Security is one of our basic needs, whether as an individual, a company or an industry. For an industry as large and complex as natural gas, where the stakes for customers, employees and businesses are so high, security rises to an obligation, and it’s one we all take very seriously.
Yet, although natural gas utilities have always been diligent about testing their individual parts of the greater whole, the industry itself has never had its own comprehensive security exercise until September’s NGX-2022, which brought together nearly 300 industry professionals representing 50 natural gas utilities, transmission companies and municipalities for a virtual tabletop drill.
Modeled after GridEx on the electric side, NGX is giving the natural gas transmission and distribution community the opportunity to work through complex and challenging security issues that impact multiple components of the industry.
Initially, the American Gas Association had planned a much smaller event. But after consulting with our member utilities, it became clear that they—and the industry as a whole—desired more. Because members had considerable experience testing their own systems, a limited drill wouldn’t offer much more than what they were already doing, nor would it give them an opportunity to work with other areas of the natural gas industry.
For a truly comprehensive exercise, we realized we needed to test our coordination with transmission companies as well as other partners. We invited the Interstate Natural Gas Association of America, the trade association that represents the natural gas transmission industry, and several other partners, including the American Public Gas Association, individual municipalities, and the U.S. Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response. So, our early vision of 80 to 100 AGA member participants quickly grew to 285 participants from across the industry.
Next, we needed a big scenario—something that went beyond testing specific responses and could instead evaluate larger processes and the all-important communications aspect. Such a scenario exposes the intersections between checklists and true business continuity. In the process, it brings together people with different outlooks and experiences, which ultimately creates a more comprehensive learning experience.
Developing such an exercise requires more than simply coming up with a difficult problem to overcome. In fact, Steve Swift, a supervisor with Ameren’s crisis management group who helped us prepare for the scenario, said that exercises frequently derail before pen ever touches paper in the planning process. That’s because “the first question everyone normally goes to is, ‘What’s our scenario?’ and that’s not the important piece,” he said. “The real question is, ‘What are we trying to test?’”
We determined that the objective of this exercise was for industry operators to test their corporate response plans, particularly such touch points as internal and external communications, the coordination between business entities, and the response to complex and deliberate security incidents. To do that, we created a scenario in which a malware event impacting data systems cascaded into multiple complications involving cybersecurity, physical security and business continuity.
Among the challenges presented by the scenario were:
These challenges were designed to raise important procedural questions including:
Norwich University Applied Research Institutes, a nonprofit that studies national security issues and facilitates cyber exercises, provided planning and support for the half-day exercise. Its Distributed Environment for Critical Infrastructure Decisionmaking Exercises platform allowed participants to receive different injects, which were then funneled into the corresponding breakout rooms for additional discussion and problem solving.
An after-action plan compiled the top takeaways from each phase of the event, along with some successful responses and other considerations. This material can be used by participants when updating business continuity plans.
NGX-2022 was an amazing success. Participating companies from the natural gas industry, as well as our many observers, took away valuable lessons and identifiable opportunities to enhance their security plans.
Among those observing the exercise were members of the electric industry. Our relationship with the electric industry has always been strong: Not only have natural gas utilities been invited to the North American Electric Reliability Corporation GridEx exercises, which are the largest grid security exercises in North America, but we’ve benefited from the insight and advice of professionals involved on the electric side. In fact, Nicole Penman, a program manager for enterprise resiliency at Xcel Energy, sits on AGA’s Security Committee. Like Swift, she was a key figure in helping us develop NGX-2022 and works mostly on the electric side of the energy equation. That unique perspective allowed both Penman and Swift to appreciate the value of sharing information across all boundaries, which, in turn, strengthened the exercise itself.
“To help make the drill as realistic as possible, I engaged with our gas operations and security personnel,” Penman said. “Every company has its own internal operational learnings, but with this exercise, participants were able to learn from everybody’s experiences, thus allowing us to take those best practices and enhance our own procedure and response.”
Added Swift: “We tend to be very good within segments, because all the participating companies do their own things internally. But it’s when we get to these bigger events that we start thinking about the processes between departments and integrating the different pieces.
“That is where the real progress is made. When you’ve got a bunch of different people with different outlooks and different experiences, they make a different exercise than you would get if you did it internally. And that’s really beneficial.”
What Comes Next
NGX-2022 was the first of what is planned as a biennial event. The next event, NGX-2024, will be held the year after 2023’s GridEx, giving participants the chance to create an even worse day with even better lessons learned.