Colonial Pipeline Hack: Time for Cybersecurity Standards in the OIl & Gas Industry?

At least as far as the energy – and, more specifically, the natural gas – industry is concerned, 2021 cannot seem to catch a break. The Texas winter freeze news cycle has barely thawed and spring has brought fresh problems in the form of a cybersecurity attack that has stopped operations at Colonial Pipeline.

The natural gas pipeline company transports 2.5 million barrels of natural gas per day across 5500 miles, from Houston, Texas to Linden, New Jersey. Colonial has stopped transporting gas as a “precautionary measure” on Friday and says it will resume operations later this week.

News reports about the incident are vague. For example, the scope of the attack is unclear. Colonial claims that its IT systems are affected but not its control systems, meaning the hack has not crippled its operations.

The attack has occurred at a time when the US economy is opening up after the Covid shutdown. Travel, across land and air, is expected to pick up. But the lower Atlantic region, which is supplied by Colonial, had just 23.8 million barrels of inventory stockpiled i.e., 9% less than the 5-year average at this time. This means that the Northeast supply disruption could turn into a serious issue, if it is prolonged.

“If the pipelines are up and running, the impact will not be significant or lasting,” Roger Read, Wells Fargo analyst, told the Wall Street Journal. If it lasts longer, however, inventory levels on the East Coast will shrink and lead to a gasoline price increase. Indeed, motorists across the United States are scrambling to fill up their tank and North Carolina has already a state of emergency due to the disruption.

Is It Time for a Cybersecurity Framework for the Oil & Gas industry?  

More than anything else, the ransomware attack exposes the gaping cybersecurity hole in the country’s energy infrastructure.

While they may be considered inadequate, the NERC cybersecurity standards provide a common framework for electric utilities to bolster their networks against cyberattacks. No such framework exists for the oil and gas industry. The absence of standards could have a domino effect on the electricity industry because natural gas is the biggest source of electricity generation in the United States. One would think that, given the fuel’s importance, protecting critical infrastructure would be a priority, even mandatory. But that isn’t the case. It is voluntary, from the cybersecurity perspective.

The National Institute of Standards and Technology Cybersecurity Framework is used by natural gas pipeline operators to protect their networks. Natural gas companies and operators have customized and adopted different standards defined in the framework, based on their business model. The American Gas Association and its operators rely on “voluntary” action to enhance the physical and cyber security of the nation’s 2.5 million miles of natural gas pipeline, according to a 2016 report by the Natural Gas Council. “The reliance upon voluntary mechanisms including proven frameworks and public-private collaboration, rather than compulsory standards or regulations, is the best way to bolster the cybersecurity of industry companies and the critical infrastructure they operate,” the report concluded.

But a voluntary effort does not ensure a uniform and concerted response and makes different parts of the industry more vulnerable. A 2020 report by the Livermore National Laboratory at Berkeley concluded that the "sheer number" of regulatory bodies and trade groups offering best-practice recommendations made it difficult to "create a comprehensive, directed, and coherent strategy that is applicable to all players within the ONG industry." In other words, the absence of standards has created an array of differing (and confusing) implementations. Hackers have taken advantage of these vulnerability in the energy industry and utility industry, with the result that the sector is the most susceptible to ransomware attacks in 2020.     

In a WSJ interview, Suzanne Lemieux, the American Petroleum Institute’s manager of operations security and emergency response policy criticized the electricity sector’s framework for creating compliance costs with few security payoffs. True, the costs associated with cybersecurity compliance run into billions of dollars. However, natural gas companies do not require permission from regulators to spend on cybersecurity. The size and market capitalization of even publicly-listed electric utilities is small in comparison to energy giants. Cybersecurity spending, even if substantial, will help ensure reliability in supply and further boost their profits.