COMMENTS AND REQUEST FOR PUBLIC PROCEEDINGS OF INTERNATIONAL PIPELINE RESILIENCE ORGANIZATION

The International Pipeline Resilience Organization (“IPRO”)1 hereby submits the following Comments on the above-captioned Advanced Notice of Proposed Rulemaking (“ANOPR”) issued by the Department of Homeland Security’s (“DHS”) Transportation Security Administration (“TSA”).2 Although these Comments are being submitted past the filing deadline, IPRO requests that they be seriously considered when TSA prepares its Final Rule -- a necessary step and a commitment to finality that TSA made in the past. IPRO has long supported TSA’s cybersecurity mission for pipelines (as part of “surface transportation”) and acknowledges its determination to enhance its internal cybersecurity personnel and capabilities and to prescribe its Directives in response to the ransomware attack on Colonial Pipeline in 2021.

IPRO finds that a critical gap still exists in TSA’s pipeline cybersecurity approach. Without the depth and expertise that come with administering the Natural Gas Act and the Interstate Commerce Act, TSA may struggle to master the digital and operational complexities of energy pipelines as it tries to prevent and/or mitigate impactful assaults on pipeline operations, including mitigating impacts on the electric industry, one of the largest end users of the energy pipeline systems. Apprehensions about that security gap are reflected in the comments submitted by PJM Interconnection, L.L.C. (“PJM”) in this docket.3

IPRO recommends some correctives to TSA’s current process of selective pipeline assessments, evolving directives, and relatively opaque results. A more workable partnership with the industry would echo the early development of reliability standards for electric utilities and would require a greater commitment of resources to gathering information about cyber risks and the threat environment from the industry. Although IPRO applauds TSA for opening this broad inquiry, it is late in the game. IPRO recommends that TSA engage in workshops or a hearing to develop a more strategic approach that adds certainty and partnership to what appears to have been exploratory to date. Judging by recent Congressional testimony, that view is shared elsewhere.4

In this Comment, IPRO proposes a more pipeline-driven cybersecurity approach. A full description of this approach is available5 for individual pipelines, the TSA, and policymakers to critique. The IPRO approach depends on the voluntary participation of pipelines but is intended to make pipelines, collectively, a partner with the government in instituting an assessment process, monitoring compliance, selecting or developing appropriate standards, and reporting results that are transparent to the maximum extent possible. IPRO’s approach extends beyond, and is offered in support of, the formality of TSA and the Oil and Natural Gas Coordinating Council (“ONGCC”). It does not supplant accepted cyber standards or impose a rigorous process without the participation of pipeline operators and IT departments. While flexible, it is not intended to enshrine broad optionality in terms of how its procedures apply. Perhaps more importantly here, it cannot be implemented without the support of TSA or whichever part of government oversees this complex industry in the future.

IPRO points out that, without a Congressional reliability mandate like that which empowers NERC to set and enforce standards (under the statutory oversight of the Federal Energy Regulatory Commission, or “FERC”), TSA’s recent efforts to meet the challenge of creating an enforceable pipeline cybersecurity regime have little precedent. To its credit, TSA recognized that its approach to pipeline cybersecurity had to be flexible and relatively transparent. However, TSA is charged with ensuring that all the entities in the sprawling oil and natural gas pipeline industry, even if under-resourced or deemed not “critical,” are sufficiently educated and staffed to protect their operational technology from disruption and, with that, the public’s stake in secure pipeline operations and the reliability of electric generation downstream.

While it appears to IPRO that pipelines may be individually (and possibly collectively) less prepared for cyber intrusions than entities in the electric power industry, the solution is neither a vast new institution like NERC nor the indeterminate rulemaking inquiry in this docket. IPRO, therefore, requests that the proposed and final rules in this proceeding include new mechanisms that ensure pipeline participation in adapting cybersecurity requirements to individual pipeline capabilities and the IT and OT realities of the business. This step forward should take the form of a public-private partnership similar to the charter of IPRO, which has as its objectives (1) articulated means of achieving recognizably high levels of protection from cyber intrusion, (2) administrative certainty, and (3) a manageable financial and administrative burden.

