Attacks and Vulnerabilities
Mining, Oil & Gas
News
Regulation, Standards and Compliance

FERC chairman calls for single federal agency with authority over pipeline reliability

January 24, 2022
FERC chairman calls for single federal agency with authority over pipeline reliability

The issue of securing energy infrastructure and the need to bring in legislation to enhance pipeline reliability came up at a hybrid legislative hearing held by the U.S. Committee on Energy and Commerce. The meeting also took up the concern of the designation of a single federal agency with authority over pipeline reliability. 

At the meeting, the chairman of the Federal Energy Regulatory Commission (FERC) highlighted that the “lack of mandatory reliability standards, especially for natural gas pipelines, poses a risk to the reliability of the Bulk-Power System due to the interdependency of our nation’s gas and electric infrastructure.” 

“There are currently 93 FERC-approved mandatory reliability standards for the Bulk-Power System, 12 of which address cybersecurity,” Richard Glick, said in his written testimony, last week. “These mandatory reliability standards have made great strides toward improving reliability of the Bulk-Power System. In contrast, there is no comparable mandatory reliability regime for natural gas and other pipelines that transport energy products, including gasoline and propane.”

In December, a bill was introduced in the U.S. House of Representatives that would direct the FERC to create a new, stakeholder-driven entity responsible for developing energy pipeline reliability and cybersecurity standards. 

Turning his focus towards the legislation, Glick said in his testimony that “H.R. 6084 is similar to the legislation adopted in EPAct establishing a mandatory reliability regime for the Bulk-Power System.” He highlighted certain features of the legislation that should help to address the risks, including the creation and certification of an Energy Product Reliability Organization (EPRO) similar to the process that led to the designation of the ERO. 

The legislation calls for the development of mandatory standards to ensure the reliable delivery of energy products. The EPRO would submit the draft standards to FERC for review, according to Glick. “Although the EPRO is responsible for the development of reliability standards in the first instance, the legislation would provide the Commission with the authority to order the development of reliability standards and to require the EPRO to issue emergency standards if warranted.” 

Finally, Glick said that the legislation would provide the Commission with the authority to review EPRO enforcement actions and to independently investigate and penalize violations of any reliability standard.

A FERC report had last year recommended the inclusion of the designation of a single federal agency with authority over pipeline reliability, “as it appears that no one agency has responsibility to ensure the systemic reliability of the interstate natural gas pipeline system.”

To address the risk that the disruption of natural gas production or transportation could negatively impact the operation of the bulk-power system, the report recommends that FERC, Congress, state legislatures, and regulatory agencies with jurisdiction over natural gas infrastructure facilities adopt new requirements for reliable operation of natural gas infrastructure. These recommendations include the designation of a single federal agency with authority over pipeline reliability.

Last year’s ransomware attack against the Colonial Pipeline illustrates the serious cybersecurity threats facing the nearly three million miles of pipelines that transport natural gas, oil, and other energy products across the U.S., Glick said. “As a result of that attack, Colonial Pipeline shut down for several days, causing price spikes and shortages from Texas to New Jersey. A similar attack against a natural gas pipeline serving electric generators has the potential to also impair the reliability of the electric grid.” 

“In my view, it is critical that energy pipelines also be subject to mandatory cybersecurity standards. In fact, former Chairman [Neil] Chatterjee and I publicly called for the establishment and enforcement of mandatory cybersecurity standards for pipelines several years ago,” Glick added.

Glick was joined by Deputy Secretary of Energy David Turk, who also testified at the hearing, and argued that a longer-term regulatory framework would be more suitable, as opposed to the emergency directive that TSA would have to renew after one year. 

Following the Colonial Pipeline cybersecurity incident, the Transportation Security Administration (TSA) proposed its first mandatory cybersecurity standards after relying exclusively on unenforceable guidelines. 

A Government Accountability Office (GAO) report from 2018 identified several concerns regarding TSA’s ability to effectively oversee pipeline system security, including meager staffing levels, lack of a strategic workforce plan to work toward hiring staff with the necessary expertise, limited usefulness of its risk assessment methodology, and failure to implement clear, measurable, and effective strategies for monitoring pipeline security reviews. 

While a more recent GAO report indicates that TSA has addressed some of these issues, it states that TSA still must develop data sources relevant to pipeline threats, vulnerabilities, and consequences of disruption consistent with the Department of Homeland Security’s (DHS) risk mitigation priorities, and review and update its 2010 pipeline security protocol plan. 

One expert recently stated that TSA currently lacks the expertise and resources to oversee a “robust mandatory pipeline security compliance regime.”  

Compared to pipeline cybersecurity, the transmission of electricity is regulated through a comprehensive framework of mandatory and enforceable reliability standards, including cybersecurity standards. The administration has over the years fine-tuned its approach for the purpose of developing mandatory and enforceable reliability standards. 

The U.S. electric utility industry formed NERC (North American Electric Reliability Corporation) in 1968 following extensive blackouts in 1965, and the agency has evolved over the years to account for changes in the electricity industry, including addressing rising cybersecurity threats.

The TSA had released in December ​ two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs
Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs
TXOne’s Portable Security Pro works towards improving security in ICS environments
TXOne Networks presents SageOne, its new CPS protection platform
Critical Start
Critical Start introduces managed detection and response services for OT environments
Shift5
Shift5 debuts GPS integrity module to combat GPS spoofing risks
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates