The natural gas and oil industry agrees that cybersecurity is one of the most significant challenges of our time. It’s no secret that we face cyber threats from nation-states, international cyber criminals and other malicious actors threatening U.S. energy infrastructure – it’s all documented in a July report from the Department of Homeland Security (DHS). What you may not know, however, is that industry is tackling the cybersecurity challenge head on.
Americans deserve to know what industries are doing to protect them from cyber threats. That’s the basis for a new report: “Defense-in-Depth: Cybersecurity in the Natural Gas and Oil Industry,” focused particularly on cybersecurity for the hardware and software that manage, control and monitor systems in energy infrastructure. A joint project of the American Petroleum Institute and the Oil and Natural Gas Subsector Coordinating Council, the report chronicles industry efforts to secure energy infrastructure and shows how America’s natural gas and oil industry makes cybersecurity a priority.
The natural gas and oil industry shares the same cybersecurity goals as policymakers and the public: protect energy infrastructure from cyberattacks and maintain the reliable availability of energy for homes, businesses and vehicles. Everything our industry does on cybersecurity is aligned with this objective.
Natural gas and oil companies orient their cybersecurity programs around best-in-class standards and proven frameworks, resulting in programs that can be adapted to their specific needs and are flexible and agile enough to respond to a constantly-changing threat landscape. Most, if not all, companies in our industry treat cybersecurity as an enterprise risk – the highest level of prioritization. boards of directors and senior executives take ultimate responsibility and accountability for cybersecurity, and they oversee the cybersecurity programs that the new report describes.
There is no evidence to suggest that the natural gas and oil industry is more vulnerable than others to cyberattacks. Cyber threats are not new or unique to pipelines; they are present across the energy system, including at coal and nuclear plants. How do we know? Because our industry maintains a close collaboration with the U.S. government in sharing cyber threat indicators.
Information sharing is key – both within the industry and with the U.S. intelligence community. To be forewarned is to be forearmed, and industry-wide defenses are strengthened when individual companies share threats with each other and with the government. In 2014 we formed the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) for this exact purpose. Today, through the ONG-ISAC, natural gas and oil companies engage in bi-directional sharing of actionable cyber intelligence with each other and with cybersecurity units within DHS, the Department of Energy and law enforcement agencies.
For simplicity, let’s focus on natural gas. This clean and abundant fuel is now the nation’s leading source of electricity generation, powering nearly one in three U.S. homes and helping to bring carbon emissions to 25-year lows. In addition to our industry’s defense-in-depth cybersecurity programs, the very ubiquity that’s made natural gas so dependable and affordable is also a security asset. The production, distribution and storage components of the natural gas system are geographically diverse and flexible, creating resiliency that is further reinforced by multiple fail-safes, redundancies and backups.
A Natural Gas Council study earlier this year showcased the industry’s performance during extreme weather conditions. Focusing on three historic weather events between 2017 and 2018 – Hurricanes Harvey and Irma and the Northeast winter storm dubbed the “Bomb Cyclone” – the study uncovered no meaningful service disruptions.
Whether physical threats from Mother Nature or manmade cyber threats, the natural gas and oil industry’s preparation and multi-dimensional structure show that we are up to the cybersecurity challenge. That reality should factor heavily in the ongoing debate about the government’s role in cybersecurity. The threat landscape changes constantly and staying nimble is essential to responding effectively. That’s why the current public-private collaboration is proving effective in the natural gas industry’s cybersecurity response. It balances the necessity of government/industry information sharing with the imperative to stay flexible and agile.
America’s natural gas industry is deploying these tools to guard against cyber threats because delivering the energy that Americans rely on is our priority. Let’s take stock of everything that our industry is doing on cybersecurity – much of it in collaboration with the U.S. government – before we consider changing the regulatory regime or jurisdiction for natural gas pipelines or any other assets that our industry operates.