Accordingly, IPRO thanks TSA for the opportunity to provide input and urges TSA to utilize this rulemaking proceeding to explore how it can more thoroughly perform its role as a promoter of cybersecurity and whether oil and natural gas pipelines require a different, more flexible cybersecurity compliance methodology that promotes harmonization of cybersecurity requirements between the oil and gas pipeline industry and the electric industry to ensure the safety and reliability of both sectors.

I. BACKGROUND AND INTRODUCTION

Energy pipelines play a critical role in the modern energy network and will continue to do so for the foreseeable future. According to PHMSA, there are over 2.6 million miles of natural gas pipelines and over 200,000 miles of oil and liquids pipelines in the United States as of 2021.6 Those pipelines transport and distribute fuels to end users, including the electric generation sector.

Natural gas represented almost one-third of total US energy consumption in 2021.7 The majority of that natural gas was used to generate electricity. In 2021, natural gas was the largest source of electric generation in the United States, providing approximately 38% of the total electricity generated.8 Petroleum is the most significant portion of total US energy consumption at approximately 36%.9 The vast majority of that petroleum is used in the transportation sector, accounting for about 90% of US energy use.10 Although petroleum accounts for less than 1% of the total electricity generated in the United States, it plays an essential role in providing the fuel source for a significant portion of the generation called on at peak electric demand.11

TSA is correct in assuming that important energy transportation networks need cybersecurity protection. However, IPRO contends that TSA has not yet proposed a comprehensive, forward-looking approach to cybersecurity. As such, this ANOPR falls short, especially in light of growing cyber threats. Senator Joe Manchin states, “Pipeline networks are becoming more dependent on internet-based control systems for their operations.”12 The Operational Technology (“OT”) and the Information Technology (“IT”) of oil and natural gas pipelines are increasingly at risk today. As OT/IT environments have become more connected through networks and IoT devices, security has become a critical concern and the risks to oil and gas pipelines inherently threaten electric system reliability. According to Skybox Security, new vulnerabilities in OT devices were up nearly 88% in 2021 compared to 2020.13 The high-profile cyberattacks on Colonial Pipeline and JBS meat processing almost two years ago caused general concern about the security of domestic industrial processes, especially from foreign state actors.

Given the perceived threat of energy system insecurity to national security, government responses like TSA’s programs and two directives have proliferated.14 IPRO submits that less is still known about the preparedness of natural gas pipelines to resist or respond to cyberattacks than about electric utility preparedness.

Part of the problem of inadequate data and potential lack of adherence to standards is attributable to historical and institutional differences between these energy industries; part of it is due to a lack of resources among smaller pipeline companies to invest in the best technologies or hire the necessary expertise; part of the difficulty relates to the challenge of keeping pace with best practices without receiving an institutional directive to meet specific and ever-changing threats. Regardless, pipeline disruptions from cyberattacks represent a potential breach in our national economic security, the implications of which could be widespread and substantial.15

There is no question that oil and gas pipelines want to make sufficient investments to protect their systems from the growing threat of cyberattacks if the threat is real and actual attack probable. Figuring this out is a key and relatively new element of reliability, resilience, and consumer protection. Understandably, expressions of deep concern among policymakers and regulators about the preparedness of the nation’s energy delivery systems to fend off or mitigate cyber intrusions have become common.16 The convergence of IT and OT within the oil and gas pipeline industry has created new vulnerabilities and a need for repetitive technological investments, intelligence, process improvements, and vigilance. While FERC and NERC share principal responsibility with all electric power providers to protect the services of the bulk electrical system from disruption, that well-trodden pathway has no equivalent in the natural gas and oil pipeline world, with the possible exception of the ONGCC. However, IPRO stresses a different point: these energy pipelines are a link in several critical supply chains. Electric reliability today depends in large part on the reliable delivery of oil and natural gas supplies.

IPRO contends that this docket offers a unique opportunity to raise critical aspects of cybersecurity before TSA, namely the interaction and inter-dependencies between natural gas supply availability and resource adequacy across the electric grid. For example, Winter Storm Uri demonstrated how a failure to deliver natural gas to power plants under adverse conditions could have catastrophic human and operational consequences.17 One can easily imagine a corresponding scenario where a major natural gas pipeline is shut down due to a cyberattack, leading to a cascading series of decreases in supply on upstream gas pipelines and corresponding shutdowns of any electric generation that runs on natural gas. 

