Cybersecurity is Energy Security. That’s Why We’re Protecting It.
There has been a lot of talk about the security of natural gas and oil pipelines when it comes to cyber threats – whether they are somehow more vulnerable to cyberattacks than other infrastructure, and whether there should be increased government regulation of industry’s cybersecurity programs.
Let’s clear up any confusion that may still be lingering: industry is deeply engaged in efforts to understand the threat, coordinate with cybersecurity experts across the board, and stay ahead of our adversaries. These statements of increased vulnerabilities are not based on corroborated intelligence and do not align with current threat reporting.
Our industry utilizes best-in-class international cybersecurity standards, close collaboration with government, and proven frameworks that – in contrast to prescriptive government-imposed standards or regulations – are the best ways to stay ahead of emerging threats and bolster the cybersecurity of natural gas and oil companies and the energy infrastructure they operate.
Government standards and regulations can quickly become outdated. Our industry is responding to threats in real time. Beyond the fact that the methods we use have been proven, time and again, they afford companies the necessary flexibility and agility to respond to a constantly-changing cyber threat landscape – something that just isn’t possible when resources must be dedicated toward static rules that are quickly made obsolete.
The report issued recently by the U.S. Government Accountability Office conducted at the request of Senator Cantwell and Congressman Pallone, affirms what we’ve been saying all along - natural gas and oil companies recognize that their assets are the targets of a growing number of increasingly sophisticated cyberattacks.
We recognize that these attacks are perpetrated by a variety of attackers including nation-states and organized international criminals. These attacks pose risks that could compromise the viability of a company and the critical services our industry supplies to the nation - we take this very seriously.
What the report leaves out is the fact that our industry works closely with the government agencies responsible for cybersecurity throughout the full natural gas and oil value chain – from Coast Guard regulatory oversight in maritime and maritime-facing facilities to Transportation Security Administration regulatory oversight of pipelines, as well as information sharing with the U.S. intelligence community via the Department of Homeland Security/National Cybersecurity & Communications Integration Center, plus the Department of Energy, FBI and others – all to ensure collaboration and communication at every point.
Beyond industry’s work with government, companies are also continuously sharing with each other cyber threat indicators and other security information through Information Sharing and Analysis Centers established in accordance with federal law – and participate in peer-to-peer learning through trade associations – to bolster individual companies’ cyber capabilities and provide critical lines of defense.
Our companies also engage premiere cybersecurity firms that specialize in protecting and defending critical infrastructure systems, utilizing some of the best talent in the world. This isn’t a passive operation; most, if not all, of the largest industry companies manage cybersecurity as an enterprise risk – the highest designation – like safety or geopolitical forces with oversight from Boards of Directors and Senior Executives.
Like I stated, we take this very seriously.
There appears to be a misconception between cyber threats and vulnerabilities in the calculation of risk to natural gas and oil pipelines. There is no denying that the natural gas and oil industry – as with most modern industries – faces cyber threats on an ongoing basis.
To be sure, the natural gas and oil industry’s reliance on proven risk management-based frameworks and public-private collaboration, rather than prescriptive regulation, is the most effective and robust method of bolstering the cybersecurity of our industry companies and the critical infrastructure they operate.
It's essential that companies be afforded the necessary flexibility and agility to respond to the increasing sophistication and adaptiveness of cyber adversaries, and that government and industry continue to partner to share cyber threat intelligence and strengthen cyber defenses.
We agree with Senator Cantwell - our nation's energy assets are critical to the safety, security and economic well-being of the country. This is precisely why we continue to protect it, in the most effective way possible.
Robin Rorick is the Vice President of Midstream and Industry Operations at the American Petroleum Institute.