An unfortunate reality of guarding our nation’s infrastructure, including petroleum and natural gas (PNG) and the energy grid, is that, for each advancement made to ensure its protection, somebody out there is thinking just as hard about how to undo our work. Add to that the threat of natural disasters and human error, and it’s clear that specialists in cybersecurity and other aspects of the PNG industry need to do everything possible to stay one giant step ahead of these disruptors.
Targeting Natural Gas & Oil
According to a report from ITEGRITI, an American firm dedicated to protecting critical infrastructure, the most significant threats come from nation-states, criminal gangs, cyber-terrorists, and even disgruntled insiders. “The energy and utilities industry is a prime target for malefactors,” John Iwuozor wrote in the piece from May 2022. He cited the ransomware attack in 2021 that shut down the East Coast’s fuel supply for a week to the tune of a $4.4 million payment, let alone the costs to businesses and consumers affected by the disruption. Due to the settlement, he added, “The oil, gas, and utilities industry are now becoming prime targets for these hackers.”
Industry Preparedness Handbook (API)
Equally important to understanding the threats to our infrastructure is having plans in place to prevent disruptions or to be able to react to them as quickly as possible. The American Petroleum Institute (API) released an extensive Industry Preparedness Handbook last summer that addresses potential threats and provides guidance on being proactive and resilient in the face of attacks and disruptions.
In a section titled Preparing for a Crisis at the State and Local Levels, for example, the handbook outlines preparation with a series of Dos and Don’ts:
- Know Who Does What
- Know What Not to Do
- Know What Matters
- Practice Practice Practice
Whether it be a hurricane, flood, or terrorist attack, the PNG industry is working to develop critical relationships with public officials, first responders, and industry partners to prevent and respond adequately to potential crises.
The API handbook maintains that roles and responsibilities assigned during a disruptive event are often outside the scope of normal business operation, so having rehearsed protocol can be the key difference between being proactive and reactive. “Be aware of the critical services in your region, the products needed to maintain those services, and the impacts of not receiving those services.” Exemplifying the trickle-down effect of crisis, the handbook notes that “interruptions to product deliveries can affect the ability of first responders to fuel vehicles, the ability of citizens to heat their homes, and the ability of hospitals to keep generators running.” An extreme yet tangible example of such a scenario can be seen every day as Russia continues to attack infrastructure in Ukraine.
Collaborative exercises between PNG operators, public officials, and those providing emergency services can help to ensure that all parties “have an understanding of how systems function, how response is carried out, and what the expectations for restoration should be.”
Department of Energy Steps In
These plans, which evolve as quickly as the industry itself, are receiving attention and financial support from the U.S. Department of Energy, which announced in November 2022 an investment of $45 million for states to enhance research, development, and demonstration of projects to create new technologies to address emerging threats and limit disruptions to energy systems. An additional $250 million was earmarked for similar developments at rural and municipal levels. State legislators are also on board with the initiative by requiring utilities to prepare cybersecurity plans to protect facilities and crucial electronic data.
In his piece for ITEGRITI, Iwuozor cites a joint effort between the federal government and the private sector known as the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems as that giant step needed to ensure the security of U.S. energy infrastructure. The information gleaned from these endeavors can help identify vulnerabilities in systems before they are compromised. The private sector has access to the technologies, Iwuozor related, and the government has the resources to invest in continued development of the tools and plans we need to keep our energy sector safe for the foreseeable future.