Sen. Jay Rockefeller (D-WV), who has been at the forefront of the chamber’s efforts to address cyber vulnerabilities involving the nation’s critical infrastructure, sent a letter to the American Gas Association (AGA) Thursday expressing concern about a recent report that AGA-developed standards to protect data transmitted by control systems from attacks were abandoned because of the costs.

Based on the results of a March 2006 AGA report, which found that “there are credible [cyber] vulnerabilities that threat agents could exploit,” an AGA working group developed a set of standards, known as “AGA-12,” to protect data transmitted by control systems.

“While you [in] industry should be commended for working to recognize its cyber vulnerabilities, I am concerned about a recent press report which suggested that ‘AGA-12’ was abandoned because of the costs. One independent researcher who helped develop ‘AGA-12’ [said], ‘What I think killed AGA-12 more than anything else was the cost of it. It was a success. But nobody was willing to pay $500 for a bump in the wire solution even if it radically improved security. I haven’t seen any deployment of it,'” Rockefeller wrote in his letter to AGA President Dave McCurdy.

Industries other than natural gas with critical infrastructure have faced the same choices about making investments to thwart cyber attacks, he said. “While many companies wisely view enhancing cybersecurity as a good long-term investment for owners and operators of critical infrastructure, some companies have chosen to view it as a short-term expense and have not taken the necessary steps to protect their critical business assets,” Rockefeller noted.

“I fear that the business justification for securing critical infrastructure will not come until it is too late, after a cyber attack does great damage to our economy, or worse, causes a mass casualty event. At that point, the private sector will have little choice but to make the necessary investments in cybersecurity.”

McCurdy did not respond directly to the claim that the AGA-12 standards were abandoned due to costs. But he noted that “our members are currently involved in a number of cyber security initiatives to help advance safety, including the Department of Energy’s Roadmap to Secure Control Systems in the Energy Sector, the Transportation Security Administration’s Pipeline Security Guidelines and [the] AGA/Interstate Natural Gas Association of America Security Practices Guidelines for Natural Gas Industry Transmission and Distribution.”

Moreover, “AGA has a standing Natural Gas Security Committee as well as a Cyber Security Task Group. These groups speak frequently about the security of our natural gas delivery system and facilitate communications amongst members and share best practices to help improve the safety and reliability of this system to protect customers and communities,” McCurdy said.

The threat of cyber attacks has become particularly real as the Department of Homeland Security (DHS) has tracked a series of intrusions into natural gas companies’ computer networks over the past couple of months (see NGI, May 14). The department said it is working with the FBI and other federal agencies, as well as pipelines, to identiify the cyber intruders.

Various sources have provided information to the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which investigates threats to public infrastructure, “describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations,” the ICS-CERT said in its “Monthly Monitor” report in April.

“Analysis of the malware [malicious software] and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign. The campaign appears to have started in late December 2011 and is active today. Analysis shows that these spear-phishing attempts [to gain unauthorized access to confidential data] have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization,” the ICS-CERT report said.

ICS-CERT said it has been working with critical infrastructure owners and operators in the oil and gas sector since March to address the series of cyber intrusions targeting pipeline companies. “DHS is coordinating with the FBI and appropriate federal agencies, and ICS-CERT is working with affected organizations to prepare mitigation plans customized to their current network and security configurations to detect, mitigate and prevent such threats,” DHS spokesman Peter Boogaard told NGI.

©Copyright 2012Intelligence Press Inc. All rights reserved. The preceding news reportmay not be republished or redistributed, in whole or in part, in anyform, without prior written consent of Intelligence Press, Inc.