Government cybersecurity oversight is a crowded space.18 The array of regulatory assignments across the Federal establishment can be bewildering.19 Moreover, there are multiple paradigms to follow. For instance, FERC (acting through NERC) “has instituted the most comprehensive requirements, standards, and systems . . . for incident reporting, information protection, systems identification and categorization, supply chain management, and information sharing” for the electric industry, as compared to other critical infrastructure sectors.20 FERC is both a rate regulator and operational conduct and planning enforcer.

Planners and regional grid managers like PJM rely on that well-tested but hardly flawless approach. So, as the threat environment continues to evolve, economic regulators continue to search for new solutions, and ways to obtain and share cyber information and prepare threat responses. Mechanisms like the proposed Energy Threat Analysis Center (“ETAC”) are devised to keep both government and industry abreast of changing threat conditions. Despite these undertakings, new adversaries continue to take advantage of the more uniform software packages, network protocols, facility designs, and training and the malicious insertion of malware into systems across energy infrastructures. According to an expert who ironically dubbed this new capability “PIPEDREAM”:

PIPEDREAM was developed by a highly capable strategic state adversary and is the first reusable cross-industry capability that can achieve disruptive or destructive effects on domestic industrial equipment. PIPEDREAM cannot just simply be patched away. Once it’s in a network, it is a reliable tool for an attack, making detection and responsiveness capabilities as important as prevention.21

Senator Angus King called such undetectable threats “sleeper cells.”22 Although an extreme scenario, the potential for harm to the Nation’s Industrial Control Systems (“ICS”) from these latent menaces illustrates the need for hands-on implementation of cybersecurity standards and practices by joint public-private coordination, not just directives that also continue to evolve.23

 A full inquiry about how TSA’s approach has fared in this crowded regulatory environment is beyond the scope of this proceeding and this Comment. IPRO believes that TSA has a vital responsibility under current law to help oil and gas pipelines avoid information theft, electrical outages, and other service interruptions caused by hackers skilled at finding vulnerabilities in critical ICS. TSA’s current Directive and this NOPR reflect TSA’s conscientious effort to tailor guidance to the needs of individual industry participants, perhaps without an independent understanding of those needs. History suggests that TSA may find it difficult to keep pace with the future evolution of the threat environment. On July 20, 2021, just over two months after the cyberattack against Colonial Pipeline, TSA issued mandatory cybersecurity directives ("SD1").24

That initial set of guidelines required the implementation of prescriptive measures designed to prevent cybersecurity incidents in a manner compliant with the current National Institute of Standards and Technology (“NIST”) standards and guidelines, unless specifically modified by TSA-approved alternative measures or action plans. The initial Security Directive was criticized by pipeline companies and cybersecurity experts as too rigid, because it did not give them the ability to craft strategies that would work best with their individual OT and IT operations.25 On July 21, 2022, TSA issued a revision to the initial Security Directive (“SD2”) that provides more flexibility to pipeline companies to meet the security requirements established by TSA, using a performance-based, security outcome model.

However, under SD2, companies were still required to follow the original guidelines of the first Directive until their individual plans were reviewed and approved by TSA.26 As the ANOPR explains, layers of cyber risk management (“CRM”) programs accompany the guidelines and require pipeline owner/operators to establish plans to achieve security and to respond to cybersecurity incidents in a timely manner. This ANOPR gives TSA a vital opportunity to learn from its experiences with regulating under SD1 and SD2 to craft a model for pipeline cybersecurity that is more in tune with the operational realities of energy pipelines and the industries that depend on them.27

As we explain below, IPRO has a particular compliance model that puts research and compliance more directly in the hands of pipeline operators as part of a public-private partnership. This proceeding affords IPRO an opportunity to distinguish itself from other collaborative forums, like the ONGCC or agencies like TSA, in very specific ways. In response to PJM’s comment in this docket, IPRO also distinguishes itself from NERC. IPRO’s concerns about the adequacy of SD2 relate primarily to whether TSA or other government agencies are in a position to make it work in response to the changing cyber threat environment and changes in the energy industry without stronger partnerships and coordination with the industry. A more robust relationship between pipeline needs and obligations and the public’s interest in energy security is at the core of IPRO’s approach to regularizing cyber risk assessments, as we explain below and on our website.


