February 2020, Vol. 247, No. 2

Executive Profile

Meet INGAA’s New Security Director

Michael Isper is the new director of Security, Reliability and Resilience at INGAA. He began his energy career in the environmental and hazmat compliance field while at a mid-sized utility in Ohio, and later in Virginia at Dominion Energy.

His transition into the security world began in 2006 when the Chemical Facility Anti-Terrorism Standards (CFATS) program was proposed by the Department of Homeland Security. At the time, he coordinated the hazardous materials compliance efforts for Dominion and was asked to steer the company’s CFATS program development.

That led to a great security compliance opportunity within Dominion’s Corporate Security team. When TSA established its Pipeline Security Guidelines in 2010, he led Dominion’s pipeline security program for their Natural Gas Transmission and Distribution operations. 

The director of security position at INGAA was “a fantastic opportunity not to be missed,” Isper said, because it enabled him both to move back to private industry and to continue his energy sector security career. 

PG&J: What do INGAA members cite as their top priority in improving their companies’ cyber-security programs? 

Isper: Improving any program is a continuous process. You’re always evaluating risk and balancing that against safety, operations, security, IT, business needs, modernization and other priorities. 

While every company is unique, and that’s the case for INGAA’s members, I would say that the overarching priority for pipeline cybersecurity programs has two prongs.  The first prong is a holistic strengthening of cyber-resilience through threat detection, incident response, and vulnerability assessments. 

The second prong is embracing threat, vulnerability and intrusion information sharing as a collaborative industry-federal government necessity – understand information, act on that information, and share the information.

PG&J: What is the biggest obstacle for an operator to overcome in improving a cyber-security program? 

Isper: Hand-in-hand with program improvement priorities come the obstacles. It’s a double-edged sword.

Bridging the typical information technology-operational technology (IT-OT) business unit separation gap through each unit understanding the other’s detection, response and remediation limitations is a challenge. An effective solution or response for one unit may not work for the other.

PG&J: Does INGAA take a position on whether federal cyber-security oversight should remain with the Transportation Security Administration (TSA), or possibly be shifted to the Department of Energy (DOE)?

Isper: Because federal cyber-security efforts touch many agencies, such as TSA, DHS and DOE, strong coordination across the pipeline industry and our sector is needed to combat the nation-state threats targeting U.S. critical infrastructure.  

The Aviation and Transportation Security Act vested TSA with authority over pipeline security and the 9-11 Recommendations Act further solidified TSA’s security mission. Consequently, INGAA and its members have been closely engaged with TSA’s security program over the last decade. 

Industry encouraged TSA to build up its cyber capabilities by tapping expertise from other DHS offices, such as the Industrial Control System – Cyber Emergency Response Team (ICS-CERT) and Department of Energy laboratories such as Idaho National Laboratory. This outreach informed TSA’s March 2018 Pipeline Security Guidelines update, which included the Identify, Protect, Detect, Respond, and Recover pillars of the NIST Cybersecurity Framework. Industry is looking forward to TSA updating its guidelines to incorporate the “Cyber Supply Chain” found in the more recent NIST Framework.  

The TSA Pipeline Cybersecurity Initiative – a joint program of TSA and the DHS National Risk Management Center – also was a product of the collaboration with other agencies encouraged by industry. This program leverages the staff and cyber expertise of ICS-CERT with the pipeline security and operations experience of TSA to conduct in-depth cyber-assessments of pipeline facilities. 

TSA also conducts Corporate Security Reviews, which assess pipeline operators’ enterprise-wide security programs.

As the sector-specific agency for the energy sector, DOE brings a robust cyber skillset to the picture. Using its technology research and development capabilities, coupled with the National Labs, DOE is looked to for cyber-security innovation and solutions, as well as energy sector leadership with the Government Coordinating Council. 

PG&J: How do INGAA and its members feel about a move toward mandatory requirements vs. voluntary oversight in protecting pipelines from cyber-attacks?

Isper: INGAA supports federal initiatives and voluntary frameworks that promote industry and government coordination, collaboration, and information sharing. We believe that such approaches allow our industry and federal partners to be agile and responsive in the face of threats.   

If Congress determines that mandatory standards are needed, we encourage TSA and others to consider the uniqueness of cybersecurity risk and mitigation as opposed to other areas of pipeline risks. The threats we face can change quickly, making it important to avoid standards that are overly prescriptive and do not allow for flexibility.

INGAA believes that a well-managed voluntary program can be effective at mitigating risks to the pipeline industry by providing the flexibility needed to update practices rapidly; this allows operators to tailor specific practices to the unique environments of their systems, and incentivizes information sharing and collaboration between the government and private sector. 
