Keeping the US energy infrastructure safe from attack, whether it is a gas pipeline, oil refinery, or power grid, has become a key domestic issue for policymakers in Washington, DC.
Trade association executives representing the oil, gas, and electric industries said late last month that they are working in tandem with the White House and Congress on ways to ensure that critical infrastructures are safe.
Heads of the American Petroleum Institute, American Gas Association, and the Edison Electric Institute told reporters at a Sept. 21 US Energy Association meeting that they are coordinating with each other and with the government on ways to improve security.
AGA Pres. Dave Parker noted, for example, that the Department of Transportation has pulled from its web site detailed maps of the country’s pipeline infrastructure because of national security concerns. The maps, which were still being plotted in some cases, were designed to dovetail with the US Environmental Protection Agency’s Right to Know public information campaign. The idea was for local communities to track existing and proposed pipeline routes. Industry originally opposed the program in part because of security concerns, Parker said. Following the terrorist attack, DOT officials pulled the information. DOT could not be reached for comment.
Speaking for the oil industry, API Pres. Red Cavaney said his members remain “vigilant” but stressed that neither are they starting at ground zero.
He noted the oil industry is already used to dealing with heightened security. That’s because API members are already used to working in “hostile” business environments across the world and are prepared to meet new challenges on US soil.
Cavaney also noted that, as recently as June, executives from the oil and gas industry and the Department of Energy called on more industry-government cooperation based on the findings of a 2-year study by the National Petroleum Council that highlighted risks to cybernetic security, (OGJ, June 18, 2001, p. 20). NPC is a 175 member, federally chartered, and privately funded advisory committee that represents oil and gas industries to DOE.
Physical infrastructure issues were also discussed under the study and as part of “Y2K” exercise initiated under the administration of President Bill Clinton in 2000. Companies in many cases have already made sizable investments in boosting security and are in good shape to meet government’s expanded expectations, Cavaney suggested.
Nearly all aspects of the energy business are as dependent as any other sector on the internet and computers to carry out routine operations, that report concluded. Oil refineries, gas pipelines, power plants, and the electric transmission grid are all critical infrastructures vulnerable to cyber threats.
NPC’s call for more industry-government dialogue is in step with ongoing concerns by the General Accounting Office.
In an update of numerous reports on the issue, the agency told lawmakers Sept. 12 that federal computer systems are riddled with weaknesses that continue to put critical operations and assets at risk, including energy infrastructure, according to the agency.
GAO told the Senate Committee on Government Affairs last month that dramatic increases in computer interconnectivity, especially in the use of the internet, pose significant risks to computer systems and, more importantly, to the critical operations and infrastructures they support.
“Telecommunications, power distribution, public health, national defense, law enforcement, government, and emergency services all depend on the security of their computer operations,” GAO told the committee.
And in light of the terrorist attacks, there is no time to waste, policymakers said. GAO said the government should establish a stronger, agency-wide security management framework. The Federal Bureau of Investigation’s National Infrastructure Protection Center provides analysis, warning, and response to computer-based attacks. But NIPC is not as effective as it could be in coordinating cyber-security among various agencies, GAO said.
One bright spot is the relationship between federal monitors and the electric power industry, the agency said.
According to NIPC and industry officials, the “indications, analysis, and warning program,” established with the North American Electric Reliability Council (NERC) on behalf of the electric power industry, has provided “useful information” to both the NIPC and industry and may prove a model for future efforts in other industry sectors.
The FBI and the electric power industry have a history of working together, so there was an existing relationship to build on, GAO said. NERC encouraged industry to voluntarily supply NIPC with information on unscheduled outages, degraded operations, and serious threats to facilities, activities, and information systems (OGJ Online, Sept. 14, 2001).
The NPC study and GAO analysis are good first steps, say US officials, but they contend that more work needs to be done.
One week after the Sept. 11 terrorist attacks, President George W. Bush established a new cabinet-level Office of Homeland Security that is expected to be a traffic cop of sorts, directing and organizing information received from various law enforcement agencies across the federal government.
Congress also moved forward. Republican leaders in the US House of Representatives established a new subcommittee on terrorism that will study ways to beef up infrastructure security in the energy, water, and transportation sectors. Reps. Saxby Chambliss (R-Ga.) and Jane Harman (D-Calif) will chair the panel, called the House Subcommittee on Terrorism and Homeland Defense, and hearings are expected to start this month. The Senate Committee on Energy and Natural Resources last week also held a closed hearing on the vulnerability of the nation’s energy delivery systems, with industry representatives from NPC and various trade associations testifying.
Long, winding road
Clearly, there are still challenges ahead, and industry officials say they recognize it’s not the time to be complacent. But beyond the immediate “guns, guards, and gates” worries, a long-term strategy for keeping energy delivery systems efficient is still needed, they say.
Federal Reserve Board Chairman Alan Greenspan echoed those worries when he recently warned lawmakers that the nation’s energy infrastructure still must be updated to meet long– term demand.
“We have to focus on looking at the longer term, because these take years to do, and if we only address long-term energy infrastructure problems 3 weeks before we need an answer, we are never going to get there,” he told the Senate Committee on Banking.
Industry officials are also hoping that policymakers within the next 2 years enact legislation that streamlines the permitting process and helps keep fuel supplies diverse enough so that the US economy does not rely so heavily on one region of the world for its energy needs.
Some kind of energy legislation that encourages domestic production and reduces bureaucratic red tape may be addressed this fall, although the timetable is still very cloudy, congressional sources said.
Industry, meanwhile, is not waiting for Congress. A group of 11 oil company participants last week were about 45 days away from creation of a limited liability company to operate and manage an information-sharing and analysis center for oil and gas industry security, under the supervision of DOE.
Global Integrity, a division of Predictive Systems Inc., Reston, Va., was hired to operate that center, said Bobby R. Gillham, manager of global security for Conoco Inc., Houston, who will serve as coordinator between the industry and government agencies through that center. Gillham was also the point person for the June NPC study.
That security company already operates a similar information and analysis center for the banking industry, overseen by the US Treasury, in a program established by presidential directive a couple of years ago that assigned various government departments the responsibility for coordinating the infrastructure integrity of the industries they regulate, Gillham said.
“On the physical side, the industry is in good shape to handle an emergency response,” said Gillham. But like most other industries, it’s vulnerable to viruses and “denial-of-services attacks that may be unleashed against energy facilities by a computer hacker.”
Once the information center is functioning, it will serve as a clearinghouse for information gathered from various government security agencies to provide warnings of pending problems to the industry. Participants also can trade information and best practices through the center, said Gillham, who retired from the FBI prior to joining Conoco about 6 years ago.
“It’s too bad we didn’t have it up and running [the week of the terrorist attacks],” he said. “It would have provided members the opportunity to share information.”