II. CORRESPONDENCE AND COMMUNICATIONS


All communications regarding this comment should be addressed to the following individuals:

            /s/ Randall Stremmel                                       
Randall Stremmel
Founder and Vice President 
International Pipeline Resilience Organization 
15331 Misty Dawn Trail 
Cypress, TX 77433 
randall.stremmel@resilientpathsolutions.com 
(937) 418-8489                   

James J. Hoecker
Frederick G. Jauss IV
HUSCH BLACKWELL LLP
1801 Pennsylvania Avenue, NW, Suite 1000
Washington DC 20006
james.hoecker@huschblackwell.com
fred.jauss@huschblackwell.com
(202) 378-2316
Counsel for the International Pipeline Resilience Organization

III. COMMENT

A. TSA’S BLIND SPOT: THE SECURITY OF THE ENERGY SUPPLY CHAIN

The ANOPR highlights the TSA’s prominent blind spot. It inexplicably ignores the vital interconnection between nearly half of the Nation’s electricity generation and the continued operation of the pipeline infrastructure that provides the fuel to those power plants. IPRO contends that TSA must elevate and broaden its attention to the risks to electric reliability caused by the growing and evolving threat of cyberattacks likely to originate in the oil and natural gas pipelines that comprise a critical part of the electric industry’s supply chain.

As FERC came to recognize over the last decade, coordination between electric generation and natural gas pipelines is critical to ensuring both sectors' reliable and efficient operation.28 Accordingly, under the statutory authority in Section 5 of the NGA29 and Section 206 of the FPA30, FERC has issued orders requiring regional transmission organizations and natural gas pipelines to coordinate their respective scheduling practices and ensure that capacity release is occurring efficiently.31

However, the electric industry and the natural gas pipelines that serve that industry are “especially vulnerable to cyberattacks” due to the “unique interdependencies” between those industries.32 As was demonstrated in the 2021 cyberattack against Colonial Pipeline, even a minor ransomware attack can result in significant disruptions in the supply chain when owner/operators are unprepared. FERC Chairman Phillips correctly stated that a more severe attack against the operational technology systems of a pipeline can “stop energy infrastructure from working at times when consumers most need it.”33 As in the Colonial case, a shutdown of a natural gas pipeline due to a cyberattack is likely to impact the electric generation served by that pipeline, putting additional stress on an already overtaxed and underdeveloped electric grid. Of course, pipelines are often not interactive in real time like the electricity system is, in theory giving pipeline operators precious time to compensate for the loss of facilities or supplies. As one writer explained, “Going down for the count is not an option in an OT environment. It’s critical that these utilities remain operational, even in the event of an attack. This is known as being ‘cyber resilient.’”34

Oil and natural gas pipelines are not subject to coordination or oversight by an industry-driven reliability body equivalent to the central role played by NERC. That said, IPRO is not requesting that the TSA attempt to take on the role of NERC in imposing a Critical Infrastructure Protection (“CIP”) regime identical to NERC’s or to seek such authority from Congress. Instead, IPRO seeks establishment of an institutional intermediary based on the cooperation of pipelines collectively and dedicated to using a flexible but ongoing and predictable methodology for ensuring cybersecurity compliance that promotes rational harmonization of cybersecurity standards and requirements among the oil and gas pipeline industry and, insofar as necessary, with the electric industry to ensure the safety and reliability of those industries.

B. WHAT PJM GOT RIGHT (AND WRONG) ABOUT TSA’S APPROACH

By correctly pointing out the critical importance of the interstate oil and gas pipeline industry to electric reliability, PJM’s filing highlights the radically different methods and structures employed by the electric power industry to ensure its reliability and cybersecurity as compared to the model of cybersecurity oversight of the energy pipelines upon which electric reliability depends so heavily for fuel. PJM, perhaps speaking for others in the electric industry, urges TSA to harmonize the cybersecurity of pipeline and electric power operations by creating a reliability institution like the North American Electric Reliability Corporation (“NERC”) and applying the uniform standards and protocols of the electric industry to pipelines.

