Michael L. Krancer, Margaret Anne Hill, Thomas M. Duncan, and Frank L. Tamulonis III
What is the No. 1 worldwide security threat? The answer is cybersecurity. This is especially so for our critical energy production and delivery infrastructure.
A cyberattack presents the risk of unfathomable asymmetrical physical damage to life and property, as well as the potential for flat-lining the enterprise value of any targeted company. A congressional commission has estimated that in a prolonged nationwide blackout (in the context of an electromagnetic pulse attack), about 90 percent of the U.S. population would be dead from disease, lack of food and resources, and societal breakdown. That 90 percent won’t care whether the nation was struck by an EMP attack or a cyberattack.
According to the U.S. Department of Homeland Security (DHS), over the past several years the energy sector has incurred the greatest number of cybersecurity incidents. The Pennsylvania Public Utility Commission held a multiagency summit on cybersecurity Oct. 1, which was intentionally timed with National Cybersecurity Awareness Month. The PUC, to its credit, gathered in one room the DHS, as well as state and local agencies including the Office of Administration, the Pennsylvania Emergency Management Agency, the Pennsylvania State Police, the Pennsylvania Office of Homeland Security, and several large utilities to vet this problem and talk about preparedness, prevention and solutions.
So far, so good in Pennsylvania in getting the job done to protect critical energy infrastructure from cyberattacks. But, the summit stressed that the danger is not going away and that we must constantly work together to stay vigilant. Indeed we must. According to a Wall Street Journal report, a survey of 625 IT executives in the United States and Europe found that 48 percent said they think it is likely there will be a cyberattack on critical infrastructure, including energy infrastructure, in the next three years that will result in the loss of life. The costs of cybersecurity are also increasing at an alarming rate.
What are the threats, you ask? They are too numerous to list in this article, but here are a few: the Havex Trojan targets industrial control systems after it is mistakenly downloaded by customers; malware called BlackEnergy has targeted systems used in nuclear power plants; and an Iranian hacking campaign is under way that the FBI believes may be targeting the energy and defense industries. The Chinese, Russians and North Koreans can be added to the list of “usual suspects” as cybercrime, cyberespionage and cybersabotage have increasingly become their weapons of choice lately—and recent events show they are good and getting better at it. ISIS is also considered a dire threat in this regard.
In fact, nationalized cyberweaponization has become the norm for our enemies. According to Director of National Intelligence James Clapper, Russia’s Ministry of Defence is establishing its own cyber-command, which is expected to conduct offensive cyberactivities such as inserting malware into enemy command and control systems. In May 2014, the U.S. Department of Justice indicted five officers from China’s People’s Liberation Army on charges of hacking U.S. companies.
The highly interconnected nature of the national power grid and the increasing pressure placed on grid reliability by federal and state policies, including the U.S. Environmental Protection Agency’s recently issued Clean Power Plan and states’ renewable portfolio standards, could exacerbate the impacts of a cyberattack on energy infrastructure and potentially lead to “cascading blackouts.”
Power generation and delivery are not alone, of course. The oil and gas sectors are inviting targets as well. Some experts say that particular vulnerabilities exist at “single-point” assets such as refineries, storage terminals and other buildings, as well as “networked features” such as pipelines and cybersystems. Enemies may focus on a large-scale attack with the goal of temporarily halting the supply of oil and gas or even to create an environmental disaster.
Reminiscent of the time after World War I in which the world’s powers were sucked up in the vortex of a naval arms race and in came the Washington Naval Treaty of 1922, today’s superpowers are now doing something similar. President Obama appeared with Chinese President Xi Jinping on Sept. 25 to announce that the United States and China had reached an agreement on a number of issues related to cybersecurity. This U.S.-China agreement comes on the heels of China’s May cybersecurity agreement with Russia, and China’s recent attempt to enact laws requiring foreign firms operating in China to use China-approved encryption and reveal all source code for inspection. In the agreement, the United States and China agreed to cooperate “with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyberactivity emanating from their territory” and “to provide updates on the status and results of those investigations.” To review the timeliness and quality of responses to these requests, both countries have agreed “to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.”
