This week’s Pipeliners Podcast episode features first-time guest Jim Linn of AGA and DNG-ISAC discussing pipeline cybersecurity, analysis, and information sharing.
In this episode, you will learn about the importance of cybersecurity for the pipeline industry, how information is gathered to support ISAC, and how the DNG-ISAC determines potential cybersecurity threats. You will also learn about cybersecurity progress made in the industry from several years ago until today.
Pipeline Security: Show Notes, Links, and Insider Terms
- Jim Linn is the CIO for the American Gas Association (AGA) and Executive Director of DNG-ISAC. Connect with Jim on LinkedIn.
- AGA (American Gas Association) represents companies delivering natural gas safely, reliably, and in an environmentally responsible way to help improve the quality of life for their customers every day. AGA’s mission is to provide clear value to its membership and serve as the indispensable, leading voice and facilitator on its behalf in promoting the safe, reliable, and efficient delivery of natural gas to homes and businesses across the nation.
- DNG-ISAC (Downstream Natural Gas Information Sharing and Analysis Center) serves natural gas companies by facilitating communications between participants, the federal government, and other critical infrastructures. DNG-ISAC promptly disseminates threat information and indicators from government and other sources and provides analysis, coordination, and summarization of related industry-affecting information.
- Cybersecurity is the protection of computer systems and networks from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
- Certified Information Systems Security Professional (CISSP) is an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)².
- SCADA (Supervisory Control and Data Acquisition) is a system of software and technology that allows pipeliners to control processes locally or at remote locations.
- Department of Homeland Security is the U.S. federal executive department responsible for public security.
- Department of Energy is a cabinet-level department of the United States Government concerned with U.S. policies regarding energy and safety in handling nuclear material.
- Department of Defense is an executive branch department of the federal government charged with coordinating and supervising all agencies and functions of the government directly related to national security and the United States Armed Forces.
- Federal Bureau of Investigation (FBI) is the domestic intelligence and security service of the United States and its principal federal law enforcement agency.
- Interstate Natural Gas Association of America (INGAA) works to facilitate the efficient construction and safe, reliable operation of the North American natural gas pipeline system.
- Canadian Gas Association (CGA) is the voice of Canada’s natural gas delivery industry. Its members are distribution and transmission companies, equipment manufacturers and suppliers, and other service providers.
- IT/OT convergence is the integration of IT (Information Technology) systems with OT (Operational Technology) systems used to monitor events, processes, and devices and make adjustments in enterprise and industrial operations.
Pipeline Security: Full Episode Transcript
Russel Treat: Welcome to the Pipeliners Podcast, episode 145, sponsored by Burns & McDonnell, delivering pipeline projects with an integrated construction and design mindset, connecting all the project elements, design, procurement, sequencing at the site. Burns & McDonnell uses its vast knowledge and the latest technology with an ownership commitment to safely deliver innovative, quality projects. Learn how Burns & McDonnell is on-site through it all at burnsmcd.com.
Announcer: The Pipeliners Podcast, where professionals, Bubba geeks, and industry insiders share their knowledge and experience about technology, projects, and pipeline operations. And now, your host, Russel Treat.
Russel: Thanks for listening to the Pipeliners Podcast. I appreciate you taking the time, and to show that appreciation, we give away a customized YETI tumbler to one listener each episode. This week our winner is Regina Davis with Frontier Natural Gas. Congratulations, your YETI is on its way. To learn how you can win this signature prize pack, stick around until the end of the episode.
This week Jim Linn, the CIO with the American Gas Association and Executive Director of DNG-ISAC joins us to talk about cybersecurity, analysis, and information sharing.
Jim, welcome to The Pipeliners Podcast.
Jim Linn: Thank you, Russel.
Russel: You’re a guy who has a lot of initials after your name or in your title. Probably a good place to start here is tell us a little bit about yourself, and your background, and maybe what all those initials mean.
Jim: Thank you, Russel. My name is Jim Linn. I work for the American Gas Association. I serve as the Chief Information Officer. I’ve been with AGA for 22 years next week.
I have spent all that time in that capacity. In the last 10 years, much of my time has been devoted to not only internal AGA information technology, but also serving the natural gas distribution industry as a cybersecurity lead person.
My primary cybersecurity focus would be on information technology cybersecurity. I have some colleagues who also work with me. As a team, we serve security for the industry.
In terms of all those initials, I’ve been blessed with AGA supporting me, pursuing a variety of education and certification. Probably the capstone one would be CISSP. There’s a variety of others.
I enjoy security and cybersecurity. I like learning new things. I’ve been able to put as many letters back there as you can fit on a straight line across an email.
