Natural Gas fuels a third of the nation’s electricity generation, and the strong economics of natural gas are likely to cause its use to widen its use in years to come. Yet the growing reliance on natural gas may increase the risk of electricity supply disruption should pipelines fail due to severe weather, or physical and cyber attacks.
States, federal government and electricity market operators are well aware of this vulnerability, but differ in how immediate they view threats to gas networks to be, and whether they believe regulators should dictate preventive action.
Kleinman Center Senior Fellow and grid cybersecurity expert Bill Hederman talks about the growing dependence of the electric grid on natural gas, and the implications of gas pipeline vulnerability to the reliability and resilience of the electric grid.
Listen to the companion podcast episode on state and federal action to address cyber risk, Grid Resilience in the Cyber Age.
Andy Stone: Hi and welcome to this special episode of Energy Policy Now. Last Tuesday, October 2 we published an episode on electric grid cybersecurity, with the chairman of Pennsylvania’s Public Utilities Commission Gladys Brown. During the podcast we briefly touched on the topic of the grids increasing dependence on natural gas as a generation fuel, and how gas pipeline security has become a concern for electricity sector reliability and resilience.
Following that episode, I had the opportunity to sit down with the Kleinman Center’s own in-house expert on grid security, Senior Fellow Bill Hederman, to talk more at length about pipeline security. That conversation follows here. And I hope you’ll find it an insightful addition to last week’s grid security episode. Enjoy.
Good day and welcome to the Energy Policy Now podcast from the Kleinman Center for Energy Policy at the University of Pennsylvania, I’m Andy Stone. Natural Gas fuels about a third of the nation’s electricity generation. Should the supply of fuel be disrupted, possibly due to severe weather or due to physical or cyber-attack, gas generators could be starved the fuel and electricity supply disrupted.
As we discussed in the companion episodes of this podcast, featuring Pennsylvania PUC Chairman Gladys Brown, the state’s federal government and electricity market operators are all aware of this vulnerability. Where the parties differ is in how imminent they view threats to be, and whether they believe government regulators should dictate preventive action.
Here to talk about the connection between gas pipeline security and the reliability and resiliency of the electric grid, is the Kleinman Center’s Bill Hederman. Bill’s a cybersecurity expert and founder of the Office of Market Oversight and Investigations at the Federal Energy Regulatory Commission, more commonly known as the FERC. Bill. Thanks for stopping by.
Bill Hederman: Thanks, Andy. And, as always, it’s pleasure to be here with you.
Stone: So earlier today, you spoke at an event in Washington D.C., hosted by Real Clear Politics, that focused on the gas industry and potential cybersecurity threats to it. Tell us why gas pipeline risk is gaining attention.
Hederman: Okay, it’s an important issue now that’s growing in importance, because as the entire energy complex becomes aware of the extent of the hostile activity that they’re being subjected to, they realize they need to deal with the issue more. And from the electricity side, there are concerns being raised about the reliability of the gas supply. And the gas industry wanted to respond to that. And so, they helped organize this meeting, it was in a very lovely setting. We were looking out from the Newseum on the U.S. Capitol dome. And it was just like here.
Stone: What were you talking about specifically, this morning,
Hederman: We were talking about the cyber threats to the gas distribution companies and the gas pipelines and what they are doing about it, the presidents of both the American Gas Association, and the interstate pipeline association called INGAA were both there to describe and summarize what their members were doing.
And basically, they pointed out that they take the threats very seriously, that they have been getting more engaged with the federal partners of the Department of Homeland Security, the Department of Energy, and they have their own parallel organizations. So there’s an electricity sector information sharing council, there’s also an oil gas information sharing council. One of the things I noticed was doesn’t sound like there’s still one that brings oil, gas and electricity together to share. That needs to be happening more. I mean, it does happen some but it probably needs some more organized attention.
Stone: So how vulnerable are the pipelines to physical and cyber-attack?
Hederman: Well, since there’s never been a successful cyber-attack on a pipeline, we think it’s pretty difficult. On where we draw a lot of the information on attacks on the electric system, we go to the two incidents in Ukraine. There’s no analogous incident on pipelines, even whether oil or natural gas, but the concern on the electric side is that the gas industry seems more confident than they were as a became initially engaged in an earnest way.
