Keeping the Focus on Getting Cybersecurity Right
Mark Green
Posted July 14, 2021
A good cybersecurity discussion in the Wall Street Journal this week, featuring API’s Suzanne Lemieux, Accenture’s Jim Guinn and the University of Houston’s Chris Bronk. The conversation was a follow-up to the cyberattack on the Colonial Pipeline in May, which caused serious fuel disruptions along the East Coast.
We’ve previously pointed out that protecting the nation’s natural gas and oil infrastructure is critically important to maintaining U.S. energy affordability and economic competitiveness. Our industry recognizes this and has been deeply engaged with government agencies and a broad range of private sector stakeholders facing similar cyber threats, while pointing out that the Colonial attack underscores our country’s need for more energy infrastructure. A couple of important things highlighted in the Journal discussion:
Government information/intelligence needs to reach private companies
Information and intel sharing is critically important to check rapidly evolving threats. Unfortunately, the flow of information too often is too slow.
Lemieux: There’s a lot of intelligence coming through right now that just doesn’t make its way to private-sector operators who need it to make better defenses for their systems. We’ve seen a security directive from TSA that requires incident reporting. We want to make sure there’s a process in place on the government side to anonymize and share that information back with the sector so that we know what the current threats are. It takes months to declassify things. We need to really improve how they’re postured to share with the private sector.
Bronk: [T]he fundamental issue is getting the intelligence community to move information around. Declassifying intelligence and rapidly kicking it out to entities that don’t have the capacity to process classified information is just impossible. It’s not going to get better. When the Ukraine power-grid hack happened in 2015, we waited months for Homeland Security to give us a finalized assessment, and it was essentially something that other smart people had put together long before.
Companies are highly motivated to protect themselves
While the go-to response in Washington is to mandate basic standards and enforce them with fines, such an approach misses the fact that companies already have a keen business interest in protecting themselves. It also misses the point that top-down standards-setting is unlikely to be able to keep up with bad actors who are constantly creating new ways to execute cyberattacks.
Lemieux, API manager for operations security and emergency-response policy, said unlike the nation’s utility sector, which has the North American Electric Reliability Corporation regulating parts of its cybersecurity, the natural gas and oil industry has a vast supply chain of companies with different structures, ranging from owner-operated companies to complex, integrated corporations.
Lemieux: There’s a misconception that operators won’t take steps to protect against cyber threats unless they are mandated to by regulators. That overlooks the fact that companies across all industries have a business incentive to protect their data and operations from malicious actors.
Guinn: Everybody should have a baseline. If you achieve resilience beyond that, you should be incentivized for it, not penalized. If this turns into an audit exercise, you will be less successful.
We’ve made the point before: There’s a difference between being action-oriented and nimble to prevent and defeat cyber attacks and being primarily focused on process – believing that government standards, centralized authority and punitive enforcement measures are paramount to meet cyber threats. As Lemieux said, it’s a misconception that companies won’t protect themselves against these threats unless government makes them do it. That’s an obsolete narrative; too much is at stake in a company’s valuable assets. In terms of our industry, there’s also too much at stake for the economy and national security for energy infrastructure to be vulnerable to attacks.
Instead, there should be increased cooperation between government and the private sector, so the agencies developing key intelligence and substantive leads on cyberattacks share that information in timely and useful ways. API President and CEO Mike Sommers, in a recent interview with CNN:
“All of our member CEOs are focused on making sure that they have their cyber defenses in place, and we want to work with the federal government on making sure that there aren’t vulnerabilities to our energy supply. … This is an economywide issue. This isn't just something that exists within the oil and gas industry. Every American company has suffered these kinds of cyber attacks, and we need to make sure that we have a robust system in place that can fight back against these rogue actors.”
About The Author
Mark Green joined API after a career in newspaper journalism, including 16 years as national editorial writer for The Oklahoman in the paper’s Washington bureau. Previously, Mark was a reporter, copy editor and sports editor at an assortment of newspapers. He earned his journalism degree from the University of Oklahoma and master’s in journalism and public affairs from American University. He and his wife Pamela have two grown children and six grandchildren.