Russel: There you go. That’s one of the things about the cybersecurity discipline in particular is there’s a need to get those certifications and keep them current just because it moves so dadgum fast.
Jim: That’s right. It doesn’t stop.
Russel: In particular, I wanted you to talk a little bit about the DNG-ISAC.
Jim: Yes, sir. The DNG-ISAC, that’s our affectionate name for it. It’s the Downstream Natural Gas Information Sharing and Analysis Center. All of the critical infrastructure sectors in the United States have one or more ISACs. It’s an information-sharing arm that provides threat information to that sector.
Within energy, we’re one of three ISACs. There’s also an ISAC for the electric industry, one for the oil industry. We serve the natural gas industry thoroughly from distribution and transmission, both in the United States and Canada. Our goal is to provide both cyber and physical threat information to our participants.
Russel: What is the nature of the threat in the midst of our current reality? As we’re recording this, we’re in the third month of the response to the COVID pandemic. We’ve got a lot of things going on with demonstrations and such.
What do you think the current nature of the threat is from a security standpoint?
Jim: As usual, there are threats coming from multiple areas. I think, at the current time, I would dial that in to specifically there are threats related from COVID. Mainly would be geared towards either ransomware or other types of threats that are trying to skim money from people. There are also more concerning threats with the social justice unrest that we have experienced.
I think there’s collateral damage there, at times, when groups of people are upset and gathered. There are objects in certain places that it becomes worth damaging. That has effects to it that could affect our industry.
More broadly, we’re always out looking for foreign threat actor threats. That’s been something that’s of greatest concern to us. There have been cases where foreign threat actors have, in other countries, completely damaged internal computer systems to make them nearly irreparable and requiring rebuild from scratch.
There have been other issues that have occurred, like threat activity that would be physical protest in nature regarding pipelines that has prevented work from pipelines to be developed. Really some dangerous things where people are firing high-caliber weapons against pipelines.
It varies. We try to stay in front of all of that reporting.
Russel: I think there’s a couple of things about this that I want to say. My background’s in controls, automation, SCADA, that sort of thing. Certainly, when it comes to the critical information or the critical operating systems around pipelines and the cybersecurity issues there, I’m fairly knowledgeable.
One of the things that always amazes me is the nature of the threat and how amorphous it is. The threat is constantly evolving in real-time. For those that work in that world, they know that, but for those that aren’t working in that world, we are protected from having visibility to that, to a large extent.
If somebody has a good program in, we, as users, don’t really ever see any of that stuff. Is that a fair commentary, you think?
Jim: It is. I think what you might be getting at is the general public has little visibility into what’s going on behind the scenes.
Jim: That’s probably good. We turn on the stove and the gas is there. Everything is working the way it should. What it takes to get it there and protect it to get it there, nobody really knows.
This sounds kind of crass. Nobody really cares. They just want it to be there. It’s our job, behind the scenes, to make sure that is there and they don’t have to worry about that.
Russel: I think that was partly what I’m getting at. I think there’s a second thing I’m trying to get at, as well, along that same vein is that it’s easy for those that work in pipelining, and particularly around gas utilities, to understand the customer and their sense of it ought to just work.
We, as people who are working in the business and are using computers, and control systems, and SCADA, and all that kind of stuff to operate these systems, we do the same thing without really understanding what all goes on in the background to make those systems work. That’s the point I was driving at.
Jim: That’s true, too. I’m not sure if this is specifically where you’re dialing, but in working through meeting with many of our members in the last 10 years, the folks who run SCADA and control systems to keep the gas flowing, there are often a different group of people who are assigned to protect those systems, and learning to work together so that an information technology professional that is skilled in protecting that hardware, to understand the nature of making sure that it’s running all the time.
Some of those disciplines are fighting against each other. Protection and running all the time can be two different things. That’s challenging to stay on top of and to make sure it is delicately balanced so that both of those things happen.
Russel: Yeah, exactly. Again, I think that’s something that every time I do a podcast in this general domain I try to emphasize because I really want to try and sensitize people that are working with the control systems why this issue of cybersecurity is such a dadgum big deal.
Really, the people who are most likely to see something that’s going sideways first are the ones that are users. It’s not the protection professionals, because what they’re looking at is different I guess is what I’m trying to say.
Jim: Yes. For someone whose responsibility is to make sure that the gas flows all the time, when another professional comes to them and says, “We need to take your system down over the weekend to do maintenance,” that can be very troublesome.
There’s a real give and take between, “How do we plan to take this offline so you can do the work that you need to do and I can make sure that the gas continues to flow?” and understand the importance of why we need to do that.
