, and parts of Mexico.
Since 2007, NERC has developed and enforced reliability standards for the supply of power. Compliance with CIP and all security standards is carried out through eight regional entities. I had the privilege of serving on the Board of Directors for two of these organizations (the Midwest Reliability Organization and Texas Reliability Entity).
For years, pipeline cybersecurity has fallen under the purview of the TSA, which has emphasized voluntary standards. Now is the time for pipelines to proactively assess and address cyber-physical risks. Infrastructure security requires a new model for private sector-government relationships. Overlapping and inconsistent roles and authorities hinder development of productive working relationships and operational measures. With the formation of the Pipeline Cybersecurity Initiative in 2018, there is already some degree of interagency cooperation. Pipeline stakeholders should consider whether enhancing already existing independent organizations or to create an independent non-profit might be a better source of oil & gas pipeline cybersecurity standards, as NERC transitioned from an advisory role to a mandatory one for electric power utilities.
2. Operational foresight, proactive security, and resilience
We are only as good as our stakeholders’ preparedness, security and resilience. Every pipeline has its own business model, distribution network, and interests at stake in the face of a myriad of vulnerabilities. While the system complexity has increased during the past 20 years, we have developed the technical know-how to adapt to these changes—but there is still ample room to improve.
Currently more than 90 percent of successful intrusions and cyber-attacks take advantage of known vulnerabilities and misconfigured operating systems, servers, and network devices. In addition, two coordinated areas need to be addressed in close collaboration with the industry:
• Cyber and physical threats to communications and information technology (IT) as well as the operational technology (OT) systems. This attack was on Colonial’s financial system, and could have been much worse had it been on IT/OT systems.
• System-wide interdependencies with other lifeline critical infrastructures with communication and cyber threats
Pipelines must ask: What measures are practical and useful for critical infrastructure protection (CIP) and the security of cyber physical infrastructure? Energy consumers?
NERC developed and administers a Critical Infrastructure Protection (CIP) program, encompassed in CIP standards 1 to 14. These standards address the security of cyber assets that are critical to the operation of the North American electric power grid. CIP compliance is mandatory.
As the utilities did after 2003, pipelines in 2021 face analogous challenges like integrating better/secure sensing, early warning feedback loops, layered defense architectures, focus towards proactive security, rapid localization/isolation of threats, operational resiliency and fast restoration in the future.
Pipelines will need to continue to invest in operational security, not only of their associated financial networks, but also controls and communication systems, which may include:
• Controls and Communication Facilitate, encourage, or mandate that secure sensing, “defense in depth,” fast reconfiguration and self-healing be built into the infrastructure. The overall communication/IT and operational technology and automation systems (robotics systems) that enable pipelines to operate reliably needs to be made secure and embedded within this defense-in-depth architecture.
• Investments in security. Due to the increasingly sophisticated nature and speed of targeted malicious code, intrusions, ransomware, and denial-of-service attacks, a human response may be inadequate and an automated response is often required. Hardening some key components including compressor stations and transportation is highly desirable. Pipelines should also increase investment in the grid/pipeline interdependencies and in R&D areas that assure the security of the cyber infrastructure (algorithms, protocols, chip-level and application-level security). However, providing comprehensive physical protection for all components is simply not feasible or economical. Dynamic, probabilistic risk assessments have provided strategic guidance on allocating security resources to greatest advantage. However, pathways to cost recovery and making a business case for security investments/upgrades often pose challenges.
• Security versus efficiency and ROI. The specter of future sophisticated terrorist attacks raises a profound dilemma for the pipeline industry, which must reliably supply the country with fuel, while being careful not to compromise cost. Resolving this dilemma will require both short-term and long-term technology development and deployment along with supportive public policy for cost recovery, which will affect fundamental power system characteristics, spurring development of new business models/strategies. We have also assessed possible insurance mechanisms. Perhaps a topic for another article.
• Sharing intelligence and threat information. As utilities have increasingly done, pipeline companies should share information to develop proactive protection strategies, including development of coordinated hierarchical threat coordination centers – at local, regional, and national levels. The owners and operators of pipelines need access to more specific threat information to develop adequate protection strategies. This may require either more security clearances issued to pipeline sector individuals or treatment of some intelligence and threat information and analysis as sensitive business information, rather than as classified information. Pipelines may consider promoting legislative action to remove impediments and obtain benefits through changes in the requirements of FOIA, anti-trust, liability, privacy statutes, etc. that hinder security efforts, both in personnel practices and in development and sharing of data.
• Infrastructure Interdependencies. Continue working at a federal level on better coordination of electricity and gas markets to mitigate potential new reliability and security issues due to increasing reliance on gas generation, with integrated proactive security considerations.
Undeniably, the cost of increasing cybersecurity measures and deploying a modernized stronger, more secure, and smarter pipeline network for the country will be substantial. Pipeline operators should work to determine the level of security upgrades necessary for the national interest and require governmental authorities to assume costs beyond what the private owners would expend for business purposes.
Back to the ‘Big Picture’
Our immediate and critical goal is to avoid widespread critical infrastructure failure, but the longer-term vision is to enable resilient and robust infrastructure. Achieving this vision and sustaining infrastructure reliability, robustness, security and efficiency are critical long-term issues that require collaborative strategic public/private investments in research and development.
Like utilities have done, pipelines have the potential to grow through the challenges presented by cybersecurity threats. Eighteen years following the 2003 Northeast Blackout, utilities got closer to their customers. Instead of outages with no end in sight, now utilities offer proactive notifications on outages, letting people know when they can expect power to be restored. Overall, consumer confidence in utilities has grown. Pipelines should enact and enforce a transparent public-private consensus to develop a high-confidence of operation.
Put simply, we must decide whether to build power and energy infrastructures that support a 21st century’s secure digital society or be left behind as a 20th century relic.
 North American Electric Reliability Corporation (NERC), “History of NERC,” http://www.nerc.com/AboutNERC/Documents/History_Dec12.pdf