Cyberattacks on US energy systems have become unavoidable, and enough have been successful that the sector and its regulators are increasingly focused on mitigation, response, and recovery.
Within the past 6 months, news has surfaced that hackers breached an industrial control system at a US power plant, infiltrated a third-party data system used for scheduling gas flows on pipelines, and broke into email accounts at the US Federal Energy Regulatory Commission. To date, no major effects have been reported, but the energy industry is confronting the risks.
Preparation is similar in ways to how utilities respond to a natural disaster: preparing for an event, communicating throughout the storm, deploying assets to recover, and relying on mutual assistance within the industry.
"Mutual assistance is something that's normal when you have weather-related outages but not necessarily the norm in cybersecurity," said Gladys Brown, who leads the National Association of Regulatory Utility Commissioners' committee on critical infrastructure. "Over the last 18 months, they've been doing more and more of that."
One key difference is that storm damage is more predictable than the effects of a cyberattack, so mutual assistance in the case of a cyber incident has to be up and running with far less notice.
The April attack on the third-party systems highlighted the vulnerability that energy companies also expose themselves to when they inevitably engage an outside entity to manage some part of their business.
Jim Linn, a cyber expert affiliated with the American Gas Association, compared the incident to a hack into retail chain Target's systems in 2013 that resulted in customer data being stolen.
Linn is the executive director at the Downstream Natural Gas-Information Sharing and Analysis Center (DNG-ISAC). It coordinates sharing of cyberthreat information. To limit cyberthreat entry points, DNG-ISAC members have been developing procurement guidelines for safely choosing third parties and incorporating government recommendations, according to Linn.
"We're still wrestling through that, having the right agreements in place, having the right protections in place," he said.