That system that we need to maintain is currently such that if we don’t, it’s vulnerable. It could be taken offline.
Russel: The tricky bit of that is your threat actually increases when you have more demands on your system.
Russel: Because the nefarious actors know that.
Jim: They know far more than they ought to know.
Russel: Exactly. Let’s unpack the ISAC part of this, so the information sharing and analysis. I think the first question I’d want to ask is, what information are you gathering to support that ISAC function?
Jim: We are gathering, I’d say, of what we report on it is predominately information that is shared from the federal government. There are many sources of federal government information from the Department of Homeland Security, the Department of Energy, the Department of Defense, and FBI. There’s other sources, also.
I struggle with naming three-letter acronyms because someone’s going to be upset that I didn’t mention theirs.
We have tremendous government partners. We are very grateful that they do all of the intelligence and analysis work that they do to be able to present to us information that we can then take, and analyze, and share with our participants.
We also get information from other sectors. We’ve worked closely with water sector, national health sector, with the financial services sector, and others. Again, I’m careful calling out particular names because we’ve worked with many other sectors as well, have great relationships with them.
We cull all of this information together and then we listen to our participants. Our participants also share what they’re seeing on their local systems and help us to understand whether they may believe they’re being targeted or attacked from some outside source and correlate that with the other reporting that we’re getting.
As a whole, we’re pulling all of this information together and coming up with a picture that we can then provide to the industry participants so that they know how best to protect their systems.
Russel: I think a couple of comments I’d want to make about what you just said there, Jim, is the first thing about the U.S. government and its programs. I have some knowledge and I participate in some of those. This is actually one of the things our government does actually quite well is pull this information together and keep it current.
That’s an important thing, but one of the challenges, there’s just so dadgum much. I think that leads to the question of, how do you do the analysis? Pulling all this stuff together and getting down to, what matters to gas utilities? What matters to downstream natural gas out of all this information coming from all these various sources?
Jim: We’d like to think that we’re superhuman, but that’s really not true. The thing that happens is over a period of time an analyst becomes familiar with what the industry really needs and what is just nice to know.
We’re trying to focus on specific threats to the natural gas industry. When we get reporting from outside sources, we’re distilling it down to, this is geared specifically to some other industry. We’re going to bypass this for now. Maybe stick it in the back of our mind because you never know what could be targeted to a different sector today could be targeted to our sector tomorrow.
We’re culling all this information and pulling it together into a picture. It is difficult. We’ve been fortunate that a threat analyst…We are a very small organization. Myself, I serve as the executive director for the ISAC. We have one threat analyst. It doesn’t sound like a lot, but he works very diligently.
He works all hours and evaluates what he’s getting in terms of reporting. After having done it for five to six years, he has a good feel for what he’s looking at and what’s going to be important to the industry. It’s a feel thing after having done it for a while.
Russel: Right. One of the things about analysis, if you know anything about intelligence, is working a desk and watching a certain information feed, you get kind of natively sensitized to, “Hey, something’s different about this data set.”
Russel: What’s the biggest challenge with all of this in your experience, Jim?
Jim: If I took your question one way, I would say I could always benefit from our industry sharing more information. We are fortunate that some of our larger members that have security operations centers do share pretty consistently with us. We’re grateful for that.
We also recognize that we serve a number of very small companies who don’t really have the resources to be sharing with us, but if they see something that’s anomalous, they will.
There’s always room for participants to share more. As I’ve had the opportunity to communicate with other ISAC leaders, that’s not uncommon through other sectors. You name the sector and they’re eager for their participants to share more information.
I think if I had one thing, that would be probably the top of my list.
Russel: Right, absolutely.
When I think about this kind of process, you talk about the threat. It’s very varied. You talk about the amount of data that you’re culling through and the size of staff, what are you trying to boil all this down to? Who’s the target for the information and what are they doing with it?
Jim: We’ll talk about a couple pieces to that, if that’s okay with you.
In terms of who’s the target person, the way that we have sought participation in the ISAC is through trade association memberships. Me working for AGA, that’s one group of participants and all of AGA’s 200 members have a participant in the ISAC.
As we rolled out the ISAC to the industry, to our membership, it was determined through the companies’ leadership who the right person was to participate. There’s been some adjustment in that over the years. We’ve been doing this for five or six years now.
At times, it may have been a person in the IT group. It could be a person in the operational technology group. It could be a person in the gas control group. Sometimes there’s multiple people that have a participant role that are receiving the information.
