by Naureen S. Malik and Alex Nussbaum
With hacking attacks mounting against U.S. energy companies, guarding the sector will be a top priority for a new cybersecurity effort, Homeland Security Secretary Kirstjen Nielsen said on Tuesday.
Five months after five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers, Nielsen said a new National Risk Management Center would help government and the private sector better coordinate efforts to protect critical infrastructure.
The center will focus initially on energy, finance and telecom, Nielsen told attendees at a New York conference. The action comes after the energy industry, in particular, has faced criticism from cybersecurity firms for not spending enough to fend off attacks. In April, Symantec Corp. said it's tracking at least 140 groups targeting energy, up from 87 in 2015.
"We are in crisis mode," Nielsen said on Tuesday. "A Cat 5 hurricane has been forecast.''
Russian government hackers compromised dozens of U.S energy companies in 2017, the U.S. Director of National Intelligence said last week in a report that also cited attacks from Iran and China.
The new center is designed to allow industry and the public sector to better coordinate on both reducing risks and responding to attacks, DHS said in a statement released at the conference. The government's response includes a "major" cybersecurity exercise to be held later this year, Nielsen said.
DHS will be critical in helping the private sector fend off assaults, Tom Fanning, chief executive officer at Atlanta-based utility owner Southern Co., told the crowd.
Homeland Security is "the convening arm that can bring together these important sectors of America to help organize and harmonize" the counter-response, he said. "We are interdependent on each other."
The industry's past response to cyberthreats has drawn criticism from some.
While the Transportation Security Administration requests voluntary notifications of "security incidents" involving hacking, there is no mandate and the industry has generally not been in support of mandating notification.
At the same time, two prominent security firms estimated in April that energy companies, from drillers to pipeline operators to utilities, invest less than 0.2 percent of their revenue in cybersecurity. That's at least a third less than the corresponding figure for banks and other financial institutions, according to the consultants, Precision Analytics LLC and the CAP Group.
The low levels of spending by the industry come as it's rushed to adapt new ways to generate more oil and gas at a lower cost following an historic, three-year rout in crude prices.
Over the last few years, the industry has been quickly adding electronic sensors and other monitoring capabilities to track data from 900,000 oil and gas wells, and 300,000 miles of pipelines. Complex computer algorithms at every level of the industry are constantly adjusting the flows of everything from oil and natural gas to electrical power, with automatic valves in place that can shut down flow at a moment's notice in the case of an accident with no human action needed.
Though the attack in March didn't disrupt supply, it served to underscore an ongoing vulnerability to electronic sabotage. It showed how even a minor attack can jump between systems with ripple effects, forcing utilities to warn of billing delays and making it more difficult for analysts and traders to predict a key government report on gas stockpiles.
U.S. intelligence officials have blamed Russia for hacks designed to impact the U.S. election in 2016. But an analysis released in March by the FBI and Homeland Security said that hackers are also conducting a broad assault on the country's electric grid, water processing plants, air transport facilities and other targets on sensitive infrastructure.
"The economy of the world is driven so much by energy," U.S. Energy Secretary Rick Perry said at the conference. "It's our national security interest to continue to protect these sources of energy. "