Energy Infrastructure Hardening With Industry and Government Cooperation
June 15, 2016
American energy infrastructure provides the backbone for the domestic economy. The U.S. not only leads the world in oil and natural gas production, we set a global standard in the diversification of electricity supply by shifting towards more generation from natural gas and renewable sources. Over the past decade, this rapid increase in domestic energy production and diversification has given the United States greater international leverage and independence, providing further growth across multiple industries and increasing our national security. However, given the “enabling function” that energy infrastructure (loosely thought of in three segments: electricity generation, oil, and natural gas) provides for all industries, sector security is acutely critical. Without a stable energy supply, health, welfare and the ability of the U.S. economy to function are all jeopardized.
Private sector companies own more than 80 percent of the country's energy infrastructure. This includes supplying fuels to the transportation industry, providing electricity to households and businesses, and generating other sources of energy that are integral to production and economic growth across the nation. With almost all industries relying on electric power, the American economy depends on the reliability and security of the energy sector. As a whole, the energy sector is becoming more aware of its vulnerabilities, leading to significant voluntary effort to increase planning and preparedness. Substantial information sharing and cooperation through industry groups has allowed for the dissemination of best practices among stakeholders in both the public and private sectors. These efforts, which have involved multiple energy sector owners and operators with extensive infrastructure protection experience abroad, are more recently focused on cyber-security.
And with good reason. One of the more public attacks on American critical infrastructure involved a hydropower facility held hostage by "ransom-ware" that refused to pay its hackers. According to the Department of Homeland Security, by staking out the moral high ground, the unnamed water utility may have had to say goodbye to customer files that weren't backed up before the cyber-attack. Worryingly, federal officials have stated that "ransom-ware" infections are on the rise in the United States, leaving a trail of encrypted computer files in their wake.
Also of concern, with the oil industry's downturn, the FBI is warning of increasing sector vulnerability to theft of technological secrets. Companies that long have faced the prospect of economic espionage must now be prepared for the possibility that workers who have been laid off could be targeted by foreign entities and competitors wanting to steal intellectual property. FBI investigations indicate that economic espionage and trade secret theft against U.S. oil and natural gas companies and institutes are on the rise. Federal agents recently met in private with 150 energy sector executives and managers to share a report centered on economic espionage. Defined as the theft of proprietary information by foreign actors, economic espionage has targeted trade secrets in the energy and production space as well as U.S. refinery operations. Officials, who cite China as a major offender, state that foreign interest expands beyond companies to include universities, think tanks and individual researchers. These activities have included hacking, the elicitation of material from former employees, unauthorized photography and dumpster diving.
Congress is aware of these vulnerabilities and has started to act. Members of the Senate Intelligence Committee from both sides of the aisle are working to address this cyber-threat to the energy industry. New legislation called the "Securing Energy Infrastructure Act," would establish a 10-member working group to develop a national strategy for isolating the electric grid from cyber-threats. Members would include representatives from federal government agencies, the energy industry, a state or regional energy agency, the national labs and other groups with relevant experience. The bill's "retro" approach looks to the past -- when humans, not computers, operated the grid -- to look for security options that could help harden the energy sector against potential attacks. In the House, the Homeland Security Committee just approved a measure to restructure the U.S. agency responsible for guarding critical infrastructure from cyber and physical threats. The "Cybersecurity and Infrastructure Protection Agency Act" would cement the Department of Homeland Security's status leading "national efforts to protect and enhance" cyber and infrastructure resilience, while shuffling roles at a key office. The latest legislation, now set in advance for a full vote on the House floor, would rebrand the National Protection and Programs Directorate (NPPD) as the "Cybersecurity and Infrastructure Protection Agency,” which would be required to conduct a national assessment of cybersecurity risks and physical threats to critical infrastructure such as oil pipelines and power grids. These results would inform spending decisions. Committee Chairman Michael McCaul (R-TX) authored the House measure and Senator Tom Carper (D-DE) has said he is working on similar legislation in the Senate. The House bill would maintain separate divisions for cybersecurity and infrastructure protection.
But, while Congress seeks to address these serious cyber-threats, the EPA recently issued a proposed regulation to require chemical facilities to provide greater public access to data regarding off-site consequence information, which deals with plants' estimates of the impacts of a catastrophic release on the surrounding area. The attorneys general from two big chemical-producing states as well as industry stakeholders have said that the new proposal may actually lead to an increased risk of intentional release to groups with malicious intent. This disconnect may prove counterproductive to the goals that both industry and the EPA presumably share – providing for increased sector security while allowing appropriate transparency and public access to information.
Clearly there is much more work to be done to address the very real threats to the energy industry’s critical infrastructure. The very real threats and potential devastating impacts from criminal and terrorist activity would send shockwaves throughout the U.S. economy. As technological capabilities expand, public and private sector stakeholders need to increase dialogue and coordinate efforts going forward to ensure that American citizens and companies remain safe.