Facing Down the Management Challenges of Cybersecurity
1. GOVERNMENT AND COMPANIES MUST JOIN FORCES. Government agencies have broad enforcement and intelligence capabilities but tend to see things through the lens of national security. Companies have company- or sector-specific risk and operational information. Government and business expose each other to risks and therefore should institute public-private collaboration. Two measures are instrumental: (1) investment in cybersecurity begins with awareness of risk at the top of the organization; and (2) support for an institution like IPRO, which is positioned to evaluate and facilitate A two-way sharing of responsibility, will enhance the visibility of otherwise-hidden vulnerabilities.
2. SHARING THREAT INTELLIGENCE. The oil and natural gas I-SAC and the Oil & Natural Gas Subsector Coordinating Council (ONGSCC) bring relevant companies and trade groups together. Directly or indirectly, pipeline cyber issues arise at PHMSA (DOT), CISA (Pipeline Cybersecurity Initiative) and TSA (DHS), CESER (DOE) and FERC. The interaction between pipelines and agencies, through these various channels, depends on some longstanding relationships but does not ensure information is timely or consistent. In a fast-changing cyber environment, executives and their government counterparts don’t always reciprocate. Experience shows that big concerns remain.
3. ALIGN CYBER EDUCATION WITH PERSONNEL NEEDS. The well-known shortage of cybersecurity personnel can best be alleviated by (1) pipelines working together to attract cybersecurity professionals to the industry and deepening the understanding of cybersecurity among pipeline operators, and (2) relying on IPRO to conduct assessments of system preparedness and prescribe controls, which would otherwise be done by individual pipeline personnel and/or government auditors.
4. SHARPEN INCIDENT-RESPONSE CAPABILITIES. Although IPRO will focus on prevention through implementation of controls, it may perform educational and training functions and work with cyber intelligence gathering agencies like CISA (DHS) and CESER (DOE) to plan for contingencies and also safeguard the privacy and intellectual property of pipeline companies. Such pipeline sector-specific training would be impractical and scattershot if not conducted by a single overall industry program like IPRO.
5. BUILD SECURITY INTO DESIGN. Instituting cybersecurity best practices is the most reliable way to minimize the consequences of human error from failing to detect a phishing attack to downloading malware. Promoting public awareness and upfront training, consistent with industry principles is necessary. However, industrial control systems (ICS) require a higher level of understanding of industry standards and best practices that pipelines need to instill in key personnel, either individually or collectively. For regulated natural gas pipelines, installation of cyber protections through the initial federal certification process would be easier and less expensive than bolting on new measures or technologies later. Vulnerabilities left unaddressed and subsequently exploited by malefactors invite regulators and public policy makers to fill the void.
