The oil and gas industry and the Transportation Security Administration are engaged in a cautious negotiation about new cyber protections for the nation’s pipeline infrastructure.
The Trump administration is worried that the nation is more dependent than ever before on pipelines that are vulnerable to hacking, thanks to the natural gas boom, according to one oil industry official involved in the discussions.
The industry favors voluntary safety standards, but doesn’t want to see Congress create a new watchdog along the lines of the one that oversees electricity markets.
This month, the TSA is assessing individual companies to determine the nature of potential threats. An official for the Department of Homeland Security, which houses the TSA, said the agency aims to “help our industry partners identify and mitigate potential vulnerabilities to their networks.”
Companies are eager to cooperate with these assessments, said Don Santa, president and CEO of the Interstate Natural Gas Association of America, representing the pipeline industry. “We believe the initiative will lead to a better understanding of the unique risks that pipelines face, the actions being taken to combat them, and opportunities to further strengthen our security posture as an industry.”
Last spring, hackers successfully gained access to major pipeline firms in a series of incidents. One attack victimized TransCanada, the company building the Trump-touted Keystone XL pipeline, as well as Energy Transfer Partners LP, the company associated with the Dakota Access pipeline in North Dakota that Trump pushed forward.
Industry officials welcome the prospect of sharing information about attackers with the government. What the industry doesn’t want, officials say, is for the administration or Congress to enact new cyber regulations on pipelines, similar to those the electricity and nuclear power sectors have had to comply with over the last decade.
A legal consultant who has been following the talks at the Department of Homeland Security says what the government is aiming for is something akin to the North American Electric Reliability Corporation.
NERC is an electric grid watchdog established by Congress in the wake of the 2003 blackout that struck the Northeast and Midwest. It develops and enforces reliability and cybersecurity standards with the Federal Energy Regulatory Commission.
The oil industry doesn’t like the idea, because NERC can levy fines of $1 million per violation, per day, for not meeting its standards.
“We don’t believe NERC standards for our industry are appropriate,” said an official representing the oil industry. “With the changing pace of the threats and technology, prescriptive regulations aren’t really going to get us to a more secure infrastructure.”
But large industrial end-users of natural gas disagree. They are calling for NERC-like mandatory standards, indicating that a fight between energy users and energy producers over cyber protections for pipelines could be on its way.
The Industrial Energy Consumers of America, representing the chemical industry and other large users of natural gas, is urging Congress to pass a bill pending in the Senate to include mandatory standards.
“When so much is resting on the reliability of natural gas pipelines, we cannot help but be concerned that the natural gas pipeline security requirements under the Transportation Security Administration are voluntary, not mandatory,” the group said in a Feb. 12 letter to lawmakers.
Paul Cicio, the president of the group, wants the Pipeline and LNG Facility Cybersecurity Preparedness Act to be modified to include enforceable nationwide natural gas pipeline security standards.
Sen. John Cornyn, R-Texas, reintroduced the bill late last month, and it has been referred to the Science Committee. The bill would place both the physical and cybersecurity of pipelines under the purview of the Department of Energy.
Cicio wants the cyber program to be modified to resemble the NERC process, he said in a letter to Cornyn sent this month.
“Given NERC’s action to ensure electric grid security, natural gas pipelines are the weak link in U.S. national energy infrastructure,” Cicio explained. He added that Duke Energy recently settled a $10 million fine with NERC for not fully complying with its security standards.
The TSA, which is coordinating the cybersecurity effort with the oil and gas industry, has been slow-walking the development of mandatory standards, according to Cicio.
He also pointed out that TSA lacks the resources and staff to take on the task, which makes the companies he represents nervous.
The compliance cost of meeting new regulations could drive up the price of natural gas for both manufacturers and utilities. “However, one successful attack could shut down tens of thousands of manufacturing facilities at costs of tens of millions of dollars per day for each facility,” Cicio noted.
“The economic harm could be staggering,” he told Cornyn.