January 2021, Vol. 248, No. 1
Features
Action Remains Best Defense Against Pipeline Cyberattack
By Krystal Scott and Ewaen Woghiren, Jones Walker LLP
Can a group of businesses as geographically and functionally diverse as the midstream sector of the oil and gas industry find common solutions to today’s most pressing challenges? When it comes to cybersecurity, we believe the answer is “Yes.”
In 2018, Jones Walker LLP’s energy and cybersecurity teams conducted a survey of the maritime industry’s cybersecurity preparedness. We wanted to help maritime companies better understand the cyber-threats they face and develop a set of takeaways and actionable best practices that could enable participant companies to increase their cyber-resilience.
In early 2020, we focused our analysis on the natural next step in our nation’s energy infrastructure: midstream oil and gas companies. Companies in this sector employ tens of thousands of individuals, manage millions of miles of pipelines and terminals from coast to coast, and rely on a vast array of data management, communications, decision support and other technologies to conduct day-to-day and strategic operations.
Midstream companies are also diverse by other measures. Businesses in this sector vary greatly in size, from fewer than 50 to more than 10,000 employees. Some entities focus primarily on offshore operations; some have mainly onshore operations; and others have both offshore and onshore operations.
While a majority of midstream companies operate pipelines – which run through remote areas as well as highly populated urban neighborhoods – many also own and manage storage tanks, oil tankers and barges, fleets of trucks, and railway assets. They also transport various commodities including natural gas, oil, liquefied natural gas (LNG) and natural gas liquids.
This sector’s sheer complexity raises significant cybersecurity challenges. With an almost infinite number of connection points between people, technology and equipment, cyber-criminals, hackers, terrorists and other threat actors almost have their choice of targets. Following are just a few examples of cyberattacks from over the last decade:
Chinese state actors hacked pipeline SCADA systems; pipeline gas compressor stations have been targets of “brute force” attempts to compromise networks; Russian hacker group Energetic Bear attacked U.S. energy companies, including petroleum pipeline operators; and a major U.S. gas compression facility was hit by ransomware that gained entry via a spear phishing attack that crippled the facility’s operational technology network.
Threat actors’ motives for committing cyber-crimes also vary, ranging from simple extortion, fraud and intellectual property theft, to retribution for perceived wrongs, exposure or destruction of sensitive data and the disruption of core services.
Given all these incentives and the growing frequency of cyberattacks on midstream delivery systems, the question isn’t whether an attack is likely to occur, but when.
Why does all of this matter? What are the risks of a cyberattack on a pipeline system? Among other consequences, a major cyber-breach could result in additional disruptions to commodity prices, widespread energy shortages or outages, and loss of life and property.
Less severe consequences include declining customer confidence, potential law-enforcement investigations and physical damage to facilities. The general consensus among those knowledgeable about cybersecurity in the energy space, however, is that a data breach can typically lead to an eight-figure loss.
With all of these issues and risks in mind, our 2020 investigation had several primary goals: (1) assess the current state of cybersecurity preparedness in pipeline companies, distributors and other sector participants; (2) identify key weaknesses in the midstream space; (3) develop clear, practical and cost-effective breach-prevention and response strategies.
Situation Today
In addition to the midstream sector’s sheer complexity, a confluence of issues and events have made it particularly vulnerable to cyber-threats. First, there is relatively little comprehensive, coordinated federal oversight.
Permitting is regulated by the U.S. Federal Energy Regulatory Commission (FERC); safety is regulated by the Department of Transportation (DOT); and security is regulated by the Department of Homeland Security (DHS), primarily through the Transportation Security Administration.
Other federal and private entities also play a role in pipeline security, but by and large, energy companies are forced to rely on a patchwork of systems.
Commodity prices are another challenge. By early 2020, midstream oil and gas companies faced price pressures as a result of overproduction, petroleum wars between OPEC+ member countries and shifting consumer and industry demand. As the global COVID-19 pandemic gained steam, entire economies began to shut down, leading to a steep drop in energy demand.
In response to the pandemic-related closures of on-site facilities, companies have quickly, and sometimes haphazardly, implemented remote-work arrangements.
For pipeline networks in particular, this has meant increased reliance on autonomous systems to manage pipeline operations. These operations have expanded vulnerabilities and reduced physical, procedural and technical barriers to threat actors.
In the face of all these operational and financial challenges, midstream companies must make difficult, complex choices. We believe, however, that companies do not have to compromise cybersecurity to remain profitable in this challenging economic climate. A review of our survey data underscored this point.
