Recent press reports indicate that a cyber-attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of a Federal Bureau of Investigation and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government intuitions, including the Federal Energy Regulatory Commission (“FERC”). These incidents are raising questions about cybersecurity across the US pipeline network.
Lawrence J. Bracken II, Michael S. Levine and Geoffrey B. Fehling
In today’s interconnected society, cyber breaches are inevitable. As the saying goes, it is not a matter of if, but when, an organization will be breached. This is particularly true for businesses in the energy sector, which is one of the most frequently targeted industries for cyber attacks. From producers to pipelines and refineries, energy companies’ computer systems are increasingly at risk of becoming the target of a sophisticated and targeted cyberattack, making cyber risk mitigation paramount.
After a string of highly publicized attacks on energy pipelines in different areas of the country, several Congressmen addressed a letter to US Attorney General Jeff Sessions last month, asking that the United States Department of Justice (DOJ) respond to several questions concerning the ability and intent of the DOJ to investigate and prosecute criminal activity against energy infrastructure at the federal level. The letter also asks for DOJ clarification on whether attacks against the nation’s energy infrastructure fall within the DOJ’s understanding of 18 U.S.C. § 2331(5), which defines “domestic terrorism” to include activities that “involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State” and that “appear to be intended to . . . influence the policy of a government by intimidation or coercion.”
A group referring to itself as “Climate Direct Action” claimed to have shut down five major cross-border oil pipelines in various states on Tuesday October 11, 2016: Minnesota (Enbridge Lines 4 and 67 near Leonard), Montana (Spectra Energy’s Express Pipeline near Coal Banks Landing), North Dakota (TransCanada’s Keystone Pipeline near Walhalla) and Washington State (Kinder Morgan’s Trans Mountain Pipeline near Anacortes). Enbridge confirmed that activists with bolt cutters broke into a valve station in Minnesota prompting them to shut down two pipelines as a precautionary measure. In total, four of the pipelines were temporarily closed and the fifth (Kinder Morgan’s Trans Mountain pipeline) was not in service when activists attempted to turn it off.
Several legislative developments of significance to the pipeline and energy transportation industries are in progress, with the introduction of a bipartisan pipeline safety reauthorization bill in the House, the passage of a bipartisan energy bill in the Senate, and the passage of a bill in the Senate that provides for the use of drones to monitor pipelines and other energy infrastructure.
The Senate Intelligence Committee recently approved the “Cybersecurity Information Sharing Act”, which would facilitate the sharing of information about cybersecurity threats or countermeasures by among private entities and with the federal government. If information is shared in accordance with certain requirements (such as the use of technical controls to protect shared information), the bill provides broad protections for entities sharing information for cybersecurity purposes, including immunity against any legal action related to the monitoring, sharing, or receipt of information done in accordance with the Act.
The National Institute of Standards and Technology (NIST) recently released the final “Framework for Improving Critical Infrastructure Cybersecurity.” The Framework addresses procedures and processes for reducing cyber risks to critical infrastructure – which includes the transportation sector and pipeline systems. These voluntary guidelines address existing global cybersecurity standards and practices and summarize cybersecurity activities common across critical infrastructure sectors. The Framework was developed by NIST for the purpose of helping organizations to understand, communicate, and manage cyber risks, and is a key deliverable under Executive Order 13636 and Presidential Policy Directive 21 issued by President Obama on February 12, 2013.
In the wake of an attack last year on an electric substation in California, four U.S. Senators have written a letter to the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, urging them to adopt mandatory standards for physical security at electric power facilities. During the attack, unidentified gunmen disabled 17 transformers by firing shots from a high-powered rifle through a fence surrounding the facility. Calling the incident a “wake-up call” to the risks of physical attacks on the grid, the lawmakers expressed concern that current voluntary measures may be insufficient to minimize the risks of such attacks in the future.
During his State of the Union Address, President Obama unveiled an Executive Order (EO) and Presidential Policy Directive (PPD) to improve critical infrastructure cybersecurity . The EO and PPD come in the wake of two failed attempts by Congress to pass cybersecurity legislation, and are generally aimed at seeking to improve relationships across the federal government and industry to strengthen critical infrastructure security. The EO and PPD also contain several directives relevant to pipeline operators. Among these, the Department of Homeland Security (DHS) is directed to establish a national physical infrastructure center and cyber infrastructure center to serve as “focal points” for critical infrastructure owners to obtain information to protect their facilities. The EO also requires the federal government to develop a “Cybersecurity Framework” to address cyber risks, and outline a voluntary critical infrastructure cybersecurity program to promote sharing of information by private infrastructure owner/operators. The EO also requires DHS to formulate a risk-based list of critical infrastructure most vulnerable to a cybersecurity incident. The EO and PPD prescribe fairly aggressive deadlines for accomplishment of these directives. Click here for a full summary and to review the Executive Order and PPD.
On June 22, 2011, the House Homeland Security Committee is expected to conduct a mark-up of HR 901, the Chemical Facilities Anti-Terrorism Security (CFATS) Authorization Act of 2011. HR 901 would reauthorize the CFATS program through FY 2018 without burdensome mandates of so-called “inherently safer technology” (IST). Click here for more information.