Data Protection Report - Norton Rose Fulbright

We have long recognized that the effects of cyber-attacks are not limited to the virtual space and can affect our physical environment. For example, a stolen trade secret may lead to a competitor copying the design, which leads to lost sales and then to lost jobs. However, the relationship between cybersecurity and physical security is far more direct and significant in the energy sector. There are many examples of devastating impacts stemming from energy infrastructure disasters, and the energy sector’s ever-increasing automation and reliance on the digital world for its operations vastly increases its vulnerability to cyber-attacks. The energy sector comprises one of the 16 categories of critical infrastructure designated by Presidential Policy Directive 21. The potential direct effects on consumers and businesses expose the energy sector to enhanced risk (vis-a-vis non-critical industries) of reputational injury, government investigation and enforcement, and private litigation, all stemming from cyber incidents.

The government’s awareness of these risks is on the rise, resulting in an effort to standardize the energy sector’s cybersecurity compliance obligations, and suggesting an impending flood of regulatory activity in the coming years. Any new regulations would be layered on already complex, multi-faceted, inter-agency regulatory regimes, which vary by industry sub-sector (e.g., oil and gas, power, nuclear, etc.), type of asset (e.g., pipeline, LNG, transmission, storage, generation, etc.), entity (e.g., natural gas company, electric wholesale generator, public utility, local distribution company) and activity (e.g., exploration & production, gathering, transportation, processing, generation, retail sales, wholesale sales, marketing and distribution).

Various cybersecurity requirements implemented through existing regulatory regimes already are mandatory, so many companies have incorporated cybersecurity measures into their compliance programs. Often, however, these cybersecurity measures are implemented in isolation through an IT solution that may not adequately consider or address the causal link between a cyber incident and an energy infrastructure failure which, as discussed below, may have catastrophic effects.

In a series of posts, we will explore the cybersecurity concerns that the energy sector must consider and the strategies that energy companies should use for addressing and mitigating their cybersecurity and legal risks.

Energy infrastructure disruptions – New York City lessons

New York City is a perfect canvas to view how failures in energy infrastructure – even minor ones – can disrupt the lives of consumers, government and businesses. Less than a month ago, on March 30, 2015, we detected migrating smoke in our offices in Midtown Manhattan from what turned out to be a deadly natural gas explosion on the city’s Lower East Side. Officials have now said that the explosion was caused by an illegal configuration of natural gas piping, and that it resulted in two deaths, nearly two dozen injuries, and the collapse of three buildings. The explosion and the smoke also interrupted economic activity in Midtown and throughout Manhattan.

On a much greater scale, and still etched in the memory of many New Yorkers, is the Northeast Blackout of 2003: the most widespread blackout in US history. The blackout affected 50 million people across eight states and in Canada, including 14.3 million people in New York City and the surrounding areas. Beyond loss of power, the 2003 blackout caused concerns over potential contamination of the water supply. It disrupted transportation systems (including the shutdown of regional and Amtrak rail service), mobile communications, cable television systems and even some radio systems. Factories came to a standstill or were shut down to conserve energy. According to some reports, at least 11 deaths were attributable to the blackout. The total cost of the event topped an estimated $6 billion.

The disturbing, but very relevant, question today is: What if the devastation of these events was the result of a cyber-attack on our energy infrastructure?

Threat of cyber-attacks against the energy infrastructure

Cyber-attacks against energy infrastructure are already a reality. In 2014, a cyber-attack perpetrated by “UglyGorilla” — a hacker alleged to be based in China — infiltrated the computers of a US public utility company. The attacker sought to access pipeline schematics and natural gas flow regulation systems, including network areas that allowed remote shutdown of energy infrastructure systems. We know that similar attacks have wreaked havoc abroad. Stuxnet targeted and commandeered industrial controls to derail the Iranian nuclear program by inflicting physical harm on the facilities. And recently, a cyber-attack targeting a steel mill in Germany caused plant facilities to fail and shut down a furnace, causing massive damage. This is likely the tip of the iceberg in the new era of cyber-warfare.

According to the NSA Director Admiral Michael Rogers, it is only a matter of “when,” not “if,” there is going to be a “traumatic” event caused by a cyber-attack on energy infrastructure. Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works with government and private industry to reduce risks to critical infrastructure. In 2014, ICS-CERT reported that the largest portion (32%) of the 245 cybersecurity incidents to which the organization responded involved the energy sector. In 2013, 59% of the 256 cybersecurity incidents responded to by ICS-CERT occurred in the energy sector. Admiral Rogers is not alone in his view that our energy infrastructure is under an imminent cyber-attack threat (as early as this year). A major insurance company has compared the current energy cybersecurity threat landscape to a “time bomb” and has estimated that the cost to oil and gas companies may reach nearly $2 billion by 2018.