Security Status
To help midstream companies better understand the current cybersecurity landscape and make more informed, strategic decisions, we surveyed 125 key executives, security and compliance officers, and general counsel from companies of all sizes engaged in a broad range of activities.
We identified several key findings:
Planning equals a sense of preparedness. Of the respondents who reported that their companies have a cybersecurity response plan in place, 95% reported that they were very or somewhat prepared to prevent or withstand a cyberattack.
Overconfidence is a potential problem. Most respondents (more than two-thirds) said that their own companies and the industry as a whole were prepared for a cyber-breach. However, 28% reported that their company had been targeted in an unsuccessful attack, and 12% reported that an attack had resulted in a successful breach.
COVID-19 has given rise to increased security measures. Many companies appeared aware of the risks associated with an increase in remote work and made attempts to reduce those risks.
About two-thirds had published company-wide cyber-awareness warnings, and 45% had undertaken a review of their company-wide security posture. In fact, only 1% of respondents indicated that they had taken no additional steps as a result of the COVID-19 health crisis.
Employee behavior is a top concern … but not necessarily an impetus for action. Employee or individual contractor behavior, such as responding to phishing emails or failing to secure devices, was identified among midstream companies’ top cybersecurity risks.
But only about one in three respondents said that their company provided cybersecurity training to their personnel at least on an annual basis. An eye-catching 60% of respondents indicated that their company provides infrequent or no cybersecurity training at all.
Control systems and mobile devices are rated top tech vulnerabilities. SCADA and other industrial control systems, field-device management systems and mobile devices (smartphones and tablets) were seen as the top technology-based vulnerabilities by respondents. Such systems and devices can improve efficiencies, but a failure to protect them adequately can create holes in a cyber-defense strategy.
Companies guard their cybersecurity secrets too closely. While there was general agreement as to sector-wide threats, only 10% of respondents indicated that their companies participated in any industry-based or public-private partnerships aimed at sharing threat assessments, information and prevention best practices.
Sealing Leaks
We have identified key findings from the survey data in which high-value solutions could boost cybersecurity gains while acknowledging budgetary constraints. Few businesses today are in a position to dedicate a substantial portion of limited revenues to cyber-preparedness, but no business can afford to ignore risks altogether. There is a middle ground.
In addition to exercising other best practices, pipelines and other midstream companies should:
Develop a top-down approach. The cybersecurity message must come from and be modeled from the top. In our survey, we found high levels of executive engagement in developing and executing cybersecurity plans.
A full 90% of respondents said that their CEO/president participated in the company’s cybersecurity plan, and 89% indicated that chief information officers were also highly involved. However, just over one-third of companies (38%) had specifically appointed information security or compliance officers besides the CIO. Businesses should consider creating a manager- or executive-level position dedicated solely to cybersecurity.
Know your (fr)enemies. While 75% of respondents listed employee errors as a serious concern, third-party vendors were an unappreciated threat.
Less than 20% of respondents listed outside contractors and other service and product providers as a vulnerability, despite the fact that more than half of all cyberattacks are the direct or indirect result of third-party access to data and systems. (Even nontechnology vendors can be the conduit for an attack. In the case of a recent breach of Target Corporation, the access point was an air-conditioning subcontractor. For Delta Air Lines, the attack came through a customer services vendor.)
In their contracts, companies should include provisions that require that their vendors and contractors develop their own cybersecurity plans, participate in basic notification and coordination activities, and engage in joint testing and threat management programs.
Pipeline and other midstream companies should develop a written cybersecurity incident response plan. IASME Governance, ISO 27001/27002, National Institute of Standards and Technology and other frameworks serve as solid starting points. Work with outside counsel and independent consultants to test the plan regularly, identify weaknesses, update the plan accordingly and incorporate emerging updates and threats.
A solution does not necessarily need to be expensive. Regular cybersecurity training, encryption, multifactor authentication and other tools can serve as your first and most valuable line of defense. Don’t stop there, however. Work with experienced legal counsel, insurers and other experts to identify additional practical steps that can help you prevent and recover from a cyberattack.
Today, a number of public-private partnerships and cross-agency federal and state programs have been developed to help companies stay informed about emerging threats, coordinate strategies and develop new techniques to address growing cyber-threats.
For pipeline companies and other energy-industry participants, public resources include the Office of Cybersecurity, Energy Security, and Emergency Response and its Cybersecurity for Energy Delivery Systems Division, both of which operate within the DOT and work closely with energy-sector owners and operators to detect, address and share information about cyber-risks.
Comments