Collaboration between government and the private sector to ensure the security and resilience of America’s critical infrastructure is no longer optional—it is an essential element of the collective defense posture that homeland security requires. With adversaries now deliberately targeting our country’s most critical infrastructure through cybersecurity means, it’s important to remember that neither government nor industry alone can effectively identify, analyze, prioritize and manage the threats we face. This is a team effort that necessitates a deeper integration between the public and private sectors. It also requires a new paradigm by which we approach risk management in a strategic and collaborative manner.
The 2.5 million miles of pipelines crisscrossing the United States, though mostly underground, are more than just a tangible example of an increasingly interconnected energy grid. They are a key part of the nation’s economy. Transporting most of our country’s energy needs, as well as other critical commodities, the physical pipeline infrastructure and its accompanying cyber networks play an integral role in powering America’s economic and national security and in fueling the American way of life. Identifying and mitigating cybersecurity risks to this network are a matter of critical importance.
This is an issue that has seen increasing public-private partnership, most recently through the launch of a national Pipeline Cybersecurity Initiative.
Recognizing the need to work together is always a key first step, and enabling this kind of collaboration is a core part of the mission for the newly named Cybersecurity and Infrastructure Security Agency, or CISA, at the Department of Homeland Security. As the federal lead for cyber and physical infrastructure security, we are working with our partners in government and industry to define national critical functions, identify risks across sectors, and use our tools and resources to mitigate those risks and protect our infrastructure.
CISA’s National Risk Management Center exists to address long-term risk management challenges, including pipeline cybersecurity. The NRMC is a planning, analysis and collaboration center working in close coordination with the critical infrastructure community to address the most serious threats to national critical functions—those functions that are so vital to the United States’ national security, economic security, public health and safety that their degradation is simply unacceptable. Providing fuel to generate power and enable commerce is one of these critical functions.
Enter the Pipeline Cybersecurity Initiative. Hosted by the NRMC, this initiative represents both good governance and sound resilience planning.
By leveraging the Transportation Security Administration’s Sector-Specific Agencies expertise and the CISA’s technical cybersecurity capabilities, the NRMC was able to develop a road map for identifying and mitigating vulnerabilities to the pipeline ecosystem using existing resources at DHS. This initiative uses three different voluntary assessments—ranging from single- and multi-day inspections to self-assessments—to help our industry partners identify and mitigate potential vulnerabilities. This effort will be executed in partnership with the American Gas Association, government and other industry stakeholders.
In December 2018, the NRMC completed its first comprehensive assessment under this program. This initial assessment served as a test-bed to ensure that the tools and other techniques used by the NRMC team will offer the detail and data necessary to conduct the comprehensive analysis needed to ensure critical services and products flow through pipeline systems without problems.
The assessment was a resounding success, and the NRMC looks forward to working with federal and state partners, as well as industry groups both within and outside the United States, to improve, enhance and ensure the security of America’s pipeline systems.
As a result of the unqualified success of the first assessment, the center has scheduled the remaining nine assessments for 2019. These assessments of pipeline assets will yield important information that will be integrated into long-term pipeline cybersecurity risk analysis, planning and coordination efforts with pipeline owners and operators.
When the Pipeline Cybersecurity Initiative was announced at the October 2018 Oil and Natural Gas Subsector Coordinating Council Meeting, subsector Chairman Jay Montgomery remarked, “This just makes too much sense.”
That’s precisely the point.
The CISA looks forward to continuing our work with frontline industry partners to combat emerging threats head-on. We value the expertise and leadership that comes from industry, and it is our aim to support private-sector innovation with smart, voluntary government solutions that meet national security challenges.
Robert Kolasky is the director of the National Risk Management Center, a planning, analysis and collaboration center housed within the Cybersecurity and Infrastructure Security Agency.