Editor’s Note: The authors are correct, “Public-private partnerships are the foundation for effective critical infrastructure protection and resilience strategies, and that timely, trusted information sharing among stakeholders is essential to the security of the nation’s critical infrastructure.” Public-private partnerships and approrpiate information sharing will need to be the cornerstone of any critical infrastructure cyber defense regulatory regime if it is to be effective, irrespective of whether the protections are mandatory, voluntary or hybrid.
From: Politico/Opinion Contributor
By RON JIBSON and DAVE MCCURDY
America’s natural gas utilities operate more than two million miles of pipelines – the safest energy delivery system in the nation. Nothing is more important to us than the safe and reliable delivery of natural gas to the more than 177 million Americans who use it for heating, cooking, and hot water, as well as the industries such as steel and chemical manufacturers that are experiencing a rebirth due to the abundance of affordable natural gas.
Our nation is the top producer of this clean energy source, which provides an opportunity to meet our national goals of boosting our economy, improving our environment and increasing our energy security. We envision a future where natural gas runs a significant number of our vehicles, generates power and supports other forms of renewable energy. Utilities will continue to build the 21st-century energy infrastructure to deliver the promises of natural gas.
This new era of energy delivery comes with new challenges. Ensuring the protection and resilience of the nation’s critical infrastructure is a shared responsibility among multiple stakeholders. When it comes to critical infrastructure operators, there are two types of companies: those that have been hacked and those that have been and don’t know it yet. Our industry is working with government at every level to detect and mitigate these cyber attacks.
Natural gas utilities actively engage in cybersecurity management, with the primary objectives of minimizing cyber vulnerabilities and increasing a system’s ability to detect malicious cyber traffic, mitigating impact, and implementing security measures that do not disrupt the safe and reliable delivery of natural gas to customers.
Cybersecurity effectiveness in the natural gas industry is maximized in the diversity of the protective approaches employed. In general, operators across the industry use the “defense in depth” strategy to protect their control systems. This military strategy, adapted to cybersecurity defense, seeks to delay the advance of an attacker and entails the “layering” of tools and mechanisms as appropriate for the particular operating system so to protect against, detect, and mitigate compromise. This strategy begins with corporate cybersecurity governance consisting of policies, standards and guidelines. Constantly changing risks are regularly assessed and mitigated.
Public-private partnerships are the foundation for effective critical infrastructure protection and resilience strategies, and that timely, trusted information sharing among stakeholders is essential to the security of the nation’s critical infrastructure.
We have encouraged all of our member companies to take advantage of the cybersecurity tools available through our partnerships with the Transportation Security Administration’s Pipeline Security Division and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team. Officials from DHS have met with our board of directors and member companies to review and assess threats.
There is no silver bullet. Cybersecurity is a continuous process that requires companies to constantly manage their cyber risk. This entails assessing business, process control, IT, and personnel safety systems for related weaknesses and balancing the cost of addressing vulnerabilities with impacts on safety, reliability, deliverability and cost-efficiency.
There is general agreement in basic principles for cybersecurity legislation, including: expanded cybersecurity information sharing between the government and the private sector; liability protections for companies that share sensitive information with the government; federal support for cybersecurity research and development; and, criminal penalties for violations.
When crafting cybersecurity legislation or a related executive order, government should focus on what industry vitally needs: more robust cybersecurity information sharing between the government and private industry that delivers real-time communication, technical assistance and mitigation strategies. Furthermore, prescriptive regulation not only hinders a robust cybersecurity program but weakens through standardization. Policy that standardizes cybersecurity processes ignores the fact that system diversity is key to thwarting cyber attacks. Furthermore, any policy that changes the existing and successful cybersecurity partnerships could potentially undermine the productive working relationships already in place.
The American Gas Association represents more than 200 local energy companies committed to the safe and reliable delivery of clean natural gas. We work to make sure utilities are informed, involved, protected, and represented accurately in policy discussions and work in collaboration with others in the both the natural gas and utility industry. Maintaining the safety and trust of our customers is our top priority.
December is critical infrastructure protection and resilience month, an opportunity to examine the systems that are the lifeblood of our nation and how we can protect them from current and future threats. As we approach a new year, we will continue to work with the relevant federal agencies to keep our nation’s natural gas pipelines safe while we urge lawmakers in Washington, D.C. and throughout the country to take strong but prudent steps on this vital issue. Most importantly, we will take the actions necessary to continue to deliver safe, efficient energy to all Americans.
Ron Jibson is the incoming chairman of the Board of Directors of the American Gas Association for 2013 and the Chairman, President and CEO of Questar Corp. in Salt Lake City.
Dave McCurdy is the president and CEO of the American Gas Association and a former Chairman of the House Intelligence Committee.