IPRO ANALYZES TSA’S PIPELINE CYBERSECURITY REGIME

WASHINGTON, D.C. --- Today, the International Pipeline Resilience Organization (“IPRO”) called upon the Transportation Security Administration of the U.S. Department of Homeland Security to revamp its framework for ensuring the cybersecurity of oil and natural gas pipelines, whose Information Technology (“IT”) and Operations Technology (“OT”) remain subject to cyber attack for lack of transparency, a dedicated workforce, and a thorough enforcement program. Energy pipelines are a vital link in the Nation’s energy economy and an especially important part of the fuel supply chain for electrical generation. IPRO contends that TSA and other agencies that share jurisdiction over pipelines have failed to provide a coherent mechanism for ensuring that pipelines comply with the highest security standards and best practices, as exists for the electric power industry under the North American Electric Reliability Corporation (“NERC”).

IPRO’s comment to TSA in response to its Advance Notice of Proposed Rulemaking (Docket No. TSA-2022-0001) highlights the work still to be done even after TSA’s response to the 2021 Colonial Pipeline ransomware attack and despite its two cybersecurity Directives. TSA’s rebuilt staff and goal-setting arguably remain inadequate to the shifting demands of the current threat environment, as highlighted by this ongoing rulemaking that still reflects TSA’s need for basic pipeline cybersecurity information. PJM Interconnection submitted its concerns for electric reliability in this regard. While IPRO does not entirely support a “NERC for pipelines,” it strongly urges TSA to take the initiative to marshal pipeline security resources in a more coherent and collaborative way, in the interest of both the gas and oil pipelines, and the electric generation companies which depend on them.

“We don’t know when or if to expect a Proposed or Final Rule from TSA. They are outgunned by events,” stated Jim Hoecker, head of IPRO and former Chairman of FERC. “Energy infrastructure, like all industrial control systems (ICS), is becoming more digitalized and interconnected, and therefore more vulnerable. In response, IPRO has offered TSA and the pipelines a self-regulatory, voluntary model for making systemic improvements that ensure pipeline operations are as secure as possible. The pipelines and all ICS owners have learned important lessons from Colonial and other attacks, but one ‘blind spot’ that remains unaddressed is how to galvanize companies in common support of better compliance instead of relying on the directives of federal or state regulators.”

“The convergence of IT and OT has modernized the electric power industry but has created a need for perpetual technological investments, intelligence, process improvements, and vigilance,” stated Randall Stremmel, cybersecurity analyst and co-founder of IPRO. “It’s no wonder that pipelines – especially those with fewer resources and less cyber expertise – feel burdened by this state of affairs and the prospect of ever-increasing federal and state cybersecurity regulation if and when cyber intrusions increase.”

“FERC’s proposed approach to rewarding cybersecurity investments -- electric utilities get incentives, gas pipelines don’t -- is another blind spot,” claims Fred Jauss, FERC regulatory attorney and Counsel to IPRO. “The disparity is not sustainable and may even undermine electric reliability. This just illustrates how, when cyber attacks drop from the front pages, solutions to our collective cyber challenges don’t get addressed by the many agencies that have inherited jurisdiction over energy delivery services like oil and natural gas.”

About IPRO

The International Pipeline Resilience Organization was founded in 2020 as a member-driven, 501(c)(6) non-profit corporation whose purpose is to work on behalf of two critical energy delivery industries -- oil and natural gas pipelines (including natural gas liquids and refined products pipelines). IPRO processes are designed to identify pragmatic controls that would reduce or eliminate the risks of cyber or physical intrusions and the resulting disruption of services. As a voluntary organization open to all parties interested in its mission, the IPRO concept focuses on enterprise-wide cyber challenges and solutions that will achieve durable security for the North American energy supply chain, including the vertically integrated market for natural gas and electrical generation.

For further information:
James Hoecker 202-378-2316/202-549-0584
james.hoecker@huschblackwell.com
