Cyberthreats are a clear danger to the natural gas industry, but even top industry officials aren’t sure how big.
“We know they can get into our systems,” said Ron Jibson, incoming chairman of American Gas Association, told reporters Friday morning. “What we don’t have a good feel for is why do they want to? To prove they can, or is it truly to do damage?”
The most serious recent incident was the attack on Saudi Aramco in August, when a computer virus erased data on three-quarters of the government-owned oil company’s computers. Iran has been blamed for the attack, though a group calling itself “Cutting Sword of Justice” originally claimed responsibility. The infected computers only handled Aramco’s internal communications network and didn’t disrupt any oil production or shipments.
That attack was enough to shake U.S. lawmakers into action and spurred a failed attempt at passing the Cybersecurity Act of 2012, which passed the House but saw dueling versions stall in the Senate. The White House is also circulating a draft cybersecurity executive order to lay out how to better protect energy infrastructure and water systems from attack.
“Obviously, the lifeblood of this country is the ability to deliver energy, and if someone was able to disrupt the flow of energy through the electric or gas system, certainly that would be disruptive,” Jibson said.
Cybersecurity has been on the industry’s radar for more than a decade as the threat moved “from the basement of a teenage hacker to nation-states and other organized entities and groups driven by different motivations,” said Dave McCurdy, president of AGA. The know-how to cause significant damage to the energy distribution system is out there and requires constant and “dynamic” vigilance, McCurdy said.
“This isn’t a situation where you can go and buy a software product and say, ‘We’ve protected ourselves,’” he said. “Daily, they’re getting better. They’re finding ways to get into systems. We can’t ever sit back and say we’ve accomplished what we need.”
There’s no one-size-fits-all level of security, he said. In addition to protecting internal business systems, as seen in the Aramco attack, the industry must also guard the operating systems used to deliver natural gas.
“We want to keep [attacks] at the perimeter,” McCurdy said, “but we have to make sure certain systems are the most protected. We’re a critical infrastructure industry. We are critical for the country’s operation.”
Sen. Tom Carper (D-Del.), the likely chairman of the Senate Homeland Security and Governmental Affairs Committee, has said he plans to try to pass cybersecurity legislation early within the next congressional session. McCurdy said he’d like to see more information sharing between the government and the industry on cyberthreats.
The failed Senate bills offered a good starting point for new proposals, McCurdy said, but any measures to standardize security measures between the government and industry need to add to the existing cooperation between the two.
“We don’t want them to disrupt those areas that are working,” he said. “We can support a bill, but they have to build a better consensus and build on those foundations.”