The natural gas industry is taking cybersecurity threats very seriously and has devoted increasing resources to fighting them since 2001. This comes as the federal government shares classified information on credible threats to the industry and weighs legislation to do more, according to officials with the American Gas Association (AGA).
In an interview with NGI, AGA CEO Dave McCurdy said FERC Chairman Norman Bay was pleased to hear some of the initiatives undertaken by AGA and its member companies. Bay spoke before the Natural Gas Roundtable in Washington last Tuesday. He spent a good portion of his keynote speech urging the industry to take cybersecurity threats seriously (see Daily GPI, July 21).
"It is a top priority," McCurdy said Thursday. "It's been a top priority at AGA. I think it's true across the board. What I've noticed over the years is that the boards of directors of companies have elevated this issue as well. Their senior executives are asking where we are on cybersecurity, and that's a major step."
What's changed since 9-11
McCurdy said that on the day of the Sept. 11, 2001, terror attacks, he was serving as president and CEO of the Electronic Industries Alliance and was a board member of the Software Engineering Institute at Carnegie Mellon University. He was in Tokyo speaking to the Organisation for Economic Co-operation and Development (OECD), on -- of all things -- cybersecurity, which was then called "internet security practices."
"It was difficult to get their attention [before 9-11]," McCurdy said. "We realized there was a gap between what was done in the federal government [and] parts of academia, and industry. Those that were most involved early on were the financial sector because they were the big target. And so was communications."
McCurdy said AGA member companies see cyber threats from an operator standpoint.
"We maintain that we are somewhat different than electric generation, even though a lot of our members are both electric and gas, just by nature of the physical and communications network that we use," he said. There's a lot of difference between dealing with molecules and electrons.
"We're working with a natural gas infrastructure, and there are a lot of safety regulations that we must comply with," said Kimberly Denbow, AGA engineering services director. "We have a lot of backup systems, redundancies and fail-safe mechanisms that are not only put in place because it's smart business, but also because they may be required by regulations. So we are able to have an environment in our operating network that supports even greater layers of defense. It's not like other parts of the energy sector, where a flick of the switch and things get turned off. We're not set up like that from an operations perspective."
"Most of the threat scenarios you see out there, and those that present the worst case scenario, involve a cascading failure of the electric grid," McCurdy said. "In the electron state, that's a potential threat, yes. But the concern now is that since more and more electricity is generated by natural gas, how far down that chain do you go to ensure the reliability of that gas supply?
"Gas supply is not just coming from one pipeline; it comes from storage and multiple sources, some of them dedicated. There's still a significant physical effect in the natural gas arena, since we are a massive pipeline infrastructure across the country."
Denbow said the natural gas industry "is not just looking at it from a prevention perspective, but from a prevention, detection, mitigation and then response recovery perspective. It's layered defenses." She added that the Downstream Natural Gas Information Sharing and Analysis Center, DNG-ISAC, "is one tool in a full comprehensive strategy."
Legislation on Capitol Hill
In Congress, the Cyber Intelligence Sharing and Protection Act (CISPA), which would help the U.S. government investigate cyber threats and help ensure network safety from cyberattacks, passed the House in 2012, but failed to pass the Senate during the same session. It was reintroduced in the House and passed again in 2013. The bill, HR 234, is currently under consideration by the House Subcommittee on the Constitution and Civil Justice.
Meanwhile, a second, lengthy bill -- S 754, the Cybersecurity Information Sharing Act (CISA) -- is under consideration in the Senate. The bill passed the Senate Select Committee on Intelligence by a 14-1 vote on March 13.
CISPA would, among other things, direct the federal government to share real-time cyber threat information between all designated federal cyber operations centers, and the president would be required to designate two civilian federal entities -- one within the Department of Homeland Security (DHS) to receive cyber threat information, and another at the Department of Justice (DOJ) -- to receive cybersecurity crime information.
In an area that could apply to the natural gas industry, CISPA calls for the federal government to use shared cyber threat information "for cybersecurity purposes to ensure the integrity, confidentiality, availability or safeguarding of a system or network."
Under CISA, the DHS, DOJ, the director of National Intelligence and the Department of Defense (DOD) would be required to, among other things, "develop and promulgate procedures to promote...the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments..." The law would also permit "private entities to monitor, and operate defensive measures to detect, prevent or mitigate cybersecurity threats or security vulnerabilities..."
CISA would also require the Department of Energy (DOE) and other agencies -- the Privacy and Civil Liberties Oversight Board, inspectors general of DHS, the intelligence community, DOJ and DOD -- to report to Congress at least every two years on shared indicators and defensive measures.
"The proof is in the pudding on all of this," said Brian Caudill, senior director for federal affairs for the AGA. "In each case [these two bills] received fairly overwhelming and bipartisan support. Yes, there are folks on the left and the 'populist right' who have some concerns about how data shared by the private sector to the government can potentially be used by the intelligence community."
The bill is in the Senate "so it will have to be addressed in one form or another. I suspect that if it is put to a floor vote it will pass, but there's an awful lot of things that still need to be negotiated."
"There's been a philosophical difference [of opinion], with privacy advocates," McCurdy said. The extreme privacy advocates say the NSA [National Security Agency] is an agency they cannot deal with, and tech companies have some concerns there because they've dealt with them for years.
"Our industry concerns are that we want this to be voluntary participation, but we believe that there has to be some liability protection, and there's a safety act provision that we think would cover those types of activities. We just want to make sure that the money that's dedicated doesn't just go to compliance -- kind of like all these debates about Sarbanes-Oxley and Dodd-Frank -- that it just doesn't become a set of rules. What we actually need is actionable effort working with government.
"We need flow of information from them because they do have certain detection skills that our members do not. But they also want to hear from us what our potential [threats are], what we are seeing and what the impacts of those are. And we're prepared to share, but we do seek some protection in doing so."
McCurdy said the horns of the dilemma are "What are the things that government can actually do, and then how far will they be allowed to go -- how deeply involved government should be engaged and what branches of government." He noted the Edward Snowden affair.
Where the threats are coming from
Media reports have pointed to China, North Korea and Iran as potential sources for cyber attacks. Other entities, including Al-Qaeda and the so-called Islamic State, could also harbor attackers.
"There's a lot of mapping that goes on, whether it's governments or -- in our case, if you have energy in your title -- there's both industrial espionage and intelligence concerns, and there's those who [just have] ill intent that want to get data."
McCurdy said the natural gas industry gets probed and faces spear phishing attempts -- where potential attackers try to gain access to confidential data through fraudulent email -- on a daily basis. So do individual people in the industry and organizations like the AGA.
"Our members are alert to the challenges, but that's just true across the board today," McCurdy said. "We are not isolated from it. Through DNG-ISAC, we share information from analysts, government and industry that are in the business of trying to detect threats, and then [we determine] how to mitigate those threats, repair, change or respond to those. It's kind of an early warning system.
"If you're living and operating in a connected world, you have threats actively against you on a daily basis."
Denbow said AGA has taken a lead role in increasing cybersecurity awareness across the entire energy sector, not just the natural gas arena.
"We have been privy to classified information, but more importantly we have been working proactively and aggressively with the government intelligence community," Denbow said. "To say you know classified information is great, but you need to get actionable information out to the industry, to the folks that don't have a security clearance, because these are the folks that are really going to need that information and make a difference with ensuring their detection and mitigation mechanisms are in place."