Government and private stakeholders are seeking to secure millions of miles of oil and natural gas pipelines against cyber intrusions as attackers increasingly target the operational technology that controls energy infrastructure.
Seven months after a cyberattack shut down a major artery of gasoline supply in the U.S., the future of national pipeline cybersecurity remains largely unresolved, as government and industry grapple with hurdles to securing the nation's fuel backbone.
Protecting the nation's pipelines will require addressing complex challenges presented by expanding vulnerabilities and evolving cyberthreats. The industry needs to gain greater visibility across a vast network of operational technology, or OT, and to establish next-generation information-sharing platforms, according to experts.
Improving visibility into OT — the hardware and software that control infrastructure — would allow pipeline operators to respond to cyber breaches with greater precision, reducing the potential for costly supply disruptions across the nation's 2.6 million miles of oil and gas pipelines. It would also improve operators' ability to detect malicious activity and prevent an intruder from triggering a catastrophic incident.
Complicating the task are legacy OT networks that defy cheap and easy fixes, as well as long-standing tension between public and private stakeholders over minimum cybersecurity requirements and the scope of information that operators should share with government.
Cybersecurity vulnerabilities exposed by the May attack on Colonial Pipeline Co. have spurred a new push for regulation. Industry observers, including Federal Energy Regulatory Commission Chairman Richard Glick, have long criticized the lack of minimum standards for certain cybersecurity protections. With the Colonial attack in recent memory, though, the industry and some cybersecurity experts worry that in policymakers' rush to regulate, they could impose ineffective, burdensome rules.
"Compliance does not equate to security," Kimberly Denbow, managing director of security and operations at the American Gas Association, said in an interview, echoing cybersecurity experts.
Long impasse over regulation ends
Both Kinder Morgan Inc. and TC Energy Corp. noted their implementation of the cybersecurity framework released by the U.S. National Institute of Standards and Technology, or NIST, as part of their defenses against cyberattacks. Kinder Morgan expressed confidence in its cyber incident response plan, noting that there have been no interruptions or suspensions of the company's systems due to a cyber event. Still, the operators see room for additional government involvement in the space.
"Based on our implementation of the NIST cybersecurity framework and the partnerships we have with various relevant government agencies, we would not oppose making compliance with the NIST [framework] mandatory," Kinder Morgan spokesperson Melissa Ruiz said. "However, we also believe that it is part of the federal government's primary constitutional purpose to protect citizens and businesses from cyberattacks by entities affiliated with or sponsored by foreign governments. The private sector can never, on its own, match the resources of state actors."
For its part, TC Energy indicated it is committed to working with the federal government to comply with cyber rules. The company said it is currently monitoring the details of the Department of Homeland Security's latest cybersecurity order, one of several government updates to federal cyber policy this year.
In the wake of the Colonial Pipeline breach, the Biden administration issued several directives and orders that broke a long impasse over imposing minimum cybersecurity requirements on pipeline operators.
For instance, a July 20 security directive issued by the Transportation Security Agency laid out cybersecurity requirements for operators of certain pipelines. Yet some measures in this directive have already caused tension, in part because they mirror existing requirements for the bulk electric power sector.
"Our government, they tend to think of energy, but they mean electricity," Denbow said. "You cannot have one form of energy sitting at the table speaking on behalf of all of them. And unfortunately, that's what we've seen."
The American Gas Association, along with six other trade groups representing pipeline operators, wrote to the head of the TSA in light of the administration's directive, seeking a greater role in developing cybersecurity requirements and expressing concerns the agency overlooked some potential impacts to operational safety and reliability.
"For nearly two decades, we have worked alongside the TSA in a structured oversight model applying risk-based methodology that properly balanced pipeline security with operational reliability and safety," the groups — the American Gas Association, American Fuel and Petrochemical Manufacturers, Association of Oil Pipe Lines, American Petroleum Institute, Interstate Natural Gas Association of America, GPA Midstream Association and American Public Gas Association — said in their letter.
"As the directive was developed, industry conveyed highly probable operational safety and reliability concerns that could arise by imposing prescriptive cyber requirements and untenable timelines without specific understanding of a company's existing cybersecurity protections and operations," the letter said.
The TSA — which has authority over transportation security, including on pipelines — is exploring a longer-term rulemaking that would include more stakeholder feedback.
While the current directives largely addressed basic cybersecurity practices, studies have found vulnerabilities in these areas remain common.
According to an assessment of the pipeline industry's cyber practices by OT cybersecurity firm Dragos Inc., 80% of pipeline operators had insecure password and credential practices. Half did not adequately segment their networks, a practice that helps keep an attack on a public-facing IT network from spreading into the OT network.
Operators lack visibility into assets
The Colonial Pipeline breach illustrated the consequences of those vulnerabilities. Attackers gained access to Colonial's IT systems by leveraging a single compromised password. The company then shut down its entire pipeline network because it was uncertain if the malware had spread to its OT network.
