Remarks of Deputy Administrator Tristan Brown Before the American Petroleum Institute Control Room and Cybernetics Conference
Tuesday, May 3, 2022
Good afternoon. Thank you for that introduction and for the opportunity to speak to you today regarding PHMSA and the important actions we are taking to advance our mission to protect people and the environment. For those of you unfamiliar with PHMSA, the mission of the Pipeline and Hazardous Materials Safety Administration—PHMSA—is to protect people and the environment by advancing the safe transportation of energy and other hazardous materials that are essential to our daily lives.
In that vein, we oversee the safe design, operations, and maintenance of our nation’s nearly 3 million miles of oil, gas, and other hazardous materials pipelines. This includes the oversight of pipeline control rooms and the operational (or “OT”) side of pipeline operations. For context, as many of you know, the Transportation Security Administration has oversight of the “IT”, cybersecurity, and physical security side of pipeline operations.
Since the beginning of last year, under Secretary Buttigieg’s leadership, PHMSA has been focused on infrastructure investments, maintaining and strengthening our safety mission, and ensuring the U.S. maintains the most efficient and competitive transportation system in the world. To this end, we’ve been integral to the whole-of-government approach to mitigating unnecessary greenhouse gas emissions, and costly environmental impacts.
In the United States, nearly 2/3 of the energy we consume is transported via pipeline, and, I am proud of PHMSA’s role in contributing to the trend of pipeline safety, which has been improving in recent years.
This is particularly impressive because over the past few decades, growth in energy production in the United States has increased to record levels. Concurrently, U.S. exports of energy have grown—which the Energy Information Administration just noted a few weeks ago that record export levels for natural gas were reached last year. This has placed new demands on our nation’s almost 3 million miles of pipeline transportation and storage infrastructure. To move these resources safely and efficiently to market, it is important that the integrity of the pipeline infrastructure and facilities like LNG terminals, that I will be visiting tomorrow, be maintained, and the public have confidence in safety.
Achieving a sufficient level of safety, environmental protection, and efficiency, requires adequate investments to identify risks to pipeline operations and to mitigate such risks. And it’s important to note that an increase in safety nationally, while impressive, is meaningless to anyone who is directly affected by a pipeline failure in their own backyard.
This is one reason why the adoption of SMS is so important—which I know PHMSA has worked with API and others to advance. The adoption of a Safety Management System approach to operations allows pipeline operators to harness the nearly constant advances in hardware, software, and computational capabilities, which present significant safety, environmental, and efficiency benefits. However, these technologies almost exclusively, and inevitably, come with increased IT-related risks.
Nearly a year ago to the day, we experienced first hand how serious the consequences of these new IT-related risks can be to our economy and our communities—when Russian hackers launched a ransomware attack on Colonial Pipeline.
Since then, there have been many lessons to learn—both for government entities as well as private sector entities. One overarching and encompassing lesson is the need for increased coordination between government entities and the private sector. Under that umbrella lesson is a need for improved communication between the government and private sector entities, improved communication and coordination between private sector operators, and improved communication on a common path forward from both the government and private sector—particularly when it comes to government regulation. To put it simply, a go-it-alone approach or a reliance on one’s own ability to “self-regulate” is not a recipe for the sector’s, or for our nation’s, success.
From PHMSA’s perspective, as I alluded to earlier, we have broad statutory authority to prescribe standards governing the safe operation of pipeline facilities. While we don’t have direct authorities to regulate in the cybersecurity space, there is clearly a nexus between cybersecurity and the safe operations that we oversee.
To this end, we inspect and enforce three components of pipeline operations with a cybersecurity overlap:
- Pipeline control room regulations;
- Integrity management plan requirements; and
- Emergency Response plan regulations.
We coordinate with TSA and other Federal agencies to ensure there is a collaborative and efficient approach to monitoring, inspecting, and promulgating regulations or directives related to cyber security in the pipeline industry. PHMSA provides TSA with incident reports, incident details, and operator contact information for security- and cyber security-related incidents received from the National Response Center or directly from operators.
More broadly, many offices across the Department of Transportation (DOT) work together to manage cyber security risks. DOT’s Office of Intelligence, Security, and Emergency Response engages with the National Security Council and interagency partners on a Natural Gas Pipelines Industrial Control Systems Cybersecurity Initiative and other work to tackle cyber threats.
