The Rover Pipeline’s corporate parent came under cyber-attack this week, according to Bloomberg News, as did three other natural gas transmission companies. No pipeline operations or safety systems were affected.
Robert Eckman is director of the Center for Cyber Security and Protection at the Cleveland Marshall College of Law. He's also chief information security officer with Cleveland-based MCPC, a technology management consulting company. He says cyber-security in energy companies has often been divided among departments, and poor internal communication can create vulnerabilities. But he also says there are now organized efforts to fix that, including new government guidelines.
“The Department of Energy actually has stepped up to the table with oil and natural gas cyber security to bring together information technologies, security and operational technologies into a common framework. That then allows them to prioritize their cyber security capability. So we are seeing movement in that space for certain.”
Ekman, who helped develop cyber security for nuclear power plants including Davis Besse and Perry in northern Ohio, says the whole energy industry must recognize the growing risk of cyber-attack, and take steps to reduce it.
For example, the communications systems of Energy Transfer Partners that were hacked actually belong to somebody else; an outside vendor that handles computer-to-computer interchanges for customer ordering and billing information. Eckman says such arrangements are increasingly problematic and regulators and the energy industry itself are requiring changes.
“Third party entities that support these critical infrastructure companies are now being held to the same standards, especially in the nuclear space. But we’re also seeing it in the fossil power generation and other critical infrastructure areas. I suspect the same thing will begin to happen in the oil and gas spaces as well."
Energy Transfer Partners is one of the nation’s largest pipeline and energy infrastructure companies.
Note: This article has been updated to change "your" to "their" in referring to cyber security capability in the first quote from Robert Eckman.
