October 18, 2022
American pipeline operators are at the forefront of efforts to safeguard domestic oil and gas infrastructure under the Transportation Security Administration’s (TSA) ever-evolving pipeline security initiatives. Utilities are being challenged to offer greater value and improve aging infrastructure management while ensuring uninterrupted and efficient service.
Defending against new threats and staying on top of constantly changing security guidance requires agility. Pipeline operators must adopt a continuous improvement ethos that supports infrastructure, efficiency and human capital.
Across a pipeline operation, multiple departments are often responsible for the health and maintenance of the systems involved. These may include groups such as information technology, cybersecurity, integrity management, risk management, ethics and compliance, and the executive team. Each is engaged and responsible for myriad daily tasks and has its own operational goals. Operators are having to consider threats they’ve never been asked to consider before, presenting new challenges between departments. Prioritizing security across departments and developing coordinated planning, safety and emergency management programs collaboratively is crucial to protecting pipeline operations.
If you had to pick the most common topics of conversation around the American dinner table today, it is likely that global conflict, rising costs and domestic energy supply are amongst them. Living at the intersection of these three topics lies utility companies tasked with building, operating and securing U.S. energy infrastructure while keeping customer bills in check — no small feat when you consider the headwinds they face.
One such headwind that’s been blowing particularly hard over the last few years is the constant poking, prodding and probing of America’s energy infrastructure from adversaries worldwide. Few missed the impacts of the Colonial Pipeline cyber incident in May 2021. Consumers, industry and government all took notice.
The U.S. government sprang into action by dusting off and updating its pipeline security guidelines (first published in 2010), bolstered by mandatory security directives for the most critical pipeline operators and recommendations for all others. Indeed, the situation is well in-hand then. Not quite.
Unfortunately, the Venn diagram representing those who speak the language of cybersecurity and those who speak energy pipeline operations presents the smallest of intersections. While PHMSA promulgates the federal pipeline safety regulations through its Office of Pipeline Safety, the guidelines were written by the TSA and the Cybersecurity and Infrastructure Security Agency (under the DHS). While the DHS cannot write regulations, it can create 12-month directives that land into legislation passed by Congress. This tends to confuse the industry allowing an incorrect interpretation, assuming it means that the order expires after 12 months. The reality is that when a directive is written, it is not going away. Instead, it is suspended or replaced by another directive or new legislation.
One need look no further than TSA’s Pipeline Security Guidelines to see that while they indeed refer to pipelines, they read nothing like the safety regulations that pipeliners have lived by day-in and day-out since the early 1970s.
A great deal of time has been spent since the directives were announced trying to understand and apply guidelines and “recommendations” that were purposely written in a non-prescriptive manner. Current directives apply to critical asset owners and are enforced in a regulatory fashion, and non-critical asset owners are encouraged to follow the guidelines. Often, it takes both security and pipeline experts to translate the opaque guidance, understanding which path to follow and then transferring it into an actionable approach.
Further compounding the language barrier issue is that of departmental silos. As much as the movie industry would like us to believe that cybersecurity intrusions comprise an attacker and a defender, mano a mano, throwing alpha-numeric bullets at one another in a battle of the blinking cursors, the reality is that cybersecurity defenses, like physical security defenses, are constructed in layers and involve people, processes and technology. How assets and systems are procured, installed, configured, operated, maintained and tested all play a role. Neither the smallest municipal operators nor the largest investor-owned utilities are likely to have one role or person with complete oversight of all OT and IT security aspects. Instead, we find numerous departments, each with its own perspectives, budgets and goals.
To establish and maintain an adequate security posture, not only must executive teams bring security expertise to bear but also align numerous disparate organizations around the common goal of securing the business. Effective strategies necessitate the engagement of corporate security, IT, asset/integrity management, compliance, HSE, field operations and, if they exist, the OT specialists. As it happens, TSA’s letters are landing in the executive offices of pipeline operators and only make it as far as the corporate security organization, but not into the awareness, let alone priorities, of those tasked with the operation of the pipelines.
Operators that recognize no obvious or perfect “owner” of this cross-departmental risk quickly install a leader with the big-picture thinking and ability to collaborate across departments to frame and resource an approach. This is especially true for operators of “critical” assets; they received several security directives and were held to firm deadlines to implement the specified measures.
For those who did not receive a letter from the TSA, there is still work to be done. PHMSA, Railroad Commission and state agencies have all included aspects of cybersecurity in their audits and inspections. Areas of specific focus include cybersecurity events in emergency-response (ERP) and transmission integrity management (TIMP) plans. These inclusions alone likely feel very different for operators whose plans primarily consider events driven by material or equipment failure, with the possible exceptions of third-party excavation damage and vandalism. It’s safe to assume that very few programs previously considered cybersecurity intrusions as a potential driver of loss of containment or loss of supply events. These requirements apply to operators of all sizes.
If you are still wondering how to bridge the worlds of cybersecurity and asset safety, one place to look would be in the concepts of enterprise risk management. Rather than bifurcating a pipeline into buckets of good pipe and pipe to be replaced, broaden the perspective to include and integrate the ideas espoused in API’s Recommended Practice 1173: Pipeline Safety Management Systems. Consider what could go wrong on any pipeline or asset, what impacts those risks pose and how to control or mitigate them. With a broader perspective, one can more clearly see how non-pipeline threats such as employee turnover, unavailable equipment, resource constraints and even acts of cyber terrorism can cause real-world challenges on the pipelines.
The bottom line is that operators of all sizes have work to do to meet TSA directives and guidelines. While malicious threats are real and becoming more sophisticated and persistent, the insider risks — rotating workforce, training cuts and simple lack of awareness — represent 80 percent of operations overall risks. Likewise, pipeline operators continue to inadvertently expand their attack surfaces through the proliferation of technology and software in the constant battle to serve customers in more reliable and affordable ways. Just as the last two decades have seen the expansion of safety programs, metrics and reporting, this decade is likely to be defined by the rise of cybersecurity. Before long, we will start each meeting with a safety and a security tip, as we should.
Michael Bradley is director of utilities for Everline, a provider of energy compliance, technical and security solutions.
Tags: Cybersecurity, energy security, pipeline security, September October 2022 Print Issue