That uncertainty underscored a core problem facing pipeline operators: Many lack visibility into sprawling networks of legacy OT assets that comprise valves, pumps, meters and other devices, as well as associated software. In its 2020 report, Dragos found 90% of its clients had extremely limited or no visibility into their OT environment.
Operators manage OT assets through industrial control systems, or ICS, which feed information to control rooms, where operators send commands, known as control changes, back to the equipment. Much of the OT asset base went into service decades ago and was not designed to continuously monitor for threats or accommodate other modern cybersecurity practices.
Further, OT often runs on custom-built software that is difficult to upgrade. Patching often means taking an asset out of service, leaving operators to manage vulnerability between scheduled maintenance.
The standardization of industrial control system technologies and increasing connections to external networks have only expanded vulnerabilities, according to a Sept. 9 Congressional Research Service report.
The trend toward deploying networks of sensors to optimize asset performance, measure emissions and conduct predictive maintenance has also expanded potential entry points, according to Johan Vermij, a research analyst at 451 Research who specializes in the internet of things. Additionally, some OT operators have sought to shortcut the data-modeling process by pumping industrial control data directly into IoT systems. Direct connections between these two systems can provide conduits for invaders.
"It's a quick and dirty solution to use your ICS system to feed your IT systems," Vermij said. "Keep them separate."
Cyberthreats expand for OT operators
At the same time, assessments by the federal government and cybersecurity firms show nation-state actors have ramped up campaigns targeting pipelines and other critical infrastructure, with some attacks seeking to weaponize the assets against operators or population centers.
Cybersecurity experts warn that capabilities developed in one region or sector can be applied to others. A growing concern is malware that learns how control systems maintain safe operations and then reprograms them to sabotage critical operations.
Nation-state actors are chiefly behind attacks on OT systems, according to Lisa Sotto, who leads the global cybersecurity practice at law firm Hunton Andrews Kurth LLP. "It's a potential treasure trove for them in gaining leverage over companies and the U.S. economy and citizens," Sotto said.
However, the threat could expand. The 15 threat actors focused on breaching OT systems that Dragos tracks are currently in "capability-building mode," according to Ben Miller, vice president of professional services and research and development at Dragos.
"Similar to what we saw on the IT side 10, 15 years ago, their sophistication will move up across the board," Miller said. "So criminal organizations, ransomware organizations, as an example, may see [an] opportunity to develop their own OT-ICS capabilities."
Government targets advanced cybersecurity
The U.S. government is moving toward addressing higher-level cybersecurity practices. In September, the Biden administration released nine cybersecurity performance goals for critical infrastructure operators. The list includes implementing cyberrisk management programs, inventorying OT assets and configurations, and continuously monitoring industrial control systems.
Congress has additionally sought to place new requirements for reporting cyber incidents on critical infrastructure operators and to create a designation for critical infrastructure, a concept that arose out of the U.S. Cyberspace Solarium Commission. The commission was created in 2019 to lay out a strategic consensus on defending the nation against significant cyberattacks.
For now, the Biden administration has addressed higher-level cyber preparedness through partnership rather than regulation. A July memorandum formalized the Industrial Control Systems Cybersecurity Initiative, a voluntary collaborative effort to deploy control system visibility, detection and warning technology.
In August, the administration launched a 100-day program to spur uptake of control systems monitoring among natural gas pipeline operators. The information sharing and analysis centers for gas utilities and the oil and gas industry have partnered with Dragos to use the company's Neighborhood Keeper platform to monitor for threats.
Rosetta stone for solving cyberrisk
Cybersecurity vendors are also increasingly focused on OT. Cybersecurity firm Tenable Holdings Inc. in 2019 acquired Indegy, which developed technology that uses existing OT protocols to monitor for control changes. Siemens Energy AG recently launched Eos, a platform for monitoring threats across IT and OT assets and streamlining cooperation through machine learning and automation.
Uptake of emerging technology will be necessary for effective information sharing and building collective defense across the industry, according to Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens.
"It's one thing to know that you're breached and then report on it. It's another thing to deal with a suspicion that you're breached and report on that," Simonovich said. Many operators today lack the sophistication to achieve that level of understanding, he added.
Ultimately, the effort to secure OT against cyberattacks will likely require a change in philosophy that mirrors the development of integrity and safety management systems, put in place to create systematic cultures of continuous safety improvement.
That work is getting under way as operators, vendors and contractors begin to adopt shared language and understandings around enterprise risk, according to Nicholas Friedman, national managing partner and governance, risk and compliance strategist at Templar Shield Inc. Essentially, the industry is developing a Rosetta stone for communicating and measuring risk effectively, he said.
"It's not a device. It's not a sensor. It's not a tool that's going to solve these problems," Friedman said. "It is a holistic program that takes each of these areas into consideration, and then designs a control monitoring program."
451 Research is part of S&P Global Market Intelligence.