Domestic U.S. oil and gas production has increased dramatically with technological advances in drilling and completion techniques, and pipelines now transport roughly two-thirds of U.S. energy demand. Important as it is to the economy, however, this delivery system is at risk.
More than half the nation’s pipeline system is at least 40 years old, increasing the likelihood of a leak or rupture even in standard operating conditions. Many of these systems have become more automated over the years, which has improved operational control but also made them more vulnerable to cyberattack and data breach.
This article provides an overview of our recent analysis of U.S. pipeline infrastructure and potential threats to these systems. It addresses the issue of whether voluntary cybersecurity standards are sufficient to protect the public from harm, as well as potential tort liability and other legal issues for companies that are targeted by cyber-intrusions.
A growing number of data breaches in the retail and financial sectors has resulted in widespread media coverage and heightened public awareness and scrutiny of cybersecurity systems. Relatively few people realize that the energy sector, including pipelines, power plants, refineries and transmission grids, has been the major target of cyberattacks and intrusions.
A recent study by the U.S. Department of Homeland Security’s Transportation Security Administration (TSA), the agency in charge of pipeline security oversight, indicates the energy sector is subject to more cybersecurity incidents than any other area. These attacks on the energy sector continue to grow in both frequency and sophistication, the TSA reported.
Due to the toxic, explosive or flammable nature of the substances handled in many pipelines and energy facilities, such cyber intrusions may present a much more serious threat to human health and the environment than system breaches in other sectors.
U.S. Pipeline System
The United States is estimated to have about 182,000 miles of hazardous liquid pipelines, 325,000 miles of natural gas transmission pipelines and 2.15 million miles of natural gas pipelines, along with the associated metering equipment, pumps, sensors and valves. This network of gathering and transportation pipelines continues to expand, particularly relative to increased exploration activity in such areas as the Permian, Eagle Ford and Bakken.
In many of the unconventional basins, the nature of the hydrocarbons being produced has changed. Wells are generally yielding more natural gas liquids, crude oil that is lighter and more flammable, as well as associated natural gas volumes that are required to be marketed as opposed to being flared.
Experts who study cybersecurity issues recognize that, due to the massive scale of the pipeline system and irregular nature of the threat, potential cyber-attacks on the energy space could cripple the U.S. economy.
SCADA Data Systems
As in many other industry sectors, pipeline operations have become more reliant on supervisory control and data acquisition (SCADA) systems, which can monitor and control multiple tasks with data being examined in a control room miles away. The Congressional Research Service recently examined the status of pipeline security measures and noted with concern that SCADA systems are particularly vulnerable to cyberattacks.
Many of the SCADA systems now in use are older and were installed during periodic system upgrades, and cybersecurity was often a secondary concern in the process, although this is changing with the growing threat of attack. Many operators have now instituted periodic cybersecurity upgrades and testing for system vulnerabilities.
An informal survey by the author of numerous companies in the energy sector indicated they are subject to “constant probing” of their SCADA systems. None of the companies would acknowledge if their systems had been breached, but several indicated they had temporarily shut down the systems to analyze attempted intrusions and potential exposure. There has been no SCADA intrusion reported to cause substantial damage to a U.S. pipeline, but systems have been shut down or otherwise controlled by attacks elsewhere, and one intrusion was blamed for an explosion that resulted in a month-long shutdown for repairs.
Current U.S. rules and regulations do not require that companies disclose cyberattacks – successful or not – except in the case of a public company with a material event. Due to this lack of disclosure, it is difficult to judge the full extent of the threat.
The evolving nature of cybersecurity threats poses unique challenges to industry and regulators. Most regulatory issues are addressed through a slow and methodical process: A problem is identified, rules are proposed, comments are taken, hearings are conducted, and then a final rule is issued by the agency. If this procedure were utilized for cybersecurity threats, the final rules would address cyber-threats that were two or three generations old.