In addition to the American Gas Association, we also serve the Interstate Natural Gas Association of America, or INGAA, the pipeline association and its members, and the Canadian Gas Association and its members. The same process with both of those organizations. It was reaching out to the member companies. Who’s the right person to receive this?
Over a period of time, just wrestling it through. When we first offered this service, if you will, I don’t think people were entirely sure what to expect because they’ve never had it before.
After they were starting to receive it, then they get into a rhythm of, “Oh, this is what you’re providing to us. We need to take these reports and do certain blocking and tackling on our systems. Who’s the right person to receive these reports that can actually effectuate how we’re going to do that blocking and tackling?”
We’ve dialed it down to the right people getting the right information at the right time.
Russel: How much of the information that you’re sharing is targeted to the IT and OT professionals versus how much of it is targeted to management, leadership?
Jim: I would say this is high 90s percent is targeted towards the professional that’s actually going to change firewall rules. That’s how specific it is. It’s very technical. Very little of it is geared towards management.
The kind of, maybe ironic is the wrong word, thing about it is there have been times when there have been alerts that are significant enough that we’ve wanted to ensure that all organizations have real eyes on things. Believe me, this doesn’t happen more than a couple times a year, but we have, at times, sent to CEOs of the industry a reference to an alert.
They’re not doing anything themselves. They’re doing the right thing and passing it along to the folks in their security center to work it. The reason why we had engaged CEOs is to make sure that there’s clarity that they understand there’s a significant threat and that they’re asking their teams whether they’re protected or not.
Russel: Right. I think one of the biggest challenges, in my experience — my experience is, again, more around the control room and the OT systems — is the lack of understanding of the threat. I also think you also see that in leadership.
I have knowledge of a couple of incidents where entire SCADA systems and entire plant systems were taken down and had to be rebuilt from backups to clean up the infection, if you will.
Russel: That tends to sensitize the people that have the direct experience, but how do you share that significant emotional event with those that didn’t have the experience?
I don’t know that that’s part of the role, with what you’re doing with the ISAC, but I’m curious if that’s in your thinking.
Jim: I have seen some of that flow in the years that I’ve been engaged with this. There’s two things that come to mind. The one is we have been very fortunate, at least in terms of the American Gas Association piece of this, that I know the most and best and can speak to the most and best.
Our senior leadership has been intentional about engaging industry senior leadership. That’s not to say that we have made CEOs in our industry cyber experts. However, we have sensitized them enough to know that if we reach out to them on a cyber-related issue, they realize what the importance is. They realize what the stakes are and why. They engage the right people at the right time.
I think that from a senior side, they get it. They are with us.
The other thing that’s been interesting with this, Russel, is, again, from the AGA side of things, we have been doing reviews on a cybersecurity standpoint with our members. That has been conducted for the last seven or eight years.
When we used to conduct cybersecurity reviews, we would bring people into a room. It wouldn’t have been uncommon for the gas control team to be looking at the security team and these individuals had never met before.
When we do these reviews today, seven, eight years later, these people are talking to each other on a regular basis. I think that that shows tremendous movement forward. I’m not taking credit for that, but I think that out of necessity it’s been a need for these two very different disciplines to talk on a regular basis.
They’re doing that. I think we’re finally getting to a place where the right people are talking to the right folks at the right time to make sure that things are continuing to flow and be secure.
Russel: Yeah, that certainly fits with my experience, too. I think even five years ago in the control room, a lot of control rooms just had a notional idea about cybersecurity. I think now everybody has an awareness of what it is and its importance. We’ve certainly come a long way.
Jim: That’s what I was going to say. We’ve come a long way, baby.
Russel: Yeah, exactly.
I think it’s interesting that the information you’re sharing is very in the details. Here’s what you need to be doing, looking at your firewalls and your ports, how they’re configured and all that kind of stuff. Versus just generally keeping people sensitive to the real threat and that type of thing.
Anyways, we could talk about that topic for a long time.
Here’s the other critical question I think I want to ask. Five years ago, this answer would be different than it is now, but my question now is, what is it you wish everybody knew and understood about security within utility infrastructure?
Jim: I think that the main thing that I would add to this would be that everyone realized what their responsibility was. I think that as we have seen, the employee can often be the weakest link in security. One unfortunate action could have really significant negative repercussions.
I think people realizing that and making sure that when they’re doing whatever they’re doing as part of their job they’re thinking clearly through each step of it, that would be, probably, the most important thing in my perspective.
Russel: In both the cases that I have direct knowledge of a major takedown, they were both ransomware attacks. It was both spear phishing.
Jim: Yes, and in most cases, those could have been prevented from better awareness, better hygiene from the part of employees.
Russel: That is the pointy end of the attack