PJM may be directionally correct about the need for a more predictable and institutionally sound response to the threat environment than TSA alone can provide when it comes to protecting pipeline operations against cyber intrusions and the potential environmental and economic catastrophes that could result. However, a NERC for pipelines is, strictly speaking, neither likely nor necessary. NERC, as a creation of diverse elements of the electric power industry, worked for that industry for over a half-century as a voluntary public-private partnership. Its adoption into federal law in 2005 as an independent reliability organization was broadly supported as an indication of how electricity system operations had changed and how challenging reliability had become in the intervening years. There has never been an analog to NERC for energy pipelines. As we explain further below, creating such a complex institution as NERC for pipelines would be unpopular and expensive. On the other end of the regulatory compliance spectrum, a fair reading of the ANOPR suggests that TSA is just beginning to ask individual pipelines about their basic cybersecurity practices, e.g., the method, number, and timing of risk assessments done and which standards are applied.35 IPRO feels compelled to observe that TSA should know the answers by way of investigation, continuous communications, and standards enforcement, not as the result of general input from advanced rulemaking.

Try as it might to strengthen the practices and protections of oil and natural gas pipelines through mandated instructions and data requests, individual pipeline operations differ, and TSA will always be playing ‘catch-up’ and doing its best to accommodate those differences and still ensure compliance with applicable standards. A single collaborative made up of the industry participants that takes lead responsibility for assessing and mitigating the risks inherent in the energy supply chain seems to us a more practical approach. Similar to the original NERC, such a ‘bottom-up’ mechanism would act as an institutional partner that effectively reports to TSA and other regulators with expertise and jurisdiction over cybersecurity and these specialized delivery systems for fossil energy. This would add the transparency and rigor that PJM appears to be looking for without the government acting as the sole guarantor of pipeline cybersecurity. TSA, DOE, and FERC can surely agree that having a pipeline industry partner in the form that IPRO has promoted would both ease the burden on the government and involve the considerable cybersecurity expertise of pipeline companies in developing cybersecurity performance assessment procedures that build on what the industry already knows. In our view, this is a challenge for the industry, not just TSA. But TSA can take the first steps toward this collaborative model.


IV. RECOMMENDED NEXT STEPS FOR PIPELINE CYBERSECURITY AND REQUEST FOR PUBLIC PROCEEDINGS

IPRO requests that TSA engage in public workshops or a public hearing to develop a more strategic approach to energy pipeline cybersecurity that adds certainty and partnership to what appears to have been exploratory to date. IPRO agrees with TSA that assessing the OT and IT needs of pipeline operators and the oil and gas pipeline industries is critically important. TSA has had two years since the Colonial Pipeline incident to become steeped in pipeline operations and technology. TSA should therefore be prepared to quickly follow this ANOPR with public proceedings and a Notice of Proposed Rulemaking that initiates new approaches that support and encourage the adoption of cybersecurity enhancements for the oil and natural gas pipeline industries.

Proceeding with a Notice of Proposed Rulemaking and a Final Rule in this area will allow the regulated community, the public, and other interested governmental entities to assist in developing an administrative record to support the TSA’s efforts. In IPRO’s view, these issues have not been fully ventilated except perhaps in this rulemaking and in TSA’s individual pipeline auditing processes. TSA needs to determine the institutional prerequisites for a public-private partnership in which the industry acts through IPRO or similar collaboratives, and should then contemplate how it will interact with this industry partner to ensure compliance with appropriate standards, to meet current cybersecurity needs, and to anticipate new threats to the natural gas and electric systems.

The basis for IPRO’s approach is not only the apprehension we share with PJM that TSA may lack the resources and capabilities necessary to address pipelines’ operational needs and vulnerabilities without a significant expansion of its mission and organization. The risk of underachievement is great. The IPRO approach is also based on the need to recruit industry leaders and experts as the primary pipeline cybersecurity leaders, not individually, but through a new institution that they help create and fund. Therefore, IPRO proposes to team up with TSA and other Federal counterparts to help identify and meet the needs of oil and natural gas pipelines of all sizes and locations. If TSA were to commit to exploring that scenario, IPRO contends that pipeline companies would consider joining actively in that self-regulatory effort, hopefully (our perspective) through the good offices of IPRO.

