Recent press reports indicate that a cyber-attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of a Federal Bureau of Investigation and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government institutions, including the Federal Energy Regulatory Commission (“FERC”). These incidents are raising questions about cybersecurity across the US pipeline network.
Lawrence J. Bracken II, Michael S. Levine and Geoffrey B. Fehling
In today’s interconnected society, cyber breaches are inevitable. As the saying goes, it is not a matter of if, but when, an organization will be breached. This is particularly true for businesses in the energy sector, which is one of the most frequently targeted industries for cyber attacks. From producers to pipelines and refineries, energy companies’ computer systems are increasingly at risk of becoming the target of a sophisticated and targeted cyberattack, making cyber risk mitigation paramount.
In coordination with the TSA, PHMSA issued an advisory to remind the industry of the importance of safeguarding pipeline facilities and monitoring SCADA systems for indications of unauthorized access or interference with pipeline operations. This advisory was issued in response to October 11, 2016 attempts by unauthorized individuals to shut down major pipeline facilities in four states across the U.S. Such activities endangered public safety by creating the potential for death, injury, serious infrastructure damage, and significant economic and environmental harm. The individuals were arrested and face serious charges. In the advisory, PHMSA highlights the need for increased awareness and vigilance by the industry and the public.
The Senate Intelligence Committee recently approved the “Cybersecurity Information Sharing Act”, which would facilitate the sharing of information about cybersecurity threats or countermeasures among private entities and with the federal government. If information is shared in accordance with certain requirements (such as the use of technical controls to protect shared information), the bill provides broad protections for entities sharing information for cybersecurity purposes, including immunity against any legal action related to the monitoring, sharing, or receipt of information done in accordance with the Act.
The National Institute of Standards and Technology (NIST) recently released the final “Framework for Improving Critical Infrastructure Cybersecurity.” The Framework addresses procedures and processes for reducing cyber risks to critical infrastructure – which includes the transportation sector and pipeline systems. These voluntary guidelines address existing global cybersecurity standards and practices and summarize cybersecurity activities common across critical infrastructure sectors. The Framework was developed by NIST for the purpose of helping organizations to understand, communicate, and manage cyber risks, and is a key deliverable under Executive Order 13636 and Presidential Policy Directive 21 issued by President Obama on February 12, 2013.
In the wake of an attack last year on an electric substation in California, four U.S. Senators have written a letter to the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, urging them to adopt mandatory standards for physical security at electric power facilities. During the attack, unidentified gunmen disabled 17 transformers by firing shots from a high-powered rifle through a fence surrounding the facility. Calling the incident a “wake-up call” to the risks of physical attacks on the grid, the lawmakers expressed concern that current voluntary measures may be insufficient to minimize the risks of such attacks in the future.
During his State of the Union Address, President Obama unveiled an Executive Order (EO) and Presidential Policy Directive (PPD) to improve critical infrastructure cybersecurity. The EO and PPD come in the wake of two failed attempts by Congress to pass cybersecurity legislation, and are generally aimed at seeking to improve relationships across the federal government and industry to strengthen critical infrastructure security. The EO and PPD also contain several directives relevant to pipeline operators. Among these, the Department of Homeland Security (DHS) is directed to establish a national physical infrastructure center and cyber infrastructure center to serve as “focal points” for critical infrastructure owners to obtain information to protect their facilities. The EO also requires the federal government to develop a “Cybersecurity Framework” to address cyber risks, and outline a voluntary critical infrastructure cybersecurity program to promote sharing of information by private infrastructure owner/operators. The EO also requires DHS to formulate a risk-based list of critical infrastructure most vulnerable to a cybersecurity incident. The EO and PPD prescribe fairly aggressive deadlines for accomplishment of these directives.