Because the cyber world evolves quickly and each threat is somewhat unique, energy sector cyber-regulations are generally more fluid and require that the operator use “reasonable” methods to protect their systems and third parties. The problem is that a regulator may have a much different view of what’s reasonable than a pipeline operator. To some extent this issue is left in the regulator’s discretion.
The potential consequences of a breach are elevated for companies that transport oil, natural gas, natural gas liquids or other flammable substances, so the regulators and courts generally find the operator is obligated to take more extensive precautions than might be expected in other sectors. Some energy industry associations have adopted a code of “best practices” to help operators ensure their cybersecurity efforts are reasonable, although best practices can change quite often as cyber-threats evolve.
As cyber threats continue to grow, the issue of how best to handle the regulatory oversight is one that will continue to be debated.
An operator is generally required to act in a prudent and reasonable manner to avoid negligence liability. When a cyber-incident occurs, the question of what is reasonable is a question of fact.
This generally means it will be decided on a case-by-case basis depending on the situation. And what is considered reasonable can change over time. For example, 60 years ago it was a common industry practice and considered reasonable to dump highly saline brine wastewater from oil wells into local creeks. Today, of course, this would not only be a violation of regulation but also would likely be considered an unreasonable, negligent act.
The potential harm must also be “foreseeable” to create liability, and this can be challenging in an area that evolves as quickly as cybersecurity. Ten years ago, it might not have been foreseeable that a pipeline’s data or control system would be breached. This argument would be very difficult to make today.
“Negligence per se” is a method to establish negligence by showing that a party violated a rule or statute that set a standard of conduct intended to protect the public. The problem with this theory when applied to cybersecurity regulations is that there are usually no established regulations, just an obligation to act in a reasonable manner. Violation of voluntary industry standards generally does not constitute negligence per se.
While cybersecurity intrusions may be difficult to prevent, experts have identified certain actions that can be taken to reduce the vulnerability.
First, a company may want to separate the electronic and data systems that serve their public website from the office and operational systems. And the operational equipment might be on separate data systems and servers with separate cybersecurity protections. If, for example, the office system is attacked and infected, as occurred recently at Saudi Aramco, the operational equipment and facilities will not be directly impacted and can continue to operate.
Second, a firm should ensure that all software is continually updated so that the latest cybersecurity patches have been uploaded and installed. Experts note that many cyber-events and intrusions were a result of the failure of the IT staff to upload and install the most recent software in a timely manner.
Third, employees, as well as third-party vendors, should be educated as to potential cybersecurity threats and ways to minimize exposure. Access to the computer and data systems, especially the SCADA and operational controls, should be limited to an “as-needed” basis. Third party vendors represent a unique hazard, and security should be reviewed when those vendors complete their assigned projects.
Fourth, an IT specialist, either internal or a consultant, should be designated as the responsible party for overseeing all training and security measures. And they should be given the responsibility to ensure all the software is kept up-to-date. While they need to be given adequate resources to accomplish this task, they should not be given a blank check.
Fifth, data should be backed up and archived as a precaution, in case a cyber-intrusion or lockout should occur. This data should enable a company to restore systems with minimal disruption.
Sixth, the company should have a contingency plan in place with regard to the actions it will take should a cyber-breach occur. If a corporation is involved, the question of when its board of directors will be notified should be addressed in advance. If it is a publicly traded company, the question will arise whether the breach is material for purposes of legal reporting requirements. If so, the event will need to be disclosed publicly.
The amount of capital being invested in the energy sector is substantial and growing. The future of the pipeline and energy sector in the United States remains bright. Cyber-attacks and intrusions are a growing challenge that can be successfully managed by the pipeline industry if it remains vigilant in the future.
Author: Joseph R. Dancy is executive director of the University of Oklahoma College of Law’s Oil & Gas, Natural Resource, and Energy Center. He also serves as adjunct professor and faculty advisor to the Southern Methodist University School of Business student-managed Spindletop Fund.