Now that said, gas pipelines do not have the dangers of electric systems in terms of cascading failure. If a section of a pipe goes, you turned some valves and you’ve isolated the problem. When I was on watch at FERC, 15 million people lost their power for days because of a tree hitting a line in Central Ohio. It cascaded through the Northeast. So that is not a serious problem.
The problem that I’m not sure the gas industry is worried about, in the way that the electric industry is. The electric industry is saying, okay, we think we’ve done a pretty good job on our defense perimeter, we have issues, but we’re not sure about the defense perimeter around the gas industry, and their critical input through our defenses. And so we worry about what could happen there.
Stone: Just as a background question, I mean, we have tens and hundreds of thousands of pipelines crisscrossing this country, it seems like it would be so easy to, you know, disrupt that network. Is there any reason why that network has generally stayed pretty secure up until this point?
Hederman: For the most part, there’s great safety taken about the system. It’s pretty easy to detect any anomalies and because of the pressure monitoring, etc, they’re buried. So there are a lot of reasons. But that said, there have been accidents where somebody doing some construction work who forgot to check in with his utility, hit and big line with the backhoe and there could be a big explosion and anyone near the explosion is in grave danger. But it’s again, not something that cascades is an explosion at the site and burns up the gas that was exposed.
Stone: So as gas has become more important as a generation fuel for the electricity industry, concern over the integrity of the gas pipeline network has grown accordingly. How big is this threat to the electricity industry?
Hederman: So you know, we had the bomb cyclone, deep winter storms within the last year. EIA did an assessment of that and concluded that the gas availability did not fail. And in general, everything worked pretty well. PJM, I think, found that their system was in good shape.
Up in New England, where New England has prevented the construction of additional gas pipeline capacity. They ran into some days where there was not adequate, in their minds, gas. The reason there wasn’t was there had been no purchase of firm winter capacity on the pipeline. So it wasn’t a reliability issue is a contract issue.
Stone: That they weren’t, the gas supply had not been contracted?
Hederman: Exactly. But they were able to get through it by carefully preplacing fuel oil in those places. And you most of the dual fired plants can use up to 30 days of fuel oil. Some came close to hitting that. But frankly, if you had matters of health and safety, I’m sure the environmental agencies would grant an exception for that. So it was not, if you will, a physical problem of running into blackouts because they had prepared before the winter.
Stone: As this issue has become bigger, have there been new initiatives to actually specifically address the cyber risk to the gas pipelines?
Hederman: Yes. So INGAA’s board for…
Stone: INGAA being…?
Hederman: INGAA is the Interstate Natural Gas Association, the pipeline trade group. Their board within the last month or so passed a resolution about upping all of their cyber practices and including more board level briefings on cybersecurity and so forth. And the AGA has been far ahead on that, really the entire energy complex largely because their president was a congressman on the intelligence community’s and he was more aware of all of this than others in the beginning.
Stone: It’s interesting the FERC governs interstate pipelines, it governs the interstate electricity grid, but doesn’t actually go during the security aspect of the pipelines, if I understand correctly.
Hederman: Yeah, you could argue about that. The FEMSA group, the pipeline hazards and materials administration worries about problems like dangers on pipelines. And the accidents up in Massachusetts because it involved fatalities included both FEMSA. And the NTSB, National Transportation Safety Board, which deals with any transportation issue that leads to fatal accidents.
FERC does have some authority over the reliability aspects of pipes. And sometimes it’s hard to draw a line between what reliability what safety? And so I mean, they definitely have a role there in terms of guidance, if nothing else.
Stone: Should FERC be more directly involved or have and overarching view of this?
Hederman: Well, I don’t see any reason to amend the Natural Gas Act at this point, I think things are on the right path.
Stone: So this whole issue of pipeline security isn’t free from politics. The Trump administration has singled out gas generators as a possible weak link in our electricity system, due to their reliance on the real time delivery, again, of natural gas via the pipelines.
The administration has used this as a justification for possible rules that would implement that would require electricity market operators such as PJM, and ISO New England to pay coal and nuclear generators above market rates, since they view these resources as fuel secure to maintain these resources in operation. Talk about the reliability and resiliency implications of this.
Hederman: Okay, a lot of the debate here is about semantics, if you will. If you go and do the risk assessment, you’ll see that the vulnerabilities are not materially different. But if you look at the chance for a fuel interruption, if you’ve got two years of nuclear rods on site, or you have 90 days of coal on site, you really don’t have a big risk. But frankly, it wasn’t that long ago that the coal piles for getting very low because unit trains of crude oil from the Bakken crude fields were bumping the coal unit trains off the tracks.
