Addressing Pipeline Cybersecurity Regulations: Lessons from NERC CIP
While government agencies bicker over who should own pipeline cybersecurity, we continue to gain no further credible cybersecurity protection. Most of the proposals I have seen discussed fail to recognize the central problem with voluntary guidelines and the need for regulatory models based upon consequence-driven analysis. This dragon has been slain once already, but we continue to feel the need to revisit it again and again.
Here is a prime example of why voluntary guidelines do not work. Texas is no stranger to extreme winter weather. Sure, it is not Nebraska or Wisconsin, but 2021 was not the first time they had grid stability issues related to winterization. It just does not happen frequently enough to generate sufficient political memory to do anything beyond guidelines and self-reporting. Winter storms in 1989 led to the first set of rolling blackouts under ERCOT. Then in 2011, 4.4 million customers were affected by hour-long rolling blackouts again. This prompted NERC to do a winterization study, which resulted in a set of voluntary winterization guidelines. The failure of the Texas power grid in 2021 was a result of not following NERC’s voluntary guidelines. It is a great example of why voluntary guidelines can only do so much good.
Failures of Pipeline Security
Currently, U.S. pipeline cybersecurity is the responsibility of the Transportation Security Administration (TSA) because of the Implementing Recommendations of the 9/11 Commission Act of 2007. The office within the TSA in charge of this responsibility, when audited in 2018 by the GAO, had 5 people total, none of whom had cybersecurity experience. This was confirmed again during a congressional inquiry regarding the GAO’s report. TSA has no mandatory cybersecurity requirements, no rigorous auditing body, and no authority to provide either a carrot or a stick, issuing instead only voluntary guidelines.
Contrast this with the authority of the other two major Federal regulators of pipelines and other energy infrastructure. First, the Department of Transportation’s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) conducts investigations of all incidents as well as routine preventive inspections, field inspections and specific programmatic inspections of systems and procedures. They can and do issue warning letters, notices of probable violations and corrective action orders. Civil and criminal penalties are also possible, with fines and prison as possible consequences.
The second pipeline regulator is the Federal Energy Regulatory Commission (FERC). Chairman Glick and Commissioner Clements recently called for “mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector” within a recent statement. Though FERC has limited authority over interstate pipelines, it does control their major funding mechanism, the ability to set tariff rates. This is a crucial ability to be able to provide a cybersecurity “carrot” for pipeline companies. As a regulated monopoly, interstate pipeline companies are required to give equal access to pipeline transportation facilities. (This is because pipelines are not an efficient market, much like power transmission, and early movers would have an outsized advantage to destroy competition and choke both ends of a pipeline.) To accomplish this, FERC decides what operators can charge for access to their pipelines. This is a lever that in theory could be used to motivate pipelines to adopt more stringent cybersecurity practices, or equally used to punish them.
Any pipeline cybersecurity regulation that does come forward, however, should be consequence-driven. This should be about applying risk management in the right ways and not allowing companies to hide behind weak self-assessments and declarations of risk. Among those in the field, the term is consequence-driven analysis. This means studying a problem from the potential outcomes and backtracking into where the real risk lies. This can mean getting a little out there and pushing failure points to n-2 or n-3, etc., but the goal is to weed out catastrophic failures. As recognized by FERC leadership, the NERC CIP standards stand as a useful model. They were and are based upon consequence-driven analysis from the beginning. It is one of the few regulatory frameworks that I think gets it right.
The NERC CIP regulations have one goal. It is not to ensure your home gets electricity. It isn’t even to ensure your local utility survives a cyberattack. The goal is the safe and reliable operation of the grid as a whole. The goal is to prevent cascading failures across the grid resulting in what is called a “black start” of the grid. This means turning to a few specially designed plants and specific recovery paths to restart. A total blackout would result in outages of weeks or months.
What then are the possible incentives for adopting strict cybersecurity controls for the pipeline industry, and even going above and beyond? What are the penalties for putting profit in front of our nation’s welfare?
Let’s take another look at the NERC CIP standards. Utilities can seek at minimum some level of cost recovery for their regulatory obligations under these standards, and if they build the project right, there is even the ability to earn a return on investment. Additionally, FERC does not have the authority to regulate distribution. This is the last mile set of wires to your home. However, what FERC does have and has been openly considering is a way to incentivize utilities to voluntarily apply cybersecurity standards through its power to regulate tariffs and return on investment caps. They realize that we have not nationalized our critical infrastructure and that the owners of this infrastructure have a fiduciary and quite often legal responsibility to operate in a cost-effective manner.
Plus, with no incentives, especially for the smaller operators, this is another case where the big IOUs will be able to leverage their purchasing power to gain an even bigger advantage over the smaller operators, creating an imbalance and leading to more ownership consolidation, which leads to less resiliency. Incentives should be aimed at having a neutral impact on the industry as a whole.
On the flip side there will be people who, even with incentives, will at best do the bare minimum to qualify for incentives, or at worst commit fraud or decide the reward is not worth the return and do nothing. This is where the “stick” part of the approach should come in the form of audits which can result in a penalty. An important caveat about audits and fining: the agency doing the fining should never ever receive the fine, nor should it be part of their operating budget. These are terrible models. Fines should be pooled and put back into industry either through free training or covering the cost of the incentive. They can be waived for timely remediation. There are plenty of good models for this.
The thing is, we need our critical infrastructure most during extreme events. Anyone who has spent time in a disaster zone will tell you that society operates on a very thin line when basic services we have come to depend on break down. We can all either choose to invest in doomsday prepping with bunkers and meals ready to eat or invest in ensuring our pipeline cybersecurity is more resilient in the first place. This is national safety insurance, and anyone in risk management will tell you, the bigger the pool, the more cost-effective it is.
We have been not only advocating for, but actually helping people build fundamentals-based OT cybersecurity programs for a while. In our experience, we’ve found that every major standard in use today (NIST CSF, NERC CIP, CIS Controls, etc.) shares the same five fundamental controls:
- Inventory of All Hardware Assets
- Inventory of All Software Assets
- Configuration Change Management
- Vulnerability Monitoring
- Event Log Management
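To make the five controls concrete, here is an added example (not code from the original post or from any standard it names) showing how they interlock in a minimal OT asset-tracking script: a hardware and software inventory feeds a configuration baseline, the same inventory is checked against advisories, and event logs are reconciled against approved change tickets. Every asset, version, advisory, configuration and log line below is constructed sample data; the asset names, the advisory identifier `ADV-EXAMPLE-1` and the ticket `CHG-1001` are placeholders, not real identifiers.

```python
"""Toy illustration of the five fundamental OT controls: hardware inventory,
software inventory, configuration change management, vulnerability monitoring
and event log management. All data here is constructed for the example."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str   # hardware inventory key (constructed)
    model: str
    firmware: str   # software inventory: installed version string
    config: str     # current device configuration text (constructed)


# Controls 1 and 2: a single source of truth for hardware and software.
ASSETS = [
    Asset("PLC-01", "ModelA", "2.1.0", "ip=10.0.0.5\nmode=run\n"),
    Asset("RTU-07", "ModelB", "1.4.2", "ip=10.0.0.9\nmode=run\n"),
]


# Control 3: configuration change management via an approved baseline.
def config_hash(text: str) -> str:
    """Hash the configuration text so drift can be detected without storing it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


BASELINE = {a.asset_id: config_hash(a.config) for a in ASSETS}   # approved state
APPROVED_CHANGES = {"CHG-1001": "RTU-07"}   # change ticket -> asset it authorizes

# Simulate an unapproved edit on PLC-01 after the baseline was taken.
ASSETS[0].config = "ip=10.0.0.5\nmode=program\n"


def detect_config_drift(assets, baseline):
    """Return asset ids whose current configuration differs from the baseline."""
    return [a.asset_id for a in assets
            if config_hash(a.config) != baseline.get(a.asset_id)]


# Control 4: vulnerability monitoring against a (constructed) advisory feed.
ADVISORIES = [{"id": "ADV-EXAMPLE-1", "model": "ModelA", "fixed_in": "2.2.0"}]


def parse_version(v: str):
    return tuple(int(part) for part in v.split("."))


def vulnerable_assets(assets, advisories):
    """Pair each asset with every advisory whose fixed version it has not reached."""
    hits = []
    for a in assets:
        for adv in advisories:
            if adv["model"] == a.model and parse_version(a.firmware) < parse_version(adv["fixed_in"]):
                hits.append((a.asset_id, adv["id"]))
    return hits


# Control 5: event log management, reconciling writes with change tickets.
LOG_LINES = [   # constructed syslog-style lines
    "2021-06-01T09:00:00Z RTU-07 CONFIG_WRITE ticket=CHG-1001",
    "2021-06-01T09:30:00Z PLC-01 LOGIN user=operator",
    "2021-06-01T10:00:00Z PLC-01 CONFIG_WRITE",
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<asset>\S+) (?P<event>\S+)(?: ticket=(?P<ticket>\S+))?")


def unapproved_config_writes(lines, approved):
    """Return (timestamp, asset) for CONFIG_WRITE events lacking a matching ticket."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("event") != "CONFIG_WRITE":
            continue
        if approved.get(m.group("ticket")) != m.group("asset"):
            findings.append((m.group("ts"), m.group("asset")))
    return findings


if __name__ == "__main__":
    print("config drift:", detect_config_drift(ASSETS, BASELINE))
    print("vulnerable:", vulnerable_assets(ASSETS, ADVISORIES))
    print("unapproved writes:", unapproved_config_writes(LOG_LINES, APPROVED_CHANGES))
```

The point of running the three checks off one inventory is that each control confirms the others: the drift on PLC-01 is corroborated by a CONFIG_WRITE with no ticket, and the advisory match tells you which drifted device also carries known exposure, which is the ordering a consequence-driven program would prioritize.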
I have two calls to action for you. First, I encourage you to read the 2018 report from the President’s National Infrastructure Advisory Council titled “How to Survive a Catastrophic Power Outage”. There is some really good information in here about what the nation needs to do to withstand a critical infrastructure failure. Second, I encourage you to call or email both your national and local representatives to voice your concerns about our nation’s critical infrastructure cybersecurity.
When you do call them, tell them we do not want to waste more time reinventing the wheel and arguing about agency authority. There is already a plethora of standards out there that can be used for pipelines, which all require similar cybersecurity controls, such as the NIST Cybersecurity Framework. We need to ensure that these companies have adequate funding to adhere to these regulations via methods like investment tax credits or tariff relief, while also ensuring that there are enough meaningful consequences to keep them motivated.
To learn more about TSA’s recent pipeline Security Directive and how to get started with implementing the five fundamental cybersecurity controls, join our webinar on June 16.
Webinar - Breaking Down TSA’s Cybersecurity Requirements for Pipeline Operators: What to Do Now