Energy sector regulators focus on cybersecurity

A malfunction or an operational failure of energy infrastructure has a cascading impact on other critical infrastructure, including transportation, communication and water systems. It is for this reason that our energy infrastructure is a prime target for cyber-terrorists, and why the government is pursuing an aggressive regulatory agenda in this sector.

Faced with the potential devastating effects of cyber-attacks on our infrastructure and the increased risk due to digitization, the Administration has placed cybersecurity at the forefront of its legislative agenda. The existing statutory and administrative landscape is complex, owing to the numerous federal and state regulators and independent quasi-public organizations with regulatory oversight involving energy infrastructure.

A significant step in the standardization of cybersecurity protocols for the energy sector came in January 2015, when the US Department of Energy, Office of Electricity Delivery and Energy Reliability issued the Energy Sector Cybersecurity Framework Implementation Guidance. This guidance is intended “to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives” of the NIST Cybersecurity Framework.

The Cybersecurity Framework itself is currently voluntary, but it’s already being implemented by businesses. It bears mentioning that the energy sector has experienced an evolution of the North American Electric Reliability Corporation’s (NERC) Reliability Standards, from a voluntary standard before the 2003 blackout, to a mandatory requirement after the event. Query whether in the context of the Cybersecurity Framework, Congress — many members of which have institutional memory of the 2003 blackout — would make a catastrophic cyber-security event a prerequisite to legislative action codifying the NIST Cybersecurity Framework. The voluntary nature of the Cybersecurity Framework should not be viewed as lessening the government’s call to action for businesses that own and operate much of our existing energy infrastructure to address cybersecurity.

It is important to note that the NIST Cybersecurity Framework is one of many emerging cybersecurity benchmarks, and compliance with the framework does not provide a safe harbor for failure to comply with existing cybersecurity requirements. For example, various existing NERC Critical Infrastructure Protection (CIP) Standards are mandatory, which subjects the relevant regulated entities to potential enforcement action and penalty assessment. The CIP Standards relate to critical cyber-asset identification, security management controls, electronic security perimeters and physical security of cyber-assets, among other protocols. The North American Energy Standards Board (NAESB) has developed cybersecurity standards that are mandatory for various segments of the energy industry. In the case of natural gas companies, for example, NAESB’s cybersecurity standards mandate the use of digital signatures and self-certification to support mutual entity authentication.

Our take

The challenge in addressing current and future infrastructure cybersecurity compliance strategy in the first instance lies in cutting through the vast web of laws, regulations and the alphabet soup of inter-agency arrangements expected to play a role in the ever-evolving energy cybersecurity space. After regulatory lines are drawn, the challenge becomes maintaining a clear path to compliance in cyberspace, where the government often plays catch-up to the ingenuity of hackers and cyber-terrorists, who are not bound by the same legislative and administrative processes. Compliance becomes even more difficult when the industry is, in effect, left to reconcile its current operations with imperfect or outdated regulatory schemes.

Nonetheless, the cyber risk exposure is too great for the energy industry to ignore. In light of the current cybersecurity risk environment, failure to take reasonable, preventative steps to mitigate cybersecurity risk may subject the private sector to government investigative and enforcement action. Government action in turn carries a hefty price tag whenever an energy infrastructure failure has significant public consequences. For many companies, the potential for public censure alone provides enough of an incentive to take prudent compliance steps. For public companies, the additional exposure to potential shareholder suits effectively makes heeding the government’s call to action almost compulsory.

The highest priority for energy companies wishing to mitigate their potential liability for cybersecurity breaches is understanding which regulators might come looking for answers in the event of a cyber incident, and what information and documentation they will seek. The second step is understanding government expectations with regard to the prioritization of energy assets and their associated risk. This second step is necessary for cost-effective compliance program development and implementation. Notably, owners and operators of energy infrastructure assets are at higher risk of being targeted for investigations because, often, they are the first and last line of defense against cyber-attacks. But all industry participants that collect energy infrastructure data or otherwise participate in the energy sector must assess their risk profile to determine the appropriate cybersecurity compliance level and requirements.

In sum, proactively developing a targeted, comprehensive energy security plan that combines cyber and physical security measures is key to placing a company in the best posture to withstand government and public scrutiny in the event of a catastrophic cyber incident — an occurrence which, according to commentators, is a foregone conclusion. When it comes to energy cybersecurity, the best defense is a good offense.

Stay tuned as we explore energy cybersecurity in upcoming posts.