Energy Infrastructure’s Cybersecurity Is a Big-Picture Issue

In the wake of several high-profile cyberattacks in recent years, heightened attention has been paid to the security of U.S. infrastructure, including its energy grid.

A report out recently adds to a body of evidence that has grown significantly thanks to the vigilance of both private industry and public regulators. And while the study is a useful exercise in identifying potential challenges, the public should exercise caution before calling for rigid top-down fixes.

The report, issued by the Government Accountability Office, comes down hard on the Transportation Security Administration and its oversight of pipeline security. Among its findings, the GAO analysis recommends tightening protocol standards, beefing up oversight personnel and raising documentation standards. All are laudable goals but also the kind of bureaucratic speak for measures that, without industry input, could ultimately slow down the private sector’s deployment of technologies and best practices necessary for strong energy systems.      

In its emphasis on government supervision, the GAO report missed an opportunity to recognize the steps industry has taken, and continues to take, to bolster the U.S. energy grid. That involvement should not be minimized.

The private sector has been a partner in efforts to defend against cyberattacks, and understandably so. Pipeline operators and builders have a vested interest — both financially and from a public relations standpoint — to ensure the reliability of their networks. And, unlike the wheels of government, private businesses have proven adept at bringing online new technologies that, to date, remain one step ahead of would-be saboteurs.

Top-down solutions, which are implicit in the GAO report, risk turning pipeline developers and operators from allies into targets. The effect would be to discourage private investment — the chief driver of new development, enhanced technologies and best practices — and to push industry away from the table, which would be a big disservice to the shared goal of improving cybersecurity.

Over just the past few months, the energy industry has made significant contributions to pipeline security. In October, the American Petroleum Institute released a joint report that documents the resilience and preparedness of the country’s oil and natural gas assets against cyberthreats. API is currently in the process of updating and expanding industry cybersecurity standards.

Additionally, TSA introduced an initiative with the Department of Homeland Security and the Department of Energy to work with companies to assess pipeline vulnerabilities to cyberattacks. The program provides a valuable opportunity to alert operators to risks and helps them develop solutions.

This month, the president’s National Infrastructure Advisory Council released a study on the country’s ability to respond to and recover from catastrophic power outages. The report invited industry to provide input on corrective measures.

This kind of collaboration is one of many ongoing undertakings and mostly represents only public-facing efforts. But it underscores the value of strong partnerships between business and regulators.

Removed from the public eye, pipeline developers are doing even more to stay ahead of cyberthreats. Regulators should be doing all they can to encourage such work, not risk slowing it down with cumbersome rules and procedures that lack industry input.

It bears mentioning, too, that the GAO report draws its conclusions from a sampling of just 10 pipeline operators. There are hundreds of pipeline operators across the country and many more stakeholders at each stage of the production process.

Sweeping rule changes based on such a small data set will inevitably yield inefficient solutions or reach incorrect conclusions. At the very least, policymakers would be smart to take a deeper dive into the issues and welcome industry partners to be part of the process.

Cyberattacks pose a risk to the United States’ energy grid. Regulators and industry leaders have done a good job of proactively getting in front of the issue by developing and implementing new technologies and best practices to safeguard our networks.

As threats evolve, so too do our defenses, and studies that contribute to our understanding of risks help inform the process. Nonetheless, policymakers and the public should consistently seek the broadest range of inputs and partner with private industry to design solutions.

Col. Tom Magness (U.S. Army, retired) served as a commander in the U.S. Army Corps of Engineers, and he is the founder of the Eagle Leadership Group and currently acts as a strategic adviser to the Grow America’s Infrastructure Now Coalition.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.