To summarize, IPRO would help pipelines collaborate to establish a voluntary, industry self-regulatory mechanism committed to ensuring that all pipelines meet cyber best practices. It would do so by means of an ongoing assessment procedure, an ICS risk assessment architecture, promotion of training, programs, and a culture of compliance. As we have described elsewhere, IPRO processes also entail on-site visits, questionnaires, and a range of post-assessment services that can deliver reputational benefits, shareholder confidence, and lower operating costs.

In contrast to TSA’s approach to pipeline cybersecurity in SD1 and SD2, IPRO’s approach leverages and builds upon existing programs and practices in the natural gas or oil pipeline industries. While IPRO employs established frameworks and standards, its Cyber Performance Assessment (“CPA”) process is proprietary. Additionally, it is specifically designed to help individual companies apply established standards and practices properly. IPRO promotes conformity and understands the special needs and characteristics of individual pipelines’ industrial control systems and best practices across the entire pipeline network.36 IPRO’s CPA program methodologies and procedures are specifically designed for assessing the oil and gas industries’ maturity levels. This includes identifying and recommending remediation of cyber and physical intrusion and disruption risks to individual pipeline facilities and pipeline systems.37

Finally, IPRO notes that regulators and pipeline companies (especially smaller companies lacking the resources to manage cybersecurity going forward) are currently disadvantaged in measuring and achieving cybersecurity performance when compared to the elaborate and Congressionally authorized reliability regime administered by NERC under FERC oversight. IPRO would act as an intermediary organization -- to the extent it is supported by the industry itself -- to enhance the transfer of information and expertise among the companies and between the industry and government. To be clear, IPRO does not recommend adopting an organization equivalent to NERC; however, an organization modeled on the early implementation of NERC could prove instrumental in coordinating industry cybersecurity practices and compliance with standards, providing security and technical support at scale and lower cost, thereby making pipeline security more predictable. TSA and its Federal counterparts should therefore take up this proposal as part of this proceeding.

Respectfully submitted,


            /s/ Randall Stremmel                                       
Randall Stremmel
Founder and Vice President 
International Pipeline Resilience Organization 
15331 Misty Dawn Trail 
Cypress, TX 77433 
randall.stremmel@resilientpathsolutions.com 
(937) 418-8489                   

James J. Hoecker
Frederick G. Jauss IV
HUSCH BLACKWELL LLP
1801 Pennsylvania Avenue, NW, Suite 1000
Washington DC 20006
james.hoecker@huschblackwell.com
fred.jauss@huschblackwell.com
(202) 378-2316
Counsel for the International Pipeline Resilience Organization

1 The International Pipeline Resilience Organization was founded in 2020 as a member-driven, 501(c)(6) non-profit corporation whose purpose is to work on behalf of two critical energy delivery industries -- oil and natural gas pipelines (including natural gas liquids and refined products pipelines). IPRO processes are designed to identify pragmatic controls that would reduce or eliminate the risks of cyber or physical intrusions and the resulting disruption of services. As a voluntary organization open to all parties interested in its mission, the IPRO concept focuses on enterprise-wide cyber challenges and solutions that will achieve durable security for the North American energy supply chain, including the vertically integrated market for natural gas and electrical generation. https://www.pipelineresilience.org/

2 Enhancing Surface Cyber Risk Management, 87 FR 73527-01 (Nov. 30, 2022), as modified by, 87 FR 78911-02 (Dec. 23, 2022). Although the ANOPR applies to other forms of surface transportation under TSA jurisdiction, IPRO is not offering any comment regarding cybersecurity of freight or passenger railroads or rail transit.

3 “Comments of PJM Interconnection, L.L.C.,” Docket No. TSA-2022-0001 (Feb. 1, 2023).

4 See Senate Energy and Natural Resources Committee: Cybersecurity Vulnerabilities to the United States’ Energy Infrastructure, March 23, 2023, CQ Transcription (“ENR Hearing Transcript”).

