Cyber and physical security of natural gas pipelines and the power grid were the focus of discussion in the Senate February 14 and among state regulators before the Senate hearing, with FERC Chairman Neil Chatterjee telling both audiences he is pleased with progress made by the Transportation Security Administration (TSA) on pipeline security.
The use of voluntary standards for pipeline security, compared with mandatory standards for the power grid and critical infrastructure protection (CIP), was brought up several times during the Senate Energy and Natural Resources Committee hearing. Sens. Debbie Stabenow (D-Mich.), Angus King (I-Maine), and others pressed Chatterjee on whether he believes mandatory standards are needed for pipeline security, with King asserting “of course there should be mandatory standards for pipelines” given the growing interdependence between pipelines and gas-fired generation.
Chatterjee said mandatory standards for pipelines are one way to address security concerns, but not the only way. He expressed a preference “to continue productive steps” made by TSA and provide the agency the opportunity to respond to some of the security concerns raised in different forums, including a Government Accountability Office report and an op-ed Chatterjee co-authored with Commissioner Richard Glick in 2018. Congress “shining a light” on pipeline security will help the agencies involved and industry take steps to address issues raised in the hearing, Chatterjee said.
Karen Evans of the Department of Energy, James Robb, president and CEO of the North American Electric Reliability Corp. (NERC) and David Whitehead, COO of Schweitzer Engineering Laboratories Inc. also testified at the Senate hearing, outlining steps DOE, other government agencies, and the energy sector are taking to address power grid cybersecurity. Evans and Chatterjee referred to the upcoming technical conference at FERC with DOE on security investments and cost recovery practices at the federal and state level.
Fostering partnerships with others is “the most important responsibility I have” to keep infrastructure secure and enhance response and recovery measures, said Evans, assistant secretary for Cybersecurity, Energy Security and Emergency Response (CESER).
Robb assured the lawmakers that the electric utility industry is taking cyber threats very seriously and making it a top priority, noting that the power grid is the only critical infrastructure in the U.S. with mandatory reliability standards. “But standards alone are insufficient” and act as a floor, with efforts on information sharing, constant vigilance on situational awareness, alerts coming from NERC, and secure web portals to keep grid infrastructure secure, Robb said. NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) serves as a conduit for information and coordination among agencies and industries such as the gas and water sectors, he noted.
At the recent National Association of Regulatory Utility Commissioners’ (NARUC) winter policy meeting, several panels touched on pipeline and power grid cybersecurity measures, with input from government officials and industry representatives. A few common themes at both NARUC and the Senate hearing were difficulties with classified information, or how best to share information when many do not have government security clearance with access to cyber threat information, and a change in posture, from preventing intrusion to minimizing damage stemming from a cybersecurity breach.
FERC conducts security assessments of LNG facilities with the Coast Guard and works with NERC on cyber awareness, asking asset owners how long it would take to detect an intrusion, said David Andrejcak, deputy director of the Office of Energy Infrastructure Security at FERC. Most entities “know they will be penetrated” at some point with a cybersecurity breach, so besides trying to avoid penetration they are working to isolate and minimize any damage to grid control systems, Andrejcak told the Critical Infrastructure Committee at NARUC.
The utility sector is stepping up efforts on cyber mutual assistance, added Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute (EEI). Under traditional mutual assistance, utilities in a region help restore power after storms or natural disasters, and cyber mutual assistance is being enhanced to address cyber measures, since the level of resources varies among large and small utilities in the U.S., Aaronson said.
In a remark that was similar to comments at the Senate hearing, Aaronson told the NARUC gathering “you cannot regulate security,” because the minute a regulatory measure is developed, bad actors are working on ways to get around it. He quoted Thomas Fanning, chairman, president and CEO of Southern Company, who often says cybersecurity is not an information technology issue but a leadership issue.
The challenge of balancing regulation and innovation on cybersecurity protection came up several times during the Senate hearing, with Whitehead commenting that regulatory protections can only go so far and become outdated quickly in the current environment. Touting software and hardware capabilities outside of the utility sector, he said “the best way to predict the future is to invent it.”
Working with utilities and agencies on innovations to keep bad actors, and foreign nations such as China and Russia, off their cyber intrusion game will be more successful and an enhancement beyond regulatory protections, Whitehead said.
Sens. Bill Cassidy (R-La.) and Martha McSally (R-Ariz.) questioned Evans, Chatterjee, and others about information sharing, since security clearances and classified information make it a challenge. “Where are we in breaking down some of these barriers?” because the discussion about delays on gaining security clearance and declassifying information “sounds like a hearing from 19 years ago,” when McSally was a Senate staffer, she said.
Cybersecurity talent is hard to find, and larger energy companies have more resources than smaller ones to stay on top of emerging issues, Chatterjee told Cassidy. Evans added that CESER was established by DOE Secretary Rick Perry to address the information-sharing challenge Cassidy and others raised. “We have several programs underway,” and since the office was only established four months ago, she asked lawmakers to give her the opportunity to show progress in the area of threat declassification and sharing information.
“You sense my frustration,” Cassidy said.
The security efforts at TSA could be a weak spot since one pipeline can provide fuel for 10 or more major power plants, Senators noted, asking Chatterjee if the agency is up to the task. Chatterjee referred to concerns he and Glick raised in their op-ed about the limited staff at TSA devoted to pipeline security, and the legislation introduced on the issue. He noted that he has met with TSA Administrator David Pekoske and “I’m pleased with the response I’ve seen” from TSA leadership on the concerns raised by GAO and others.
King decried the calmness of the hearing and expressed frustration that there is not a greater sense of crisis on cyber intrusions. “We are in a very dangerous place” and “I hope I’ve conveyed that” to his Senate colleagues and the witnesses, he said. Part of his frustration stems from the multiple committees with jurisdiction on pipeline safety, national intelligence, and cybersecurity matters.
“You have good cause to be frustrated,” said Sen. Lisa Murkowski (R-Alaska), chairman of the energy committee. She agreed with King that multiple committee jurisdiction is an issue and there are “silos” within that dynamic.
Sen. Joe Manchin (D-W.Va.), ranking member on the committee, was among those lawmakers who referenced a recent warning from Dan Coats, director of national intelligence, that Russians may have the capability to disrupt power networks and a Chinese cyber attack could disrupt a natural gas pipeline for weeks. “Energy cybersecurity is national security,” Manchin said, asking Robb how well smaller utilities can protect their assets with limited resources.
All utilities are required to meet the reliability standards they are responsible for, Robb said, adding that the cyber mutual assistance efforts can provide smaller utilities with expertise and assistance when needed.
Murkowski asked the witnesses about the best way to stay ahead of bad actors in the cyber world, and Whitehead referred to software, code-writing and hardware development to protect infrastructure. Chatterjee and Evans referred to best practices the government and industry are taking to enhance cyber protection. The March 28 technical conference should address incentives to make sure utilities are making the right investments and cost-recovery mechanisms from regulators, Chatterjee said.
By Tom Tiernan TTiernan@fosterreport.com