Cybersecurity that defends natural gas utilities from ever-evolving threats demands more than “check the box” compliance. In today’s atmosphere, there is a strong need for a supportive environment where gas utilities can confirm strengths, probe for weaknesses and share ideas.
The American Gas Association’s cybersecurity peer review initiative is meeting that need. The effort parallels the steady migration of cyber elements into gas-utility front lines, heightening awareness of cyber threats that are infiltrating not just office spaces, but also field operations. Through cybersecurity peer review, natural gas utilities scrutinize their efforts—with a little help from their industry colleagues.
“What do we think we do well, what do we think others do well and where do we think we have a lot of opportunities?” asked Niyo L. Pearson, supervisor, cybersecurity of ONE Gas in Tulsa, Oklahoma. “A lot of people have a lot of great ideas on how to approach these things.”
AGA’s cybersecurity peer review arose from converging trends. In a timely confluence, the Transportation Security Administration’s 2011 pipeline security guidelines—both the physical and cybersecurity sections—were due for revisions by 2018, which is when the National Institute of Standards and Technology cybersecurity framework standards for all 16 critical infrastructure sectors were also slated for upgrades.
“To us, it made total sense that if we were revising the guidelines with TSA, we should make sure the cyber section aligns with the NIST cybersecurity framework elements,” said Kimberly Denbow, AGA senior director, security, operations and engineering services.
NIST framework implementation is mandatory for government organizations but “more of a guidance” for private entities, said Denbow. In a measure of natural gas utilities’ willingness to adopt or align with the voluntary framework, AGA and its members collected industry input from across the value chain.
Then, AGA and its members helped TSA develop on-site review questions based on the guidelines’ revised cyber sections. AGA also pulled in the U.S. Department of Homeland Security Industrial Control System Computer Emergency Readiness Team, or ICS-CERT, because “they are the cyber gurus from an industrial controls perspective in our government,” said Denbow. “The guidelines focus in on control systems, because those are the crown jewels of natural gas operations.”
That’s when those 60 TSA questions became the basis for the AGA cybersecurity peer review. The idea was inspired by AGA’s success with operations peer reviews and facilitating members’ use of the U.S. Department of Energy’s Cybersecurity Capability Maturity Model, or C2M2, tool, said AGA Chief Information Officer Jim Linn.
In the cybersecurity peer review’s pilot iteration, four utilities scrutinized each other’s plans, three grilling one at a time in round-robin style. That resource-intensive format gave way to a revised, regional approach, with about a half-dozen utilities convening to discuss the questions and each participating company’s answers.
Highly regarded cyber risk consultant Axio facilitates the conversations, while AGA staff listen for trends useful in advocacy and for opportunities to address within the membership. In 2018, up to 30 utilities engaged in the process. For 2019, at least three more sessions are planned.
ONE Gas helped develop the TSA questions and participated in the four-member pilot test. Peer-to-peer discussions of the TSA questions are cost-effective and essential to “helping benefit not just the big utilities, but all natural gas utilities,” said Pearson. “This has to be something that can be measured not just for companies our size, but also for the co-ops and the smaller entities and still make them successful in creating a good security hardening.”
In Pearson’s purview, “security hardening” requires aligning regulators’ guidelines with “compensating controls” for real-world circumstances—for instance, protecting the electronic firmware that monitors downstream devices and safeguarding it from physical attack.
“It’s about trying to find emphasis in the industry on maturing security operations but understanding that you can’t apply the same kind of logic from corporate security to operational technology,” said Pearson. “The space is so dramatically different.”
Vermont Gas Systems IT Manager Corey Johnson sees opportunities—and threats—in operations’ lean toward more technology. Moves such as networking SCADA points may revolutionize information collection, but they also increase cyber vulnerabilities.
“It has evolved, and the IT people and the operations people have to be on the same page,” he said.
Pittsburgh, Pennsylvania-based Peoples Gas chose to participate, “first and foremost, believing it could only benefit us as a company to learn where we’re strong and where we’re not so strong in complying with the pipeline security guidelines,” said Chief Cybersecurity Director Kevin Turkovich. “It’s about always wanting to improve, because if the bad actors get in, it’s going to make our lives a living hell.”
Turkovich also sought outside validation or correction of views on the guidelines themselves, which are always open for interpretation, “no matter how detailed the standards are.”
“It’s easy to sit in your company with your own team, when groupthink can take over and everyone agrees to what [the guidelines] mean,” he said. “That’s a risky proposition.”
Chief Information Security Officer Carla Donev joined Indiana-based NiSource from a retail background and has found the utilities sector to be “the most collaborative and engaging environment I’ve ever been in,” she said. When AGA asked NiSource to participate in a cybersecurity peer review, the answer was, “Why not?”
“From a cyber perspective, we’ve been holding things close to the vest previously,” Donev said. “We’re changing that, and this peer review helped us change that. We want to be more in front, be more vocal and learn more from others.”
Just as utilities mobilize to help each other when natural disasters strike, they must also share their cybersecurity insights. While sending key personnel to cybersecurity peer reviews is essential to success, participants still found that preparation was necessary and worthwhile for the benefit extracted.
Xcel Energy’s motivation to participate was “enterprise-wide,” said Senior Cybersecurity Engineer Nikki Hegdahl. “We seek to improve the cybersecurity environment not only at our company, but across the industry,” she said.
