Hackers last week infiltrated a communications platform provided by Energy Services Group LLC, which Bloomberg reports impacted five pipeline operators. This has provided increased focus to an ongoing thrust for cybersecurity regulation of the energy industry and its subset, the pipeline industry.
In February, Energy Department Secretary Rick Perry announced that $96 million in funding would be used to create an office to address cyber threats to energy. Further, congressmen and senators on both sides of the aisle have been pushing for increased regulation in the last few years, increasing in the last few months.
“These attacks are a wake-up call that addressing our aging energy infrastructure needs to be a priority… Bad actors are looking at any way to weaken the American energy sector.”—U.S. Rep. Robert Latta, R, Ohio of the House Committee on Energy and Commerce, stated in an email sent on April 5th.
“Our energy infrastructure is under attack… A year ago, I called for a comprehensive assessment of cyber attacks to our grid by Russians. We don’t need rhetoric at this point—we need action.” Sen. Maria Cantwell D, WA.
This should be a matter of concern to owners and managers of pipeline companies and their suppliers, as this is a similar path taken to the mandatory NERC CIP regulations of the power industry. Even though the NIST framework laid out by the TSA for the pipeline industry is currently voluntary, so too were the NERC standards before March 2007. When regulation does come, it is almost a certainty that the regulations will mirror or at least closely follow the current TSA NIST framework. This presents an opportunity for pipeline companies to get ahead of the curve and begin implementing a cybersecurity structure now. Not only will doing so help prevent costly cyberattacks and increase asset value, but a slow, incremental run-up to compliance is much cheaper and easier than the last-minute scramble seen in the US defense industry and its suppliers with DFARS and international companies and their suppliers with GDPR.
While getting started early will save companies money in the long run, creating a cybersecurity program is still a long and costly endeavor. Thankfully, there are alternatives to simply re-creating the big, expensive cybersecurity departments of the largest companies. SecurityGate.io has created an automated platform that allows companies to assess, manage and remediate their cyber risk according to any compliance standard in any field, including the voluntary (for now) TSA pipeline cybersecurity NIST based framework. This platform drastically reduces the cost and time necessary to implement cybersecurity for your company. Contact us for more information on how to implement SecurityGate.io at your organization.
References:
