Reliance upon proven risk management-based frameworks and public-private collaboration, instead of prescriptive regulation, is the most effective way to bolster the cybersecurity of the oil and gas industry and the critical infrastructure companies in it operate, a recent report from two industry groups concluded.
“With the increasing sophistication and adaptiveness of cyber adversaries, it is essential that industry be afforded the necessary flexibility and agility to respond to a constantly changing threat landscape, and that government and industry continue to partner to share cyber threat intelligence and strengthen cyber defenses,” the report from the Natural Gas Council and the Oil & Natural Gas Sector Coordinating Council said.
Its recommendations included that:
• Companies acknowledge that cyberattacks can present “enterprise risks”—which could compromise a company’s viability—and have comprehensive approaches to cybersecurity in place.
• Companies orient their information technology and industrial control systems (ICS) cybersecurity programs to leading frameworks and best-in-class standards, especially the National Institute of Standards and Technology’s Cybersecurity Framework and the ISA/IEC 62443 Series of Standards on Industrial Automation and Control Systems Security.
• Cyber threats are not new or unique to pipelines, but are present across the energy system, including at coal-fired and nuclear power plants. Pipelines have layers of security in place to protect against cascading failure, which also include mechanical controls that are not capable of being overridden through any cyber compromise of an ICS.
• The US gas system is highly resilient because the production, gathering, processing, transmission, distribution, and storage of gas is geographically diverse, highly flexible, and elastic. It also is characterized by multiple fail-safes, redundancies, and backups.
Cybersecurity regulation must balance the government’s interest in guidance and oversight against the risk that static rules will quickly become obsolete, the report concluded. “Further, regulation might cause companies to focus their defenses on a limited number of types of attacks or business activities to the detriment of other existing or emerging needs,” it said. “There also is the risk that such rules might create a window into industry defenses that could be exploited. This can generate significant unintended consequences.”
National oil and gas trade association leaders quickly responded to the report’s findings.
“Cybersecurity is a top priority for the oil and gas industry,” said American Petroleum Institute Pres. Mike Sommers. “Pipeline systems are purposely built to be highly resilient. Our members are leaders in cybersecurity, sharing cyber threat indicators and intelligence with each other and with the US government through the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC).”
API has convened its member companies on cybersecurity for more than 15 years, the report noted. It said the nation’s largest oil and gas trade association’s Information and Management Technology Committee, which is made up of chief information officers from API member companies, serves as an industry forum to address systems technology issues including computers, communications, and electronic commerce.
“This report makes clear that assertions regarding the inadequacy of natural gas pipeline cybersecurity are not grounded in reality,” Interstate Natural Gas Association Pres. Donald F. Santa said. “The gas industry makes extensive investments in cybersecurity and works directly with the federal government agencies immersed in these issues. These efforts demonstrate that the current framework facilitates the safe, secure, and efficient operation of the gas pipeline system.”
INGAA’s cybersecurity approach
INGAA convenes member organizations through a Cyber and Physical Security Committee to assure the physical and cybersecurity of natural gas pipelines, the report said. On a federal regulatory level, the committee primarily works with the US Federal Energy Regulatory Commission, Department of Homeland Security and its Transportation Security Administration, Department of Energy, other federal agencies, and Congress to this end. This group holds security tabletop exercises and shares information with the federal government to stay ahead of cyber and physical threats, the report said.
It pointed out that the American Fuel & Petrochemical Manufacturers has had a cybersecurity subcommittee as part of its Operational Planning Control and Automation Technologies Committee since 2005 to provide technical feedback on legislation and regulatory efforts. “As many current cybersecurity issues need not only technical feedback, but feedback from higher levels within member companies, AFPM also engages members of [its] Government Regulations Committee on priority issues related to cybersecurity,” the report said.
It also mentioned the International Association of Drilling Contractors, which it said has a cybersecurity member on which members develop digital easy-to-use, practically applicable and tailored cybersecurity guidelines for drilling assets that are built upon existing industry standards and best practices.
IADC’s committee also reviews existing cybersecurity regulations, industry best practices, and standards of relevance for industrial control systems and drilling assets, “clearly defining the approach for standards to follow and subsequently moving to align with standards that can be practically applied to drilling assets,” the report said.
“When we looked at all the programs and actions that the gas industry undertakes to maintain cybersecurity on its systems, it became clear to all the associations of the Natural Gas Council that we had a good story to share about industry’s commitment to safety and security,” said Dena E. Wiggins, president of the Natural Gas Supply Association, which currently leads the NGC.