5 A full explanation of the IPRO model is available on its website: https://www.pipelineresilience.org/

6 https://portal.phmsa.dot.gov/analytics/saw.dll?Portalpages&PortalPath=%2Fshared%2FPDM%20Public%20Website%2F_portal%2FPublic%20Reports&Page=Infrastructure

7 https://www.eia.gov/energyexplained/us-energy-facts/

8 https://www.eia.gov/energyexplained/electricity/electricity-in-the-us.php

9 https://www.eia.gov/energyexplained/us-energy-facts/

10 https://www.eia.gov/energyexplained/use-of-energy/transportation.php

11 https://www.eia.gov/todayinenergy/detail.php?id=31232

12 Id. See, e.g., Final Report of the United States Cyberspace Solarium Commission at v-vi (March 2020) (available at https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view) (arguing that Congress needs to act on cybersecurity threats to improve deterrence); Atlantic Council, Securing the Energy Transition Against Cyber Threats: Report of the Atlantic Council Task Force on Cybersecurity and the Energy Transition at 6 (Jul. 2022), https://www.atlanticcouncil.org/wp-content/uploads/2022/08/Securing-the-Energy-Transition-against-Cyber-Threats.pdf (“Abundant examples both domestically and internationally show that the cyber threat [to energy systems in the US] is real.”).

13 Vulnerability and threat trends report 2022, Skybox Security (2022), https://www.skyboxsecurity.com/resources/report/vulnerability-threat-trends-report-2022/?modal=true.

14 Allison Good, “US utilities prepare for heightened cybersecurity risk from Russia,” S&P Global Commodity Insights (March 1, 2023), available at https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/us-utilities-prepare-for-heightened-cybersecurity-risk-from-russia-69134779

15 See, e.g., Final Report of the United States Cyberspace Solarium Commission at 9 (March 2020) (available at https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view) (arguing that a cyberattack on a natural gas pipeline could cause localized, temporary effects on critical infrastructure for days or weeks).

16 See, e.g., Final Report of the United States Cyberspace Solarium Commission at v-vi (March 2020) (available at https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view) (arguing that Congress needs to act on cybersecurity threats to improve deterrence); Atlantic Council Report at 6 (“Abundant examples both domestically and internationally show that the cyber threat [to energy systems in the US] is real.”).

17 Federal Energy Regulatory Commission, North American Electric Reliability Corporation, FERC, NERC and Regional Entity Staff Report: The February 2021 Cold Weather Outages in Texas and the South Central United States at 15-16 (Nov. 16, 2021) (discussing that natural gas fuel supply issues were the root cause of a significant portion of the outages and derates).

18 International Pipeline Resilience Organization, Pipeline Cybersecurity in the Shadow of the Ukraine War (Mar. 14, 2022), https://www.pipelineresilience.org/news/pipeline-cybersecurity-in-the-shadow-of-the-ukraine-war (noting the myriad agencies that have oversight over natural gas and oil pipelines but concluding that “few have any agreement or understanding about how pipelines operate or what pipelines can or should be doing to prepare for this threat environment.”).

19 To illustrate, within the Department of Homeland Security (“DHS”), the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Transportation Security Administration (“TSA”) are responsible for pipeline cybersecurity. CISA is designated the lead cyber police officer at the Federal level. TSA’s pipeline jurisdiction derives from its role overseeing security of transportation. Within the Department of Energy, the Office of Cybersecurity, Energy Security, and Emergency Response addresses emerging threats to any energy infrastructure. At the Department of Transportation, the safety of pipeline operations is overseen by the Pipeline and Hazardous Materials Safety Administration (“PHMSA”) whose mission includes the transportation of natural gas and oil deemed hazardous to the environment and human health. These activities naturally affect agencies of government responsible for national security. For further description, see generally U.S. Gov’t Accountability Off., GAO-20-629, Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy (2020).