And so it’s not like there’s some biblically guaranteed 90 days of coal at a coal plant. Pipelines when it comes with a firm supply contract, really de minimis examples of interruptions, but it isn’t there. So yes, if everything went into chaos, you might be able to keep the coal and nuclear plants running. And the concept of keeping some diversity makes a certain amount of sense. But we’re actually the most diverse in the mix of different fuels for generation today than we’ve ever been.
Stone: So where do you think regulation is going?
Hederman: You know, I think, if you don’t mind, I go a little broad and say, where is cyber-security going? Because some of that’s regulation. I think the state regulators need to build their capabilities, because they’re the ones that have to watch the individual utilities, whether gas distribution or electric distribution.
You talked about the NERC standards. NERC standards do not apply in the low voltage distribution world. So like all of the smart meters and the internet of things and demand side systems are not really under NERC control and they’re not controlled or overseen. And there are so many potential entry points for malware, etc. And so the state regulators have to pick up the ball on a lot of that. And that will require a building capability.
I’ve proposed, and this is based on work that was partially funded by the Edison Electric Institute, I wanna mention that as I suggest it, but I think that there are these maturity standard that are built on standard frameworks built by NIST, the National Institute of Standards and Technology, by the DOE, the maturity model for cyber security, by NERC, if one of these standards can be grabbed, and I think at key stages it has to be audited by objective and capable third party and not by the mom and pop management consultants that do a lot of auditing for the PUCs, have this objective expert go in to say this utility is that level two, and say you’ve got zero through five. Two may be acceptable and relatively secure, small utility, but utility and Chicago, New York, LA, Washington, you might want a four or five level maturity.
Now that said, you can find the weakest link in this system and get in. We all remember that 9/11 included small town in Maine as an entry point. And so the exact same idea applies here. But we have to build up that capability. In a talk I gave up at MIT recently at the Sloan School, we were trying to explore how do we get a framework in place to move forward and my assertion was, the Cold War found its way to an end because of mutually assured destruction. And after the Cuban Missile Crisis, and people faced that danger, they backed off and found a way to dial things down.
Today, we’re already in a hidden war. But the danger of mutually assured chaos doesn’t seem to be rattling the cages of the leaders the same way yet. So what we’re seeing right now, is everybody engaging in risky behavior. A lot of it is, if you will, normal spy craft, but the victim can’t tell whether it’s spycraft or planting bombs. And that’s the big danger here. But it involves a lot of nation states, it involves a lot of organized crime at this point when you get the ransomware.
So we’ve got to find a way to move forward, I think industry and government have been doing a great job of working together and making progress, we’ve successfully stopped thousands of attacks. Of course, the point is always with bad guys only have to succeed once, but we’re doing a good job. But it’s not going to be something where there, he can stop until there’s some greater agreement that this is a journey where there’s always room for improvement and is always need for improvement.
Stone: Some electricity market operators again, such as PJM, want the FERC to require pipelines to work more closely with the electric power industry and share information that relates to reliability. Where’s that going?
Hederman: Well, the utilities, the oil, the gas pipelines, and the electric utilities have been talking about this for maybe a decade now. It’s largely in my mind an issue of customer relations. And I think that the generators who need the gas at their power plants, and the pipeline should be able to work it out.
Pipelines generally are quite customer responsive. I worked in a pipeline I headed business development at one time, we were very attuned to customers, especially big ones, like power plants. But the power plants want this to be one sided, it seem. And the pipelines are saying that we don’t see any problem with our current business practices. So I don’t think it’s a place for the regulator’s to jump in, if it’s just a matter of customer dispute. If there’s some market power issue then there’s a place where regulators.
Stone: Bill, thanks for talking.
Hederman: You’re welcome, Andy. It was fun. Thank you.
Stone: For more discussion on cybersecurity risks to the utilities industry, listen to my recent interview with Pennsylvania PUC Chairman Gladys Brown, who’s also head of the critical infrastructure committee at the National Association of Regulatory Utility Commissioners, or NARUC. The link to that episode is in our show notes. And for more energy policy research and insights, check out the Kleinman Center website or our Twitter feed @kleinmanenergy. Thanks for listening. Have a great day.