Increasing calls from lawmakers and federal regulators to improve U.S. natural gas pipeline cybersecurity are “credit positive” for operators and the utilities that have come to rely on them, according to Moody’s Investors Service.
During a hearing last month before the U.S. House Energy and Commerce Committee’s energy subcommittee, FERC Commissioners Richard Glick and Cheryle LaFleur expressed concerns about the lack of mandatory cybersecurity standards for the U.S. gas pipeline system as they push for better federal standards.
Moody’s said the implementation of federally mandated cybersecurity standards could benefit pipeline operators and utilities, since the addition of baseline defenses could make pipelines more difficult targets for attackers. Federal standards would also support pipeline operators’ ability to recover costs through future rates and support their financial position.
A Government Accountability Office (GAO) audit last year also cited cybersecurity as a weakness. The natural gas pipeline security program is run by the Transportation Security Administration (TSA). Moody’s noted that its oversight of industry cybersecurity is lacking, as the TSA only has the equivalent of six full-time employees tasked with supervising the entire U.S. interstate pipeline industry.
FERC currently only requires utilities to report cyberattacks on electric grids, even when attacks do not cause service disruptions. Previously, utilities were required to report attacks if they interfered with service. Unlike utilities, however, interstate natural gas pipelines are not covered by the requirements currently in place.
“We view mandatory cybersecurity standards as a starting point for protecting against cyber threats,” Moody’s analysts wrote in a report on Wednesday. “The adoption of mandatory cybersecurity standards in the natural gas pipeline sector will help guarantee that all operators are focused on this growing risk (at least to the level required by law) and force any late adopters to shore up their baseline defenses and become more difficult targets for attackers, or face regulatory fines and increased oversight.”
The increasing reliance of pipeline operators on sophisticated networked computer systems and electronic data leaves them vulnerable to attacks from cybercriminals, who have identified natural gas pipelines as a prized target, according to the report. Operators are not currently required to report cyberattacks if they are not deemed material by the company, Moody’s said.
“As a regulated asset, natural gas pipelines charge rates that can be adjusted through rate case proceedings to recover prudently incurred costs,” Moody’s said. “Mandatory cybersecurity standards would support pipeline operator arguments of the need to increase investments in this area, which should strengthen their case for recovering these costs through future rates. This, in turn, would further support their financial position.”
Moody’s also said that while improved government oversight would be a credit positive, the ultimate responsibility for protecting infrastructure lies with the operators themselves.