20 Atlantic Council, Securing the Energy Transition Against Cyber Threats: Report of the Atlantic Council Task Force on Cybersecurity and the Energy Transition at 15 (Jul. 2022) (“Atlantic Council Report”), https://www.atlanticcouncil.org/wp-content/uploads/2022/08/Securing-the-Energy-Transition-against-Cyber-Threats.pdf (citing Hearing on Keeping the Lights On: Addressing Cyber Threats to the Grid, Before the House Subcomm. on Energy, 116th Cong. (2019) (statement of James B. Robb, President and Chief Executive Officer, North American Electric Reliability Corporation), https://www.nerc.com/news/testimony/Testimony and Speeches/House Energy and Commerce Cyber Hearing Testimony 7-12-19.pdf).

21 Testimony of Robert Lee, CEO, Dragos, March 23, 2023 at 4, available at https://www.energy.senate.gov/services/files/8EABCA22-4601-4F93-89A4-1473F0572D32.

22 ENR Hearing Transcript at *31.

23 The question of which Federal agency should conduct cybersecurity oversight of a regulated industry, wholly or in part, is a persistent and often unresolved issue, as the recent ENR Hearing attests. In particular regions, the electric industry relies very heavily on reliable gas transportation, stated the Chief Security Officer of AEP. “[W]e need that gas pipeline to be just as reliable as [the] electric grid. . . . And if FERC can lead that, then I think . . . we can have the same progress for both industries.” ENR Hearing Transcript at *33. Robert Lee of Dragos added, “I don’t really care which one [FERC or TSA] takes it, so long as it’s one. When TSA rolled out the regulations, no offense to them, but it was massively rushed, like a 24-hour heads-up, no understanding why we were doing it, what we were supposed to accomplish, only how to operate our systems. If you have followed the original TSA SD2 guidance to a T, you would have taken down pipelines in this country. TSA SD02C is a lot better. . . . Somebody needs to [ ] actually standardize instead of having competing requirements.” ENR Hearing Transcript at *34. Added Puesh Kumar, Director of the DOE Office of Cybersecurity, Energy Security, and Emergency Response, “We need to ensure that the pipelines – and I would extend it to the broader oil and natural gas sector. We need to really up our cybersecurity

24 “DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators,” https://www.dhs.gov/news/2021/07/20/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators

25 “Understanding, Implementing New TSA Pipeline Directive,” available at https://pgjonline.com/magazine/2022/december-2022-vol-249-no-12/features/understanding-implementing-new-tsa-pipeline-directive

26 https://www.tsa.gov/sites/default/files/tsa_sd_pipeline-2021-02-july-21_2022.pdf at 2-3, 16-21.

27 Inside Cybersecurity, “American Petroleum Institute urges TSA to draw lessons from experience with pipeline security directives,” Feb. 7, 2023, https://insidecybersecurity.com/daily-news/american-petroleum-institute-urges-tsa-draw-lessons-experience-pipeline-security

28 Order No. 809, Coordination of the Scheduling Processes of Interstate Natural Gas Pipelines and Public Utilities, 151 FERC ¶ 61,049 at P 2 (2015).

29 15 U.S.C. 717d.

30 16 U.S.C. 824e.

31 See Order No. 809 at P 17.

32 Incentives for Advanced Cybersecurity Investment, 180 FERC ¶ 61,189 (2022), Phillips Concurring Statement at P 6.

33 Id.

34 Robin Berthier, “What Mike Tyson can teach us about OT network security,” (Dec. 20, 2022), https://federalnewsnetwork.com/commentary/2022/12/what-mike-tyson-can-teach-us-about-ot-network-security/ (In the ever-shifting cyber threat environment, thorough and continuous preparation is required, but a strategy for recovery is also important. “Everyone has a plan until they get punched in the mouth.”)

35 See Section III, ANOPR, 87 FR at 73535-36.

36 IPRO’s CPA model is positioned in alignment with the new model of sustainable cybersecurity envisioned by CISA Director Easterly. “In sum, we need a model of sustainable cybersecurity, one where incentives are realigned to favor long-term investments in the safety and resilience of our technology ecosystem, and where responsibility for defending that ecosystem is rebalanced to favor those most capable and best positioned to do so.” “CISA Director Easterly Remarks at Carnegie Mellon University,” available at https://www.cisa.gov/cisa-director-easterly-remarks-carnegie-mellon-university

37 For more information, see https://www.pipelineresilience.org/
