IPRO

View Original

THE UKRAINE INVASION HEIGHTENS THE RISK FOR ENERGY PIPELINES

Washington, DC. The cyber threat environment, already risky, just got downright scary. Russia’s invasion of Ukraine and NATO’s retaliation may shake the stock market and jeopardize our 401K’s. Still, the outrageous military attack by Russia also placed our domestic natural gas and oil pipelines in the crosshairs of international cyber warriors! 

Among the economic penalties that NATO countries are imposing on Putin’s regime is a cancellation of the vital natural gas pipeline that Russia and Germany had planned to build to serve EU markets. As a result, the EU will be forced to find other energy resources, including the US. We already know that cyber warfare is one of Putin’s weapons of choice. Cyber retaliation is a predictable way for Putin to ensure the US feels the painful consequences of the sanctions. Putin will feel justified by the sheer symmetry of attacking US and Canadian gas and oil pipeline operations as a way of crippling both the North American economy and its energy exports. Moreover, such attacks are more likely to target pipeline operational technology (OT) than launching money-motivated ransomware attacks like Colonial’s recent misfortune. 

This vulnerability should not be underrated. As reported nationally, Maurice Obstfeld of the Peterson Institute for International Economics observed that Russia would love to roil digital life when the internet has become so central to modern economies. “The Russians are the best in the world at this. And we don’t know the extent to which they have burrowed into our systems.” (NYT, 1/24, B6) 

When critical pipeline infrastructures are challenged, will they be ready? Will Homeland Security’s Transportation Security Administration, a small agency charged with administering cyber standards and compliance for this sprawling industry sector, be up to that challenge? It’s a deadly serious question that’s impossible to answer in the opaque and fragmented environment that comprises domestic pipeline cybersecurity. As a Congressionally appointed commission stated less than two years ago, “the Government still lacks clear coordinated response mechanisms that build security into the cyber ecosystem and deter attacks of significant consequence.” 

It’s a little late for the industry or the federal establishment to be getting up to speed. Crossing our collective fingers is not an option. The Russians are coming! However, no single coordinated effort exists to help the industry ensure that controls are in place so hackers can’t sabotage compressors, foul-up gas or liquids processing, forcing tanks to overflow, blow out facilities, or cut off gas supplies to electric generators. Try as they might to understand the security risks, regulators have no ability to enforce compliance with best practices. 

What’s missing for the pipeline sector is the kind of coordinated, self-regulatory security mechanisms that govern reliability on the electric side and defray the need for more regulatory strictures. Under current circumstances, pipeline companies are destined to bear by themselves the costs and risks of today’s growing security threats. That’s neither smart nor fair. We contend that a more coordinated effort to hone industry standards, establish controls, and address the chinks in the energy supply chain is advisable. It’s in everyone’s interest to ensure that the security of this critical infrastructure network does not remain in question. 

Consequently, the International Pipeline Resilience Organization was created to bring pipelines together to prepare for a more dangerous cyber world. Pipelines risk managers should consider gathering under its flag. 

By:
James Hoecker 
Randall Stremmel 
Thomas Penn 
Emil Pena 

February 24, 2022 www.pipelineresilience.org