Spurred by fears that nation-state cyber-attackers may shift their attention to United States critical infrastructure, lawmakers and federal regulators are increasingly talking about cybersecurity standards for the natural gas pipeline system, similar to what currently exists for the power grid. A new report from Moody’s Investors Service said imposing mandatory cybersecurity regulations would be “credit positive” for operators and the utilities.
“The implementation of mandatory standards for gas pipelines is credit positive because it would force any late adopters of the standards to strengthen their baseline defenses, which would in turn make them less of a target for cyber attackers,” according to a recent report from Moody’s Investors Service.
By “credit positive,” Moody’s means that imposing regulations would have a positive effect on utilities and operators’ credit-worthiness, or the ability to borrow money and attract investment.
Like the rest of critical infrastructure, gas pipeline operators increasingly rely on networks of sophisticated computers to manage the flow of natural gas across state lines. Tampering—or interfering—with these systems would disrupt how natural gas is delivered around the country, which is why attackers consider these networks “prized” targets, the analysts said. Pipeline operators are not required to report incidents unless the company deems them material.
“The US natural gas pipeline industry, despite having become the primary supplier of fuel to the US power generation fleet, is not covered by federally mandated cybersecurity standards,” Moody’s analysts wrote. “Complete data on the number and scale of attacks is not readily available.”
Power Grids are Regulated
In contrast, the power sector is regulated. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) consists of nine standards and 45 requirements covering areas such as the security of electronic perimeters, asset protection, disaster recovery planning, personnel training, and security management. Utilities can use the standards as a baseline cybersecurity strategy and build upon them to address their specific requirements.
The Federal Energy Regulatory Commission also requires utilities to report attacks on electric grids, even when attacks do not cause service disruptions.
“Requiring entities to report attempted cyber intrusions, as well as successful ones, is an important step toward enhancing the collection and distribution of information on rapidly evolving cyber threats,” FERC Office of Electric Reliability Director Andy Dodge said at a recent hearing before the House Energy and Commerce Committee’s energy subcommittee.
The disconnect between the two industry sectors—despite the fact that they are tightly linked and dependent on each other—“leaves a significant vulnerability in the utility industry's cyber risk management,” Moody’s said.
Mandatory cybersecurity standards should be viewed as a starting point, since they would help guarantee that all pipeline operators and utilities—even the late adopters—are investing in security defenses, “at least to the level required by law,” in order to avoid regulatory fines, Moody’s analysts wrote. Regulation would force operators to increase investments in this area and make the natural gas pipeline sector “more difficult targets for attackers.”
Federal standards would also help pipeline operators recover the costs of investment.
“As a regulated asset, natural gas pipelines charge rates that can be adjusted through rate case proceedings to recover prudently incurred costs,” Moody’s said.
Attempts to Self-Regulate
When it comes to critical infrastructure, there is a tug-of-war between companies urging self-regulation and regulators arguing that mandatory requirements would ensure that baseline defenses are in place for everyone. Former American Gas Association (AGA) president and CEO Dave McCurdy has said the association’s member companies have made progress in improving their cybersecurity postures through various initiatives such as data sharing. Companies can assess their defenses with tools such as the Department of Energy’s Cybersecurity Capability Maturity Model.
The Transportation Security Administration currently runs the natural gas pipeline security program—and industry oversight is weak, a Government Accountability Office (GAO) audit report in January found. Part of the weakness stems from the fact that the TSA only has the equivalent of six full-time employees supervising the entire industry, which includes natural gas transmission pipelines and pipelines transporting oil and other hazardous liquids.
The number of TSA critical facility security reviews of pipeline facilities has fallen sharply since 2010, Moody’s analysts wrote in the report, citing the GAO audit.
“We know that regulation is not a panacea, but rather, for many, it is a ceiling and creates a burden of compliance which takes away from security efforts and resources,” McCurdy said in a message to the association’s members back in February. AGA would rather see the TSA receive more funding and authority to inspect and audit the cybersecurity of the pipeline systems, McCurdy said.
Investor Focus on Security
Moody’s has been increasingly focusing on security as part of its industry and company analysis, recognizing that cybersecurity is an important part of assessing a company’s risk profile. In March, Standard & Poor’s downgraded credit bureau Equifax as a result of its 2017 data breach. Moody’s also revised its outlook on Equifax and cited the breach as one of the reasons.
The ratings agency also recently announced a joint venture with Israeli company Team8 to assess how vulnerable businesses are to cyber-attacks and create a global benchmark. The framework would allow organizations to measure their defenses and preparedness in comparison to other businesses and over time. The venture is separate from the credit ratings service.