Before attending the cyber peer review, Xcel had conducted a cyber review of its own gas facilities using TSA guidelines, so “the timing just fell into place,” she added. Many participants agreed that the cyber peer review aligns with existing tasks and initiatives.
ONE Gas’ Pearson prepared by collecting documents, diagrams and reference points. Organizing by topic kept the focus on the discussions “instead of trying to find documents,” he said.
At Peoples Gas, Turkovich said he spent “considerable time” with a technically skilled manager, reviewing each guideline to “make sure I understood exactly how we were complying. I made a lot of notes. I went to the meeting alone but armed with my technical folks’ knowledge.”
NiSource’s Donev attended with a docket of answers submitted by her team members, creating a team perspective to share as she answered each question.
Participants agree that implementing lessons learned from cyber peer reviews involves more than resetting code and bolstering firewalls. Many have returned home with heightened awareness of corporate culture as a bastion of cybersecurity.
At the intersection of cyber and operations, “that human factor gets us in trouble,” said Donev. “My biggest job is education. I’m a teacher, and I’ve got to educate this entire company about what cybersecurity means.”
Xcel Energy’s Hegdahl agrees that cyber elements and networking “introduce a potential risk. It’s up to us to identify those threats and vulnerabilities, and how we can work with the operations team to help mitigate that. In operations, our No. 1 focus should be availability, and sometimes, we have to take creative measures to implement cybersecurity to protect those systems so they can maintain their availability and function as they were designed.”
Turkovich left his session with a better grasp on how to “get a broader understanding and buy-in of these pipeline security guidelines.”
“Certain parts of the business operations and certain individuals often think cybersecurity is IT’s job,” he said. “It’s an ongoing struggle to educate them that everybody needs to contribute by making smart decisions. IT can’t put a protective bubble around the company.”
Cybersecurity peer review participants aren’t required to implement any of the findings, but they are embracing opportunities to hone their practices and incorporate lessons learned. AGA had seen similar results with C2M2, as members would “take it upon themselves, based on the initial outcomes, to make significant changes,” noted Linn.
The beauty of the group setting, he added, is learning how peers handle challenges and improvement areas. When companies freely share ideas around resources used for such areas as access control systems and procurement language, their peers receive “tangible things they can look into.”
Participation can also help utilities prepare for TSA corporate security reviews. Though CSRs are “a request and a partnership” with the agency, advance scrutiny of the questions with peers offers the opportunity to “know what’s coming,” said Linn.
Peer review focuses a lens on strengths and gaps through a constructive, collaborative and “no-risk process,” Turkovich added. “This was not an official, formal audit where there could be findings and penalties. What better way to start going down that path than with a voluntary peer review?”
Johnson found that the workshops aligned with Vermont Gas’ efforts to view cybersecurity as “a team environment.” He has slotted ideas from the review into regular cybersecurity projects and continuous improvement initiatives “so they don’t get lost by the wayside.”
It’s important to note that no written reports emerge from any of the reviews, and all participants sign nondisclosure agreements.
“Cyber has a lot of sensitivities around it,” said Denbow. “We want the companies to feel comfortable sharing details in the confines of the workshop but also knowing that what happens there stays there.”
The format instills a shared understanding of the review’s purpose, said Donev. “You want people to come who are going to be open and honest. You don’t want the one who’s saying everything is unicorns and rainbows, because we all know that doesn’t exist.”
Face-to-face peer reviews “build trust and rapport,” said Pearson. “I know none of this stuff is going to go beyond these walls. I can be transparent. I can learn.”
Participating utilities are not segregated by size, which allows sharing of “nuggets of information,” said Denbow. “The small utilities can learn a lot from the large utilities, and the large can definitely still learn from the small utilities, but they also have a responsibility to share their knowledge.”
Small Vermont Gas benefits from its power to convene all personnel “and get a game plan,” said Johnson, so he was able to share strategies and tools that can “scale to the larger companies.”
“No matter the size of the company or the number of customers, the challenges were the same,” whether technical, cultural or regulatory, he said.
As cybersecurity peer review progresses, AGA hopes to encourage all member companies and utilities to participate, said Denbow.
Xcel plans to keep sharing with AGA members, said Hegdahl. Its presentation at the 2019 Fall Joint AGA/EEI/INGAA Security Conference, “When Availability Matters: The Road to IT/OT Convergence of Security Standards,” addresses operational technology security, which cyber peer review participants had grappled with.
Since hosting a cyber peer review, NiSource has joined other information-sharing groups and “collaborative conversations,” said Donev. “Typically, when one of us sees something, a handful of others are seeing the same thing. Having those contacts among people who know is invaluable.”
Support from senior leadership is essential to success and productivity, participants agreed. Strong leadership encourages cyber personnel to “use all the tools possible, because it’s such a dynamic thing,” Johnson said. “There are no ‘prescriptive rules 1 through 5.’ It changes instantly, so it’s imperative that everyone understands that and is working toward always making it better, with the understanding that you’re never going to get to 100 percent.”
Johnson found value in the opportunity to expand his network, learn from others, gain insight into the ever-changing landscape and perhaps catch a few problems early. And this opportunity comes amid an escape from the day-to-day tasks of “putting out fires.”
“There are very few opportune times where you get to spend an entire day to take a deep dive on any subject,” he noted, “let alone cybersecurity.”