DOT’s Policy office coordinates cyber security policy implementation across different modal operating administrations. DOT’s Research and Technology office and Volpe National Transportation Systems Center support DOT’s operating administrations to conduct and invest in cutting edge research, and pursue initiatives to address cyber security threats.
Finally, DOT’s Office of the Chief Information Officer (OCIO) manages internal cyber security initiatives and has led DOT’s response to the President’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028). OCIO is recruiting new cyber security talent, has begun deploying new cyber-capabilities, and has developed new proposals to protect confidential data.
Given this breadth of efforts—encompassing just one of many federal government departments—collaboration and communication among Federal agencies is clearly vital to pipeline safety and security. To this end, PHMSA continues to work closely with TSA and the Cybersecurity and Infrastructure Security Agency (“CISA”) on cyber security incident information sharing to ensure they have information that may be relevant to their regulatory activities. CISA has the overarching lead on cyber security risk across our transportation system. CISA provides alerts, warnings, advisories, guidance, and resources to help critical infrastructure owners and operators bolster their cyber defenses.
DOT and DHS amplify CISA’s outreach to sector stakeholders and encourage them to adopt the voluntary National Institute of Standards and Technology Cybersecurity Framework, which was created through collaboration between industry and government.
Protecting against malicious cyber actors requires the Federal Government to partner with the private sector, which owns, operates, and manufactures most of America’s pipeline systems. The private sector has the responsibility to build and operate systems securely, and protect critical infrastructure in partnership with the Federal Government.
When the Colonial Pipeline cybersecurity hack occurred on May 7th of last year, President Biden directed a whole of government response. Under the leadership of Secretary Buttigieg, DOT-agencies acted quickly to facilitate the transport of fuel to affected regions.
PHMSA engaged around the clock, monitored the safety of the pipeline, and worked with the pipeline company to ensure a safe restart. As a result of the close collaboration with PHMSA, within days, the pipeline was able to move nearly a million barrels of fuel on a manual basis.
This was a quintessential example of how IT issues can directly affect OT issues. As many of you know, a manual restart of a pipeline system is no easy task—and requires careful planning and execution. To this end, it is the responsibility of operators to ensure their integrity management and emergency response planning accounts for cyber attack contingencies—including where applicable, manual restarts. This bears repeating. And we know, if you are failing to plan, you are indeed planning to fail.
Whether it is a cyberattack, a pipeline failure, or an act of God, these incidents spotlight the importance of trusted and timely information-sharing between pipeline operators and government entities like PHMSA.
Years before the Colonial Pipeline cyberattack, PHMSA inspectors began incorporating elements of security awareness in concert with control room inspections, introducing a series of voluntary discussion points with operators to raise their awareness of internal or external threats. When we started these discussions in 2019, 50 percent of operators declined to engage in the cyber discussions with us. After the 2021 cyberattack, no operator has declined our invitations to discuss cyber-related issues. So it’s fair to say that communication has improved in the last year. But it shouldn’t take an incident like this to have constructive dialogue. Rather, we need to continue to build on this improved communication and constantly be thinking about ways to improve cooperation and collaboration.
On our end, as I noted earlier, PHMSA and the DOT have worked to improve communications across agencies. PHMSA provided feedback during development of, and participated in, a TSA Surface Cybersecurity Tabletop Exercise earlier this year. The exercise assessed the ability and readiness of industry and government to communicate and coordinate with each other in response to an escalating cyber threat environment involving Nation-State threats. The exercise identified key strengths, key areas for improvement, and updates in procedures, and assessed the coordination between industry and Federal agencies.
Beginning in 2022, and with respect to lessons learned during the Colonial Pipeline cyber attack, PHMSA is also exercising its authorities to inspect and enforce components of pipeline operations that have a direct nexus to cyber security and that build on TSA’s directives and ensure pipeline operations are as insulated as possible from cybersecurity threats.
From meetings with leaders across the industry, it is apparent that many entities understand the risk that cyber threats pose to pipelines. But for many, translating that understanding into robust internal measures is an ongoing challenge; particularly, when threats are evolving by the day, week, or month.
And everyone needs to be aware that the best preventative measures—when it comes to cybersecurity—involve close collaboration between the public and private sectors—as well as consistent upgrades to pipeline infrastructure, on both the IT and OT side. Unlike in years past, threats are coming too-quickly and are too-sophisticated to “go-it-alone.”
PHMSA is focused on the future when it comes to infrastructure upgrades and helping ensure America is prepared for the deployment of new energy-related commodities. This includes strengthening our pipeline systems to be prepared for the transport of hydrogen, carbon dioxide, and other renewable fuels, which pose new challenges but also pose potential opportunities for America to help lead global efforts to mitigate climate change while also continuing to leverage the largest and most sophisticated pipeline system and most talented workforce in the world.
Of course, PHMSA does not choose which commodities will see an increase in demand, either nationally or globally—but we are charged with preparing and being ready for changes in market demands.
For example, PHMSA and its state partners currently provide safety oversight for more than 5,100 miles of CO2 pipelines. While much of that is used for tertiary recovery in traditional forms of energy commodities in the Southwest, there are many new projects under development focused on carbon capture, utilization, and sequestration efforts across the country.
We must learn from accidents like the one that occurred near Satartia, Mississippi, in 2020. This egregious incident provides lessons across the board—from anticipating geohazards, to emergency planning, to emergency response.
We know that some of you have also been impacted by similar accidents involving ground movement, even more recently. Based on these accidents, we will be issuing an updated national Advisory Bulletin, on the protection of pipelines from geohazards… in order to get the word out on the trends we’re seeing and the need to monitor and mitigate geohazard risks.
At PHMSA, we are also focused on leveraging research and technological innovation to advance pipeline safety and environmental mitigation.
We’ve awarded $2.3 million dollars for funding of 4 hydrogen research projects addressing welding and material issues. The knowledge transfer from these projects was documented in American Society of Mechanical Engineering (ASME) B31.12 standard on Hydrogen Piping and Pipelines.
Building on this success, we have several future research activities in the works. Through our Core Program and our Competitive Academic Agreement Program (“CAAP”), PHMSA is now soliciting 5 new research topics. These are to be awarded before the end of the fiscal year and will fund nearly four and a half million dollars in research. The topics will focus on gas storage safety, integrity inspection, and leak detection. Related to carbon dioxide transportation, the Core Program and CAAP are soliciting 2 new research topics, estimated at $2.5 million. These research topics address potential safety impact radius calculation, and investigating pipe design, welding, and materials.
We’re excited about this research and know that it is critical to improving safety and helping mitigate environmental impacts.
I’d like to conclude on the theme that I mentioned earlier—communication. Since joining the agency at the beginning of last year, I’ve attempted to make myself available to any and every stakeholder in the pipeline and hazardous materials spheres. I know the agency has a long history of having an open door to discuss issues—whether they are imminent or long term issues.
Recently, I joined the Transportation Security Administration in a dialogue between regulators and regulated entities in the pipeline space—a chance to hear directly from pipeline executives regarding new efforts to improve our cyber defenses in the pipeline sector. From some operators we heard feedback that is common in Washington DC—along the lines of “the government’s regulatory demands are burdensome and incompatible with the way we in private industry currently operate.” This sort of feedback was in stark contrast to other operators who offered that “while we share the goals of some of the new security directives, we think they can be improved from an implementation perspective by doing X, Y, or Z.” My feedback, on these two types of communication is that the latter is far more constructive and helpful in advancing our common goals. The former, comes from an era where operators might have been more confident in their ability to go-it-alone. But that era is over.
This sentiment was echoed last week when PHMSA’s office of chief counsel visited with members of AOPL’s Legal Committee. There, members of AOPL asked, “what are we doing well”? A great question and one that I think we should all consider as we work towards common goals of improving safety and security of our nation’s pipeline system and delivering improved results in the form of efficiency and environmental and safety impacts for the American people.
Two quick answers to that notion of what are you doing well: one, continuing to push for and widely adopt SMS; and secondly, continuing to engage with PHMSA in the cybersecurity dialogues that we initiate. There is more work to do on both fronts and PHMSA will continue its part on both fronts going forward.
Thank you again for inviting me to speak today.