The Little Engine That Could is an American story that was crafted into a children’s book by author Watty Piper in the 1930s. The story is used to teach children the values of optimism, hard work and imagination, with its memorable phrase: “I think I can. I think I can. I think I can. I thought I could. …” This story can be extrapolated to describe the Downstream Natural Gas Information Sharing & Analysis Center, or DNG-ISAC—its conception, its journey and its ultimate destination.
Spring 2012 brought about an awakening of the natural gas industry to the viability of natural gas pipelines as a cyber target for certain nation-states. One chilly mid-March day, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, contacted the American Gas Association regarding a pending security broadcast of grave significance.
The alert would reveal the discovery of a major cyber campaign aimed at domestic natural gas pipeline computer networks—a campaign that had been in the works for months prior and that had successfully compromised a handful of natural gas operations networks. Jumping into action, AGA staff compiled a comprehensive list of hundreds of AGA member utility and transmission company senior executives and operations management and channeled alerts to these key leaders as quickly as it received them from ICS-CERT. Although AGA member companies were encouraged to register to receive the alerts directly from the government, AGA continued to serve as the primary information resource for many members, as well as receive information from members about suspicious cybersecurity activity.
Pressure had been growing from the federal government for the Oil & Natural Gas Subsector to re-establish an Information Sharing & Analysis Center. ISAC models revered by the government at that time included the Financial Sector ISAC and the Electric ISAC (formerly known as Electric Sector ISAC).
In 2014, AGA’s board approved a program that would capitalize on collaboration, home in on threat information and analytics relevant to natural gas operations, provide a user-friendly web portal, and deliver a secure community in which natural gas security professionals could exchange information. This program would be known as the Downstream Natural Gas ISAC, or DNG-ISAC.
AGA built the DNG-ISAC in close coordination with the E-ISAC. This made the most sense given so many utilities are combination gas and electric and were already participating in the E-ISAC. In addition, domestic gas utilities would have interests similar to electric utilities on the security threat-front. The analogy commonly used in describing the programs is that the DNG-ISAC and the E-ISAC make up the two homes in a duplex. Each unit has its separate entryway and autonomy, but a shared wall dividing the two is like a window for improved coordination and shared threat information.
The original DNG-ISAC was fiscally self-sustainable through funds from participating utilities. AGA Chief Information Officer James (Jim) Linn, a leading member of the DNG-ISAC team, emphasized the need for broader engagement. “It is AGA’s civic duty to fund the DNG-ISAC operation and make the threat analytics and other information-sharing benefits of the DNG-ISAC available to all AGA member utilities, not just to those who can afford to pay for it.”
Linn also saw a path for members of other trade associations, such as the Interstate Natural Gas Association of America and the Canadian Gas Association, to join. The concept was presented to AGA’s board, which agreed: AGA would fund the DNG-ISAC for all AGA member utilities to participate, and members of other trade associations could participate for a fee paid for by that association. A DNG-ISAC board was brought together; Linn was appointed the executive director; governance was established; and a more powerful web platform was developed.
In the five years since the DNG-ISAC was formed, it is undeniably on its way to becoming an indispensable tool for combating threats ranging from moneylaundering scams to cyberattacks to pipeline protestors.
The website (www.dngisac.com) offers up information on threat alerts, both probable and possible, most relevant to natural gas operations. The DNG-ISAC community provides approximately 10 percent of the total threat information. This is in line with what other ISACs have seen. Linn sees benefit in more members engaging, whether that’s visiting the platform regularly to stay informed about what threats are out there or reporting suspicious activities involving a utility. “I think people sometimes undersell the value of what they can share,” Linn said.
The other 90 percent of information is posted by John Bryk, the DNG-ISAC’s dedicated cyber and physical threat intelligence analyst. Bryk monitors alerts from government agencies, such as the FBI and the Homeland Security Information Network, and quickly disseminates and posts the relevant information, along with his analysis, in the DNG-ISAC. Bryk also participates in monthly classified meetings with the U.S. Department of Energy, the ONG-ISAC and the E-ISAC, in which cyberthreats are shared and discussed. If there’s anything a natural gas utility executive needs to know, the information from these meetings is appropriately crafted by Bryk to meet security classification requirements and in straightforward terms, then posted to the DNG-ISAC. All AGA member utilities can obtain access to the DNG-ISAC as well as post information.
Bryk would like to see more postings by industry security operators. That’s because the DNG-ISAC might be able to offer more warnings if more information is shared. “If what someone shares isn’t a big deal, no harm is done. But if someone does see something odd and doesn’t share it, and an event does happen … well, you can fill in the blanks. Bad news doesn’t get better with time,” Bryk said.
It’s clear the DNG-ISAC has made a measurable difference in protecting natural gas utilities from cybercriminals.
In 2017, a powerful malware known as NotPetya appeared in Ukraine. NotPetya could travel from computer to computer on its own, destroying all information on the infected computer. Bryk learned about NotPetya while he was working alongside the E-ISAC, when he received a direct message over Twitter from a colleague in Ukraine. “We got ahead of the NotPetya problem, put out warnings, described what it looked like and how it was spread,” he said. “We found solutions that cyber-defenders had come up with, back when everyone was dealing with the predecessor virus, Petya.” A link was posted by the natural gas and electric ISACs and members notified before the U.S. government’s first warning.
While Ukraine bore the worst of NotPetya, the virus spread throughout Europe, Australia, Russia and the United States, and the damage was severe to some companies, topping a few hundred million dollars to replace tens of thousands of PCs and servers.
The DNG-ISAC has also been able to warn its members about other looming problems, from malware attacks and old-fashioned saboteurs to protesters and arsonists.
Unfortunately, it appears there will continue to be more than enough to keep the DNG-ISAC busy. Linn thinks the industry will need to keep its guard up for terrorist attacks that are designed to disrupt utilities from delivering natural gas—“as a display of power and abilities.”
Bryk, meanwhile, believes that supply chain security will continue to grow in concern. “If parts are not manufactured in the United States, we have little or no control over what happens to them before they reach our operational networks. This is not a problem that the private sector can solve. It requires government ... the Department of Commerce, State Department, FBI, wise trade agreements.”
It’s suspected that more natural gas pipeline sabotage incidents are on the horizon. An increasing number of activists are anti-pipeline and anti-natural gas, and we need to be paying attention. Part of the challenge we have is that activism is not generally perceived as terrorism. Events of the past couple years have demonstrated that a person can do things in the name of being an activist without being perceived as a criminal or terrorist, even though the outcome and impact to public safety could be very similar.
Today, after the DNG-ISAC’s five years in existence and having achieved the near-term goal of establishing a functioning ISAC for the natural gas industry, one might ask, “What’s next?” Current plans include establishing a closer and more integrated collaboration with the E-ISAC; implementing a new portal for better reporting, analysis and ease of use; and encouraging member participation. We also encourage all AGA members to use the DHS mantra, “See something; say something,” and share more actively on the portal. Finally, with so much consolidation in the utility industry and fewer natural gas-only utilities, we are limited only by our imaginations, and someday we could have one Energy ISAC for the entire industry.
Kimberly Denbow is the senior director, security, operations and engineering services, at the American Gas Association.
The DNG-ISAC that Could
Much like The Little Engine That Could, the story of the DNG-ISAC reflects the values of optimism, hard work and imagination.
The imagination to find the opportunity and maximize it: “We think we can.”
The hard work to bring this to fruition: “We think we can.”
The optimism industry continues to experience: “We think we can.”
And the success of demonstrating the DNG-ISAC made it: “We thought we could. …”