Cybersecurity in the Energy Sector, Gas Subsector

The difficulty of protecting the Gas Subsector

It is very difficult to protect the entities involved in the Gas Subsector from sabotage and cyberattacks at every step, from production to consumption. Natural gas is produced, stripped of liquids and other impurities, and then transported to gas processing facilities that separate heavier gas components, leaving a product composed almost entirely of methane. The methane is then transported as clean natural gas to bulk storage, industrial consumers, and individual homes. Liquefaction (the process of making a gas liquid) concentrates natural gas into a denser form and enables Liquefied Natural Gas (LNG) to be transported via tankers instead of pipelines.

According to the National Institute of Standards and Technology (NIST), liquefied natural gas (LNG) is natural gas that is supercooled to liquid form and shipped in specialized tankers to terminals and ports throughout the world. From the liquefaction facilities to the marine transportation systems, vessels, and LNG terminals, the production and transport of LNG rely on complex, interconnected, and interdependent IT, OT, and communications networks. A cybersecurity incident involving any aspect of the LNG lifecycle has the potential to affect the safety of the crews, vessels, cargo, and ports.

According to the NIST, LNG systems are vulnerable to cyber-attacks due to intrinsic system risks, which include remotely managed third-party systems and vulnerable onboard technologies (e.g., Programmable Logic Controllers (PLCs), Global Positioning System (GPS), and Automatic Identification System (AIS)). This could lead to overflowing fuel tanks, accidental release of LNG, and other risks that make LNG inaccessible, or cause serious impacts when returned to its gaseous state.

The US Department of Energy (DOE) has developed the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model, which explains the importance of Situational Awareness:

"Purpose: Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP) commensurate with the risk to critical infrastructure and organizational objectives."

"Situational awareness involves developing near-real-time knowledge of a dynamic operating environment. In part, this is accomplished through the logging and monitoring of IT, OT, and communication infrastructure assets essential for the delivery of the function. It is equally important to maintain knowledge of relevant, current cybersecurity events external to the enterprise. Once an organization develops a COP, it can align predefined states of operation to changes in the operating environment. Rapid shifts among predetermined emergency operations can enable faster and more effective response to cybersecurity events."

The insider threat is a major area of concern. According to the Natural Gas Subsector Cybersecurity Capability Maturity Model, "increasing the cybersecurity awareness of the workforce is as important as technological approaches for improving the cybersecurity of the organization. The threat of a cyber attack to an organization often starts with gaining some foothold into a company’s IT or OT systems — for example by gaining the trust of an unwary employee or contractor who then introduces media or devices into the organization’s networks."

"The organization should share information with its workforce on methods and techniques to identify suspicious behavior, avoid spam or spear phishing, and recognize social engineering attacks to avoid providing information about the organization to potential adversaries. For example, an internal web site could provide information about new threats and vulnerabilities in the industry. If information on threats, vulnerabilities, and best practices is not shared with the workforce, personnel may become more lax about security processes and procedures."

The European Union Agency for the Cooperation of Energy Regulators (ACER) was established in March 2011 by the Third Energy Package legislation as an independent body, to foster the integration and completion of the European Internal Energy Market for electricity and natural gas. According to the ACER (February 2023), gas represents 21.5% of EU’s primary energy consumption. It is the dominant source of energy for households (32.1%). Around 40% of households are connected to the gas network. On average, they spend EUR 700 on gas, 2.5% of their average income.

The European Union relies on gas. The protection of the entities involved in the Gas Subsector from sabotage and cyberattacks is of paramount importance for the EU.

Cyber Risk GmbH, a private company incorporated in Horgen, Switzerland, is not affiliated with or connected to the entities referred to above in any way. Cyber Risk GmbH offers training programs in some difficult areas, like the new NIS 2 Directive of the European Union that changes the compliance requirements of many entities in the Energy sector, Gas subsector, and programs that assist the Board of Directors and the CEO in understanding cybersecurity challenges.

The Board of Directors and the CEO of entities in the Energy sector, Gas subsector must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.

Our training programs

Energy Sector, Gas Subsector, Cybersecurity Training.

The NIS 2 Directive as it applies in the Energy Sector, Gas Subsector.

Cybersecurity Training for the Board of Directors, in the Energy Sector, Gas Subsector.
