What does the federal government need to do, to better help the oil and gas industry secure the vital national infrastructure it owns and operates?
That was the question weighed by panelists at a discussion this week on the sidelines of the annual RSA cybersecurity conference. The panel was put together by the American Petroleum Institute and the University of Chicago Cyber Policy Initiative.
Recent reports, like the Director of National Intelligence’s Worldwide Threat Assessment, have painted a dire picture of the threats facing American critical infrastructure. And a recent House Committee on Homeland Security hearing aired criticism of how the Transportation Security Agency has handled its responsibilities to help ensure the cybersecurity of the nation’s pipeline system.
The panel brought together former and current officials, such as retired Brig. Gen. Francis X. Taylor, the former undersecretary for intelligence and analysis at the U.S. Department of Homeland Security, and Bob Kolasky, the director of the new National Risk Management Center at DHS. The panelists concluded that there needs to be more, and better, information sharing regarding cybersecurity vulnerabilities and intelligence between government and industry, and within government itself.
With more than 50 years in security of one form or another, Taylor brought a unique perspective to the panel. He suggested addressing cybersecurity vulnerabilities through a lens similar to the one used in counterterrorism. Unlike with terrorism, there has not yet been a major event to catalyze government and industry to join forces against cybersecurity vulnerabilities. As with many issues across the federal government, the current approach has been fragmented.
Taylor suggested that there needs to be a mechanism within DHS to allow for more efficient information sharing, not just from the government to industry, but also from those who directly manage the IT and OT components of critical infrastructure operators. He compared this to the counterterrorism efforts where cops in the community are empowered to share intel, but also have access to the intel the federal government collects.
As the conversation shifted to discuss the current information sharing environment, Suzanne Lemieux of API pointed out that the oil and natural gas companies operating a sizeable portion of the energy critical infrastructure are private companies facing threats from foreign nation states and threat actors with the support of national militaries and governments. Lemieux highlighted that today, those same companies in the U.S. receive limited details regarding threats and that current information sharing practices are insufficient. “Without improved information sharing and increased collaboration between industry and the government, we’re leaving private companies to fend off foreign militaries by themselves,” said Lemieux.
“The industry has improved its culture to foster greater information sharing and has had success through the [Information Sharing and Analysis Centers, or] ISACs,” she added. “Now we need to work with our government partners to continue the process.”
Kolasky, asked if information sharing has improved across the federal government, concurred with Lemieux and Taylor that more work needed to be done. But he also pointed out that to date, DHS has made some improvements, especially through establishing the national network of fusion centers. Phyllis Lee, senior director of controls at the Center for Internet Security, added that even the NSA, where she worked for more than 20 years before joining CIS, has improved its information sharing practices, at least within the federal government.
But while there has been some progress, everyone on the panel agreed that there could be more.
One of the areas most vulnerable to cyber attacks, say experts, is the supply chain that feeds into critical infrastructure operations. Dr. Allan Friedman, the fifth panelist and director of cybersecurity initiatives at the National Telecommunications and Information Administration, part of the U.S. Department of Commerce, discussed how his current initiative at NTIA to increase transparency in software components could help improve supply chain security.
He is coordinating a multi-stakeholder process regarding a “software bill of materials,” which would essentially list all the components of various software products so that companies can be more aware of what is part of their systems. Kolasky was quick to point out that this would not be an end-all solution, but agreed that it would be a positive step toward increasing the security of the supply chain.
Across the panel, the experts maintained a positive outlook on improving partnerships between the private industry operating our critical infrastructure and the federal government. Through ISACs, Sector Coordinating Councils, and other similar mechanisms, there is some information sharing already occurring. Now with the National Risk Management Center, there is a dedicated organization within DHS’s newly minted Cybersecurity and Infrastructure Security Agency that is actively conducting risk assessments on the cyber risks facing not just oil and natural gas companies, but other vital industries like financial services, telecommunications companies, and ports.
For API, the panel was a much-needed open conversation, and showed one facet of improving the industry’s cybersecurity posture, as the oil and natural gas companies continue evolving to meet the changing cyber threat environment.
This report was prepared by Global Cyber Policy Watch, which attended the panel on March 4, 2019.