In addition to this recent agreement, the United States and China are believed to have a framework in place for a cyberwarfare agreement that would prohibit either country from launching an initial cyberattack on the other’s critical infrastructure during peacetime. One hopes for, but experience shows cannot count on, better success now on cybersecurity than with the Washington Naval Conference.
Additional American domestic efforts to improve national cybersecurity are coming from both the executive and legislative branches. Executive Order 13636 requires the National Institute of Standards and Technology, part of the U.S. Department of Commerce, to create a framework to reduce cybersecurity risk for organizations within critical infrastructure sectors, including the energy sector. The framework is based on existing standards, guidelines and practices. Compliance with the framework, however, is voluntary.
The Department of Energy’s Office of Electricity Delivery and Energy Reliability also focuses on cybersecurity and works with the DHS, industry, and other agencies to reduce the risk of energy disruptions from cyberattacks. The office designed the Cybersecurity for Energy Delivery Systems (CEDS) program to assist the energy sector asset owners (electric, oil and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.
The Department of Energy’s Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2), developed in partnership with the DHS, is an 83-page document that helps improve cybersecurity capabilities and includes reference material and implementation guidance specifically tailored for the oil and natural gas segments of the energy sector. The model can be used to strengthen cybersecurity capabilities in the ONG subsector; enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities; share knowledge, best practices and relevant references within the subsector as a means to improve cybersecurity capabilities; and enable ONG organizations to prioritize actions and investments to improve cybersecurity. The ONG-C2M2 is designed for use with a self-evaluation methodology and toolkit.
Before the Senate now is a bill sponsored by Sen. Richard Burr, R-North Carolina, S 754, the “Cybersecurity Information Sharing Act” (CISA), which requires the director of national intelligence, the DHS secretary, the secretary of Defense, and the U.S. attorney general to create a system to promote the sharing of a broad range of cybersecurity information.
CISA would give private entities, including oil and gas companies, greater liability protection for sharing personal data related to certain cybersecurity information. CISA has faced strong opposition, mainly due to concerns that it may impinge on individuals’ Fourth Amendment right to privacy. If agencies are to store personal information, they must maintain highly sophisticated cybersecurity systems. CISA, however, does not include any requirements or funds to promote these systems. Twenty-two amendments are on the Senate floor, many of which limit the events that provide legal immunity and reduce the ability for agencies to share information with one another. The DHS has expressed concern because the bill allows other agencies to collect this information, potentially reducing the DHS’s current role in this space.
Others have criticized CISA for not going far enough. CISA only creates a framework for information-sharing intended to allow agencies to identify how best to protect against future cyberattacks. What some expect, or hope, to follow CISA is ultimately the enactment of minimum standards for corporate cybersecurity systems. A vote on the bill is expected soon.
Pennsylvania is acting as well, with the PUC in particular showing exemplary leadership. Public utilities are required to develop and maintain a written cybersecurity plan under 52 Pa. Code Sections 101.1-101.7. The PUC took the occasion of its October cybersecurity summit to release its second edition of the PUC “Cybersecurity Best Practices for Small and Medium Pennsylvania Utilities.” The best-practices document is available on the PUC’s website (goo.gl/oMPaae). The document is a magnum opus loaded with information including ways to prevent identity or property theft; how to manage vendors and contractors who may have access to a company’s data; what to know about antivirus software, firewalls and network infrastructure; how to protect physical assets, such as a computer in a remote location or a misplaced employee device; how to respond to a cyberattack and preserve forensic information after the fact; how to report incidents; the potential benefits of engaging a law firm in advance of a breach; and a list of federal cyberincident resources.
In light of the enormous asymmetrical physical and financial damage that cyberattacks can inflict, as well as our apparent vulnerability to those attacks, one thing is clear: A good defense (and perhaps even offense) against such mischief is going to require not only continued efforts, but also an ever-increasing amount of attention, teamwork, effort, and human and financial capital investment going forward.
“Energy Sector Beware: Cybersecurity Now Top Security Threat,” by Michael L. Krancer, Margaret Anne Hill, Thomas M. Duncan, and Frank L. Tamulonis III was published in The Legal Intelligencer on October 16, 2015. To read the article online, please click here.