The world of malevolent actors in cyberspace “does not recognize traditional boundaries,” said American Gas Association President and CEO Dave McCurdy.
“It doesn’t care if you’re a country or a business or an entity,” he said. “If you are connected to the internet in some way, then you are a potential target.”
As an integral thread in the fabric of the nation’s critical infrastructure, the natural gas sector recognizes the responsibility to fortify its cybersecurity capabilities. By making cybersecurity a top priority, AGA has become a leader in the pursuit of excellence through relationship building, information sharing and capacity building.
“This is the most challenging, pervasive threat to our economy,” said McCurdy. “Health care, telecommunications, finance, energy—it’s all connected. We need them all. It doesn’t work without energy. We understand our role in that interconnected, dynamic web of society and economies, and we have a crucial role to play.”
On Sept. 11, 2001, McCurdy was in Tokyo, addressing the Organisation for Economic Co-operation and Development about the need for corporate defenses against cyberthreats. The events of that day in the United States brought the issue into sharp focus. In recent years, high-profile cyberattacks have elevated cybersecurity to a top priority in executive suites and board rooms worldwide.
The natural gas industry, always attuned to physical security, made the shift naturally, said McCurdy.
“The beauty of AGA is its proactivity,” he said. “Our membership really leans forward and provides leadership on such issues as safety and operations.”
At the prompting of the AGA board in 2012, the association created a cybersecurity task force to develop policy, advocacy and analysis strategies on behalf of AGA members, said Kimberly Denbow, AGA senior director, security, operations and engineering services. Under Denbow, an internal “cyber team” implements the strategies, applying its expertise in training, information sharing and analysis, advocacy and legislative affairs, and operations and engineering toward the goal of enhancing members’ cybersecurity capabilities.
Many natural gas companies use the military “defense in depth” strategy, layering independent security tools and mechanisms so that an attacker who defeats one control still faces the next, which delays and, ideally, halts the advance. Just as a multilayered system protects England’s crown jewels in the Tower of London, natural gas companies devise technological obstacle courses to protect their own crown jewels, the Supervisory Control and Data Acquisition, or SCADA, systems that manage operations, from attack, said Denbow.
“The whole idea is to ensure that our SCADA does not get compromised,” she said. “You don’t want to risk your crown jewels being compromised. You’re making sure that pipeline is operated by entities that are supposed to operate it, and not by a third party.”
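The layering Denbow describes can be made concrete with a small policy model. The following is an added example, written for this article and not code from AGA or any operator; it assumes a Purdue-style split into an enterprise zone, an OT DMZ holding a jump host, and a control zone where SCADA lives (zone names, host names, protocols and user names are all constructed). A session toward SCADA must clear three independent layers in order, and the first layer it fails stops it, so the model reports which layer halted each attempt.

```python
"""Layered (defense-in-depth) access policy in front of a SCADA zone.

Constructed illustration, not operator code. Three zones modelled after a
Purdue-style segmentation: enterprise IT, an OT DMZ with a jump host, and
the control zone. A session has to pass every layer; the first failing
layer halts it and is reported, which is the "obstacle course" behaviour
described in the text. All names below are made up for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ENTERPRISE, OT_DMZ, CONTROL = "enterprise", "ot_dmz", "control"

# Layer 1: which zone boundaries may be crossed, and over which protocols.
# There is deliberately no enterprise -> control entry: no direct path.
BOUNDARY_POLICY = {
    (ENTERPRISE, OT_DMZ): {"rdp"},       # operators may only reach the jump host
    (OT_DMZ, CONTROL): {"scada_hmi"},    # jump host may only speak the HMI protocol
}

# Layer 2: only the hardened jump host may originate control-zone traffic.
APPROVED_JUMP_HOSTS = {"jump01.otdmz.example"}   # hypothetical host name

# Layer 3: control-zone sessions need an authorised operator with MFA.
AUTHORISED_OPERATORS = {"j.doe", "k.lee"}        # hypothetical user names


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_host: str
    protocol: str
    user: str
    mfa: bool = False


def layer_boundary(s: Session) -> Optional[str]:
    """Zone boundary and protocol allowlist; None means the layer passed."""
    allowed = BOUNDARY_POLICY.get((s.src_zone, s.dst_zone))
    if allowed is None:
        return f"no permitted path {s.src_zone}->{s.dst_zone}"
    if s.protocol not in allowed:
        return f"{s.protocol} not allowed on {s.src_zone}->{s.dst_zone}"
    return None


def layer_jump_host(s: Session) -> Optional[str]:
    """Control-zone traffic must originate from an approved jump host."""
    if s.dst_zone == CONTROL and s.src_host not in APPROVED_JUMP_HOSTS:
        return f"{s.src_host} is not an approved jump host"
    return None


def layer_identity(s: Session) -> Optional[str]:
    """Control-zone sessions require an authorised operator using MFA."""
    if s.dst_zone == CONTROL:
        if s.user not in AUTHORISED_OPERATORS:
            return f"{s.user} is not an authorised operator"
        if not s.mfa:
            return "MFA required for control-zone access"
    return None


LAYERS: List[Tuple[str, Callable[[Session], Optional[str]]]] = [
    ("boundary", layer_boundary),
    ("jump_host", layer_jump_host),
    ("identity", layer_identity),
]


def evaluate(s: Session) -> Tuple[bool, Optional[str], Optional[str]]:
    """Run the layers in order; return (allowed, blocking_layer, reason)."""
    for name, check in LAYERS:
        reason = check(s)
        if reason is not None:
            return (False, name, reason)
    return (True, None, None)


def stopped_at(path: List[Session]) -> Optional[int]:
    """Walk a multi-hop path; return the index of the first hop that is
    blocked, or None if every hop was allowed (i.e. SCADA was reached)."""
    for i, hop in enumerate(path):
        if not evaluate(hop)[0]:
            return i
    return None


if __name__ == "__main__":
    # Constructed attacker path: phished enterprise laptop pivots to a DMZ
    # workstation over RDP, then tries to reach SCADA from that workstation.
    pivot = [
        Session(ENTERPRISE, OT_DMZ, "laptop17.corp.example", "rdp", "j.doe", True),
        Session(OT_DMZ, CONTROL, "ws03.otdmz.example", "scada_hmi", "j.doe", True),
    ]
    print("attacker stopped at hop:", stopped_at(pivot), evaluate(pivot[1]))
```

Each layer catches a different failure: the boundary rule stops a direct enterprise-to-control connection or a disallowed protocol, the jump-host rule stops a pivot from any other DMZ machine, and the identity rule stops a session on the jump host that lacks MFA or comes from a non-operator account. The practitioner caveat is that the layers are only as independent as the systems behind them; if the jump host and the MFA service both trust one directory, compromising that directory collapses two layers at once.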
AGA and its members help ensure that the interlocking set of government standards and guidelines regarding physical and cyber safety is a workable, practical navigation tool for everyday practices.
That work starts with building and maintaining relationships of trust and mutual respect between the industry and regulators. To reach their own security goals, AGA members rely on the Transportation Security Administration Pipeline Security Guidelines and on such resources as the National Institute of Standards and Technology, or NIST, Framework for Improving Critical Infrastructure Cybersecurity and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.
Government standards did not emerge from a bureaucratic vacuum. Acting as a linchpin, AGA brings together the expertise and on-the-ground experience of natural gas operators and the national security perspective of regulators.
The effort yields continuous improvements in the practicability and dynamism of government cybersecurity standards and models. TSA’s original 2011 Pipeline Security Guidelines underwent revisions, announced in April 2018, at the encouragement of and in collaboration with AGA and its members. The effort incorporated the U.S. Department of Homeland Security’s ICS-CERT, the central hub for cyberthreat-indicator sharing between government and the private sector.
“They’re the experts in industrial control systems, and ultimately, that’s the crown jewel that we protect,” said McCurdy.
AGA led the industry’s effort by collecting, compiling, coordinating and resolving industry comments on the guidelines’ physical security and cybersecurity sections, said Denbow.
“When TSA first came out with the guidelines, it was understood that TSA would continue partnering and using voluntary guidelines instead of regulations, but industry had to do its part, which was implement the guidelines,” Denbow said.
AGA also led the industry’s input into revising the guidelines’ questions for operators in TSA corporate security reviews. Everything aligns with NIST’s umbrella cybersecurity framework that all 16 critical infrastructure sectors can adopt—which AGA has been urging among its membership.
Add up the efforts, and the outcome is a culture that seeks to exceed compliance and stresses excellence. Natural gas understands the need for regulation, but embracing a proactive approach, “not sitting back waiting to be directed or guided or governed,” McCurdy said, demonstrates the industry’s sincerity in “making sure it’s relevant and effective.”
“Compliance means you’re dealing with challenges or threats that may have been priorities at the time they were developed but may not be the most important challenge you currently face,” he said. “We want to make sure we’re flexible.”
As Denbow put it, “Regulations take a long time. Cybersecurity is a constantly changing environment.”
Plus, she noted, prescriptive regulations can make life easier for perpetrators probing for soft spots in the systems of regulated operators. The industry-regulator collaboration lets companies know “the expectations and end goals but leaves it to the operators to know their systems best, and to know how to get there.”
Among AGA’s tools to help operators build and maintain cybersecurity wellness is the Downstream Natural Gas Information Sharing and Analysis Center, the secure portal known as the DNG-ISAC.
“I make the cyber sausage,” said John Bryk, AGA’s cyber and physical threat intelligence analyst. “I take all the information coming from the government, the private sector, fusion centers, requests and news alerts, and turn it into operational intelligence.”
Available since 2014, the DNG-ISAC delivers timely intelligence that’s actionable through specificity, analysis and plain English. Threats come in many forms and behave differently depending on the operational technology they encounter, so DNG-ISAC drills down to the details that make the information useful to all stakeholders, whether they’re in information technology or budgeting.
“Some ISACs focus on streams of data, the 1s and 0s that are very helpful at the network level, but it might not help you as a company understand the threat, and it certainly wouldn’t help you as a board chairman or CEO,” said Bryk.
DNG-ISAC members enhance the service’s functionality through platforms for comments, questions and sharing. A partnership announced in April 2017 allows the DNG-ISAC and the North American Electric Reliability Corporation’s Electricity ISAC, or E-ISAC, to exchange information and improve security collaboration. The partnership gives DNG-ISAC and E-ISAC members access to each other’s monthly briefings.
AGA also supports operator efforts to review and build cybersecurity capacity. Trainings and evaluations align with the NIST Framework, the U.S. Department of Energy’s Cybersecurity Capability Maturity Model, or C2M2, and other tools. The approach equips companies of all sizes to customize their priorities and protections.
“We give opportunities for companies to evaluate themselves and see those pieces where they’re doing well and where there’s room for improvement,” said AGA Chief Information Officer Jim Linn, who is also executive director of the DNG-ISAC. “In terms of room for improvement, there are times when I can make observations or suggestions or connect them with other members who have done well in those areas.”
Member-to-member connections and sharing are essential to cybersecurity strength sectorwide. Among the opportunities AGA fosters are Peer Cyber Reviews—four-member round-robin site visits and assessments. The visits review a company’s cybersecurity against the NIST Framework, which becomes “hugely beneficial” in preparing operators for TSA security reviews, Denbow noted.
In an age of combo utilities, AGA recognizes the intertwined aspects of cybersecurity across sectors, said Mark Engels, senior enterprise security advisor for Dominion Energy in Richmond, Virginia.
“Natural gas being a critical fuel for electricity generation, AGA has been out in the forefront trying to advance the fact that natural gas companies—regardless of the fact that pipeline companies do not have mandatory and enforceable cybersecurity requirements like the electric sector—are doing the work to protect their assets from cybersecurity and physical security attack,” he said.
AGA’s defense of a voluntary approach helps members spend their cybersecurity dollars on programs, “and consequently less on having to demonstrate to regulators that they’re doing what they say they’re doing,” said Engels. Dominion Energy also capitalizes on the “conduit” AGA provides to communicate and share among utilities of all sizes.
“We’re all in this together because we recognize the threat from not only the adversaries who want to do harm, but also the regulators who want to paint a broad picture about the industry in general,” Engels said. “If a smaller company is targeted, then the assumption is that they need to impose jurisdiction over the entire industry.”
Niyo L. Pearson, supervisor of cybersecurity/cyber operations for ONE Gas, headquartered in Tulsa, Oklahoma, sees AGA’s promotion of interaction among peers and sectors as a powerful tool for filling in gaps and disseminating leading cybersecurity ideas—no matter where they originate. After all, he noted, nation-state malefactors and cybercriminal syndicates collaborate to advance shared interests. The good guys should do the same, he said.
“We’re all in the same ecosystem,” said Pearson, whose team operates within enterprise security. “By sharing, we learn, we grow together and, ultimately, as a whole, we protect each other.”
The natural gas sector recognizes the imperative of cybersecurity excellence because the consequences of acting otherwise could place operational controls in malicious hands, said Brian Caudill, AGA senior director, federal affairs.
“We cannot afford from a critical infrastructure perspective, from a customer perspective, from a shareholder perspective, from a public utility commission perspective, from a regulator perspective—whether that’s at the federal or state level—to be disengaged or appear disengaged,” he said. “Either one of those won’t work. There are too many people paying attention, and with good reason.”
AGA’s visible presence in legislative affairs spotlights its vigilance among lawmakers, Caudill said. On Capitol Hill, he explains how natural gas companies ensure cybersecurity and engage with regulatory agencies.
“They want to know details,” he said. “We want to make sure they understand who is responsible. Who has some sort of statutory authority over pipeline security? Right now, it happens to be TSA. The Hill wants to know who’s in charge.”
Relevance is the value that ONE Gas gets from AGA and the DNG-ISAC, said Pearson.
“It’s more than just having that service,” he said. “It’s a cultural change that AGA has continued to advocate and the things they bring forward as continued avenues to push this collaborative message outward. We continue to push ourselves into other spaces, working with more and more individuals to provide different insight into different areas.”
The next step—or at least, a next step among many—involves applying metrics to the TSA guidelines and questions. The first four AGA members participating in a Peer Cyber Review honed down the guidelines’ questions to the 10 for which the answers provide a snapshot of industry cybersecurity health, said Denbow.
Findings will reveal areas needing the greatest attention. McCurdy called it “management by exception.”
“How do you identify a problem and focus on the exceptions where the problem really is? It’s how you put your resources toward changing that,” he said. “It’s a tool to identify areas that we need to improve on, and let’s go do it. Don’t wait for anyone else. Let’s go fix it.”
It all works, McCurdy said, because AGA and AGA-member boards, leadership and staff make cybersecurity a priority.
“If we were just concerned about minimum compliance at AGA, we wouldn’t be doing nearly any of this. We’d be sitting back saying, ‘We’re good,’” he said. “That’s not the case. We’re going to be the best. We’re going to be excellent. We are leading, and there should be no doubt as to the role that our sector plays in this critical infrastructure.”