With increased digitalization making oil and gas assets more susceptible to cyberattacks, the public and private sectors must work together in 2022 to build out more proactive security capabilities to mitigate the risk to critical energy assets, industry stakeholders and security experts said.
"The cycle that we're in is that when a major attack happens, there's focus from the legislative branch and the executive branch to do something," Leo Simonovich, head of Siemens Energy's industrial cyber security business, said. The actions that follow tend to be prescriptive, rapid and address the fallout of the specific attack, "but we need to get more proactive."
He contended that cyber regulations are likely to become more abundant because attacks are happening and many of the critical infrastructure sectors are not regulated. "But what we need to see even more of is the platforms that enable public and private to come together," including funding models that are transparent, use risk-based approaches, and enable flexibility for operators to account for differences in their cyber maturity curves, Simonovich said.
The cyberattack on Colonial Pipeline "served as a pretty serious wake-up call, though we've seen wake-up calls in the past that the federal government has kind of hit snooze on," Rob Morgus, senior director of the US Cyberspace Solarium Commission, said in an interview. "Time will tell how serious the response is to the pipeline incident."
Morgus was referring to the heightened attention placed on the midstream segment of the oil and gas industry in 2021 after a ransomware incident forced Colonial to shut operations for nearly a week, triggering gasoline and diesel price spikes, panic buying and supply shortages across the Southeast and East Coast.
Congress has since paid increased attention to the security of the pipeline network and has floated legislation that could see passage in 2022.
Bills already introduced have called for updated pipeline security guidelines, identifying and protecting systemically important critical infrastructure, and mandatory cyber incident reporting. The notion of liability protection for nonfederal entities that satisfy mandated security protocols but still suffer a cyber breach is also being debated, with support coming from the GOP.
"We're beginning to see an emergence of camps here, and it's going to take some interesting and likely difficult negotiation to get over it," Morgus said. "Frankly, we could have another attack that hits people in their pocketbooks and makes people actually feel the pain of cyber risk, and that might unlock additional political capital to move something like this forward."
Following a year that put the security of the US pipeline network under intense scrutiny, "everybody wants to know what the next threat is going to be," said the American Petroleum Institute's Suzanne Lemieux.
The latest cyber incident to hit the oil and gas sector caused North American propane distributor Superior Plus to "temporarily disable certain computer systems and applications" after falling victim to ransomware Dec. 12, the company said.
Parker Fawcett, an analyst at S&P Global Platts Analytics, said, "moving forward, increased digitalization across major upstream projects globally could put companies at higher risk of cybersecurity threats, but US shale would likely be less of a high-profile target due to the fragmented nature of the production and localized networks they operate on." But he contended that small US shale operators with fewer resources to invest in cybersecurity "could be an easier target, albeit being a much smaller target" in terms of payout potential for a cybercriminal.
Lemieux said API is "just continuing to build expertise and build relationships across the industry to make sure that we are as prepared as possible."
The group is also focused on overcoming challenges to implementing new cybersecurity protocols and ensuring its voice is heard as new regulations are likely to be put on the table in 2022.
Following the attack on Colonial, the Transportation Security Administration issued two security directives, making the pipeline sector subject to mandatory cybersecurity requirements for the first time. Those directives sunset in May and July of 2022 but are expected to be renewed while TSA crafts rules for a permanent cybersecurity program for pipeline systems.
"TSA itself will admit that they rushed to impose the security directives," providing limited opportunities for stakeholder input and ultimately diminishing the effectiveness of the directives, the Association of Oil Pipe Lines' John Stoody said.
Among the implementation challenges are mandates that apply to both IT and OT systems, which are operated differently and cannot handle new requirements in the same manner, according to API. Patching, for instance, can be completed relatively quickly on an IT system but must be conducted in a test environment and in consultation with equipment vendors for an OT system to ensure that any changes do not create system reliability concerns.
Companies and trade groups are working with TSA to educate it on different system configurations and come up with alternative measures or action plans to meet the new cybersecurity protocols.
But "TSA was not resourced to do the directives and they didn't get any additional personnel or funds to implement this," Lemieux said. "They're running with limited resources and they're under arbitrary timelines that just forced us into a challenging environment for both the operator and for the TSA. We don't see that necessarily changing in 2022."
Pipeline trade groups have jointly asked TSA to conduct an advance notice of proposed rulemaking (ANPRM) to ensure adequate industry input on what constitutes "reasonable, applicable, auditable, and sustainable regulations."
"What we didn't want is a regulatory proposal to pop out of the hat like a rabbit and repeat the same mistakes of the security directives, which were developed in isolation without knowledge or awareness of some of the technical issues that any type of proposal like that would face," Stoody said.
TSA had said an ANPRM is under consideration and is a tool the agency has successfully exercised in the past.