A Letter From James J. Hoecker our CEO.

Aug 30

To: Pipeline Friends August 2021

Re: Are Your Pipeline’s Operations Vulnerable To Cyber Attack? Here’s What To Do About It

In this critical moment, pipeline executives must manage cyber risk more proactively, collaboratively, and with an eye on kinetic wars yet to come. Cyber vulnerabilities are business risks. It’s time to take a fresh look at pipeline cyber protection.

THE THREAT ENVIRONMENT. For over twenty years, our industry was focused on preventing terrorists from physically attacking pipelines. In the last four years, however, the nature of the threat has changed gaining media and public attention in 2021. Powerful new cyber challenges for pipeline operators have arisen everywhere to threaten service reliability, pipeline financial health, insurance costs, and business and regulatory relationships.

The trends are not encouraging! In June, a ransomware attack crippled a global shipping company, causing $300 million dollars in losses. A municipal water system and an interstate pipeline system were attacked as well. The operational technology (OT) systems of those companies were exposed. The operations of a major food supplier were later disabled by hackers. In short, the impacts of virtual threats on the physical world are a big and immediate concern.

Without effective protection, cyberattacks will increase pipeline direct costs (including operational failures and ransom payments) and indirect costs (customer lawsuits, insurance, regulatory investigations, reputational damage, and lost opportunities).

GOVERNMENT RESPONSE. The White House is asking private industry to collaborate in improving cybersecurity among Industrial Control Systems (ICS). Our extensive consultations with federal cyber agencies indicate that government does not always understand either the operational realities of pipelines or which curative or preventative measures are most effective for pipelines in defending themselves. External pressures will nevertheless compel them to act. Such pressures may translate to offers of help and cooperation or future one-size-fits-all requirements and burdensome audits. As the head of NERC told Congress after the Colonial Pipeline attack, “it is time for policymakers to refocus on ensuring that gas infrastructure is as secure as the grid it supplies.”

As you know, CEOs are responsible for steering the company through perilous seas, both in business and operations. They must chart a course to avoid liability, bad contracts, unprepared staff, and minimize the risk to ICS from third-party vendors, unsecured protocols, rogue access, and insider threats. IT and OT personnel must be accountable for complying with standards, best practices, and better controls before any cyber disruptions occur. If OT assets, controls, and vulnerabilities in ICS are not visible or well-understood, budgeting for cybersecurity will be impossible, hiring and retaining competent (and increasingly scarce) cybersecurity personnel will remain a challenge, and responding to regulatory audits could become more burdensome. These factors escalate business risks.

WHAT WE PROPOSE. The solution is more effective industry collaboration in the form of an industry-focused, self-regulatory, pipeline-driven organization -- the International Pipeline Resilience Organization (IPRO). By handling cybersecurity collectively and at scale, IPRO can achieve a high level of affordable cyber preparedness for pipelines at an affordable price. IPRO will collaborate across pipelines and with established information-sharing groups and regulators. At its core, IPRO is a plan to assess each pipeline’s vulnerabilities and prescribe appropriate controls that effectively manage risks to the business. The IPRO model would establish a single technically sound assessment process that has credibility with pipeline management and, equally important, with state and federal regulators. The collaborative process will benefit pipeline risk managers and generate business advantages for the C-suite. The benefits are described in IPRO’s advisories and materials.

WHAT YOU SHOULD DO. In our four decades of working with natural gas and oil pipeline matters -- as FERC Chairman, an energy lawyer, and as Senior Enterprise Cyber Security Manager at Enbridge, respectively -- we learned this: despite their vulnerabilities, fuel pipeline companies want to control their own fate, manage their own risks, and take charge of protecting their assets. IPRO epitomizes that approach. IPRO will leverage pipeline resources to maintain that control in cyberspace.

OUR REQUEST TO YOU is straightforward. Give us an opportunity to explain how IPRO can heighten pipeline preparedness, especially for companies that have underinvested in cyber protection, to lower risks and costs, and explain what the cyber future holds.

IPRO wants your company’s support and leadership.

Sincerely,