Death and taxes are inevitable, said Ben Franklin. Maybe he should have added regulations—which are sometimes sensible, but often burdensome.
That is exactly where an industry association can help lift the burden.
As cyberthreats rise to a critical level, the American Gas Association has seized a unique opportunity to contribute to risk-based, minimally prescriptive regulations regarding cybersecurity. That opportunity has become a leading initiative in AGA’s multipronged approach of collaboration, calls, conferences and exercises to strengthen the cybersecurity capabilities of members.
“We know regulation is going to come,” said Carl Johansen, systems manager, information security assurance and compliance, Con Edison. “That part is inevitable. We need to really ensure that regulations are effective, efficient and achievable.”
The natural gas industry is accepting its share of responsibility for protecting the nation’s critical infrastructure, said Peter Grandgeorge, national security and resiliency adviser, Berkshire Hathaway Energy. (In his work with AGA, Grandgeorge represents MidAmerican Energy, which is part of the Berkshire Hathaway Energy family of businesses.) “At the end of the day, AGA members need to understand the cybersecurity risk and manage that risk,” he said. “Government can impact something like ransomware to a point; however, because the risk ultimately lies with industry, there is an onus on industry to manage that risk.”
Since its inception under the U.S. Department of Homeland Security, the Transportation Security Administration, or TSA, has held the authority as the federal regulator for pipeline security. This includes natural gas distribution as well as transmission. Prior to the 2021 ransomware attack on Colonial Pipeline, TSA applied a structured oversight model by which pipeline operators voluntarily complied with the TSA Pipeline Security Guidelines, encompassing physical security and cybersecurity measures.
After the incident, TSA leveraged its authority to issue security directives—regulations targeted at select transportation infrastructure and with mandated time-sensitive actions. The pipeline security directives specifically focused on cybersecurity of TSA-designated critical pipeline systems, which amount to nearly 100 pipeline companies that transport oil-based fuels and/or natural gas across the United States—including around 30 AGA member companies. Security directives are not subject to rulemaking administrative procedures and may be renewed annually for the duration of the imminent threat.
The first iteration of directives was entirely prescriptive, inapplicable and unachievable. Affected owners/operators expended millions of dollars to comply with the directives but with minimally realized security improvement.
Meanwhile, AGA was already corralling members to protect industry cybersecurity interests with its Natural Gas Security Committee, Cybersecurity Strategy and Regulatory Action Committee, and collaborative efforts with other pipeline trade association partners. So, AGA encouraged TSA to do the same with the TSA-designated critical pipeline systems’ owners/operators. “Every pipeline operates differently, depending on how they’re constructed,” said Amanda Sramek, AGA director, security and preparedness. “AGA suggested that TSA engage with the owners/operators to discuss why some of its regulations as written were not achievable and how there were better ways to achieve the required outcome.”
TSA took the advice. In an unusual move, it invited pipeline operators to offer constructive feedback on the security directives, hosting technical roundtables with the owners/operators so it could gain insights into the conflicting interpretations of the directives’ language. “TSA really valued hearing the operators explain why the requirements as written could promote compliance but at the expense of security,” added Sramek.
With that rare invitation, pipeline operators “can’t step away,” and they must present a unified message, said Benjamin S. Warren, director, gas transmission and distribution, energy operations, Citizens Energy Group. Thanks to that input, TSA recognized that risk-based and outcome-focused requirements provide more flexibility to adapt to dynamic cyberthreats and to address the wide swath of operational variation. This made the security directives attainable, measurable and applicable “to a company that has 1.2 million customers as well as a company that has 280,000 or a company that has 20,000,” Warren said.
Each iteration of the directives has further recognized the importance of adaptable performance- and risk-based approaches—accountable for potential outcomes and adaptable to the needs of differing utilities. “We have good, structured and honest conversations,” Johansen said. “I think we’re all on the same page about the need to protect these assets. We just potentially have different means and methods on how to go about it.”
The process has ensured that, even where regulations stated that a pipeline owner/operator “will” or “shall” take a certain step, the “how” was left up to each operation. This was an important result to ensure that even as federal, state and local regulations “pancake” on top of one another, organizations can respond quickly to threats. “If layers are added, it can make things more complicated,” Grandgeorge said. “Organizations need to be able to effectively manage their own businesses to address risks.”
“That’s a win-win for everybody,” Johansen added. “We get to be more financially responsible, as we have that obligation to our customers as a regulated utility.”
That financial obligation is a key point. “The overall effort requires collaboration because the industry strives to provide low-cost, reliable energy in the natural gas environment, and any added security costs can change the cost for the customer,” Grandgeorge said. “That’s where AGA is so important. It’s heavily used by government to get the important piece of collaboration with industry done and gain feedback on security directives. It’s also the critical conduit back to members translating what the government said into what the government means.”
The process has helped AGA members see the issue through the lens of the TSA, which is responsible for protecting millions of miles of pipeline, said Grandgeorge. At points in the process, industry players projected the implications of proposed requirements and recommended alternatives, “and the government listened, and the result was something that provided everyone with value,” he added. Now in its fifth iteration, proposed pipeline cybersecurity regulations could be issued before the end of this year.
Operationally, natural gas utilities have long talked with each other about maintenance and operations, Warren said. Good ideas and best practices are flowing among companies with widely varying service territories and security approaches.
Now, AGA’s intervention is also helping TSA understand the implications of the security directive requirements. As TSA conducts audits for compliance with the developing directives, “AGA-led working sessions for members create opportunities for members to discuss their experiences, sharing what went well and what didn’t,” Warren said. Despite naturally occurring regional differences, the conversations allow members and AGA staff to identify and raise concerns for TSA to address at headquarters and drive consistency among the regional inspectors.
“Everyone is in a fluid environment and trying to mature their cybersecurity approach,” said Grandgeorge. Because the potential impact is so high with cybersecurity, MidAmerican Energy provided seed funding for another AGA initiative, the Downstream Natural Gas Information Sharing and Analysis Center, or DNG-ISAC. “AGA was using the convening power to drive best practices prior to the 2021 pipeline ransomware event, but AGA and DNG-ISAC have shifted into overdrive over the last three years.”
To further strengthen members against cyberthreats, AGA is now staging a national natural gas exercise every two years. In partnership with INGAA—the Interstate Natural Gas Association of America—the tabletop exercise, called NGX, is designed to prepare participants for “what a really bad day would look like,” said Sramek.
Exercises push the boundaries of business continuity plans, while invited government partners get a peek at how their regulations and proposals affect response capabilities.
AGA’s leadership in NGX represents “a significant investment in our industrywide maturity,” said Grandgeorge, as staff learn from and face fluid crises and as plans are stress-tested. “Testing gets everyone in the workforce aware and hopefully engaged.”
The 2024 Natural Gas Exercise was held in conjunction with the AGA/EEI/INGAA Fall Security Conference in Tulsa, Oklahoma. Especially for lesser-resourced small and midsize utilities, participating in the exercises is the right thing to do, checks off a compliance requirement and saves money, Warren said. “With these exercises, members can learn, and they can actually have contacts at the end for people across the nation.”
As words like “collaboration” and “partnership” are repeated in government documents such as the National Security Memorandum-22 and an upcoming report on the National Cyber Incident Response Plan, the natural gas industry must “do some heavy lifting to maximize the opportunities,” Grandgeorge said.
The industry does its part by investing in equipment, systems, cyber talent and—crucially—threat intelligence on bad actors at work globally, which helps recipients prepare for similar threats. AGA contributes to the industry knowledge base, with the DNG-ISAC issuing alerts to members and raising awareness of such red flags as suspicious activity, plus hardware and software vulnerabilities, said Sramek.
Other government entities AGA works with include CISA, the Cybersecurity and Infrastructure Security Agency. After gathering and consolidating input from members in summer 2024, AGA submitted comments for CISA’s latest proposed rules, Cyber Incident Reporting for Critical Infrastructure, or CIRCIA. Comments included recommendations for clarification and focused scoping as well as praise for CISA’s emphasis on reporting incidents with real impact on systems, instead of directing operators to spend time reporting run-of-the-mill phishing attempts. “You really want to report incidents that impact the flow of natural gas,” said AGA’s Amanda Sramek.
Through conferences, workshops and virtual meetings, AGA continues to prepare its membership for compliance with the security directives, Sramek said. AGA has also put its Cybersecurity Strategy and Regulatory Action Committee into overdrive—this committee serves as a purposefully small, working committee dedicated to providing structured insight to cybersecurity regulations and policies impacting natural gas pipelines.
Warren credited AGA’s deftness at bringing together member voices and communicating with regulators, and its support for TSA’s strategy to spread beta-testing of critical regulations over multiple years. Without such collaboration, Warren would tell fellow members on calls, “TSA could say, ‘We’re done talking.’” Instead, he said, “From a TSA perspective, they’ve not only welcomed it, but they’ve asked us in as an organization.”
Added Grandgeorge, “AGA has been really helpful in making that rising tide that lifts all boats.”
As navigating purchasing grows more complex, AGA’s voluntary Cybersecurity Procurement Language Tool and Cybersecurity Procurement Language Resources help members write vendor contracts that protect themselves and their customers.
“We encourage members to use them, especially when dealing with third-party vendors, which has become more of an issue with supply chain vulnerabilities,” said AGA’s Amanda Sramek. “We don’t know where suppliers get materials. It’s the challenge of trying to hold the vendors accountable for what second and third parties put into these components.”
Citizens Energy Group’s Benjamin S. Warren says it has been able to parse out helpful segments of AGA’s procurement tools. Berkshire Hathaway Energy’s Peter Grandgeorge added that procurement tools can help smaller organizations manage the challenges of acquiring materials stocked with pieces from countries known to be cybersecurity risks, such as China.
“The industry is trying to drive out risk as early [as we can] in the life cycle of capital assets that have lifetimes measured in decades,” Grandgeorge said. “At the same time, businesses need to meet customers’ energy needs. Turning to peers, trade organizations and government partners helps build a strategic approach.”