Natural gas pipeline operators must enhance their cybersecurity protocols to avoid breaches like the one that shut down the Colonial Pipeline refined products conduit in May, a panel of experts agreed Wednesday.
Electronic bulletin boards (EBB) are especially vulnerable to hacks, said the panelists participating virtually in the LDC Gas Forums Midcontinent conference in Chicago.
The energy industry “is probably not at the forefront in terms of adopting the latest technology,” said NatGasHub.com CEO Jay Bhatty.
He explained that “today when you hit click, and you submit your gas nomination, it leaves your home or your office. It’s traveling over the public internet and it’s traveling unencrypted…most companies are likely not using encryption software to encrypt their nominations.”
[Tune In: Join NGI Price & Markets Editor Leticia Gonzales as she sits down with EIA Energy Economist Stephen York to discuss the recent ramp up in natural gas prices, the fundamentals driving it and where the price might be headed for the upcoming winter. Listen now.]
This puts data at risk of being intercepted by hackers, said Bhatty. He urged companies to “check the entry/exit point of your data when it leaves your employee laptops and computers, how is it getting to its destination, and how is the data getting from the destination back to you.”
Fellow panelist Marcin Toczydlowski, director of Process IQ Co., stressed the importance of two-factor authentication for EBBs.
“Password-only authentication is bad and will get you hacked, full stop,” he said. Toczydlowski said single factor authentication is the “biggest problem in the energy industry” from a cybersecurity perspective.
Another common mistake is to email unprotected Microsoft Excel spreadsheets containing sensitive information. Bhatty said users should use password protection to encrypt their spreadsheets.
Panelist Danial McGrath, advanced system director for energy at FIS, agreed, stressing the importance of “password hygiene” to prevent attacks.
“Excel, while it’s very easy and flexible to use, is also becoming an offline tool,” Bhatty said. “A lot of companies are realizing that Excel is not centralized. It resides on individual computers, employee laptops, and so their data can’t be centralized.”
As a result, companies in sectors such as banking increasingly are phasing out or limiting the use of Excel, or requiring employees to obtain Information Technology, aka IT, department approval before using it.
One easy step for pipeline companies to protect their data is to hire a cybersecurity firm to conduct a penetration test, aka a pen test, to find the weak areas of a network.
Bhatty also noted that FERC has “gently been nudging the industry towards more automations and cybersecurity, reducing the cyber threat.”
All three panelists stressed the importance of robust cybersecurity regulations. However, they said industry must take the lead in fortifying its networks against attack.
Regulatory initiatives in the cyber arena “have a tendency to create a lot of complexities,” Toczydlowski said.
Bhatty agreed, saying that “sometimes a regulator will tend to use a hammer instead of a chisel” in crafting rules or guidelines. He cited the North American Energy Standards Board, aka NAESB, as an industry group that has helped the Federal Energy Regulatory Commission craft effective regulations.
The American Petroleum Institute (API) in August also published the third edition of its Standard 1164, Pipeline Control Systems Cybersecurity.
Toczydlowski praised the API standards, as well as guidelines published by the Cybersecurity & Infrastructure Security Agency.
“The challenge,” he said, “is implementing them and making sure that you follow their instructions.”
The Transportation Security Administration also has handed down new cybersecurity directives for pipelines in the wake of the Colonial attack.Leaders from the energy, technology, and financial sectors, meanwhile, vowed to help harden the country’s vital infrastructure against cyber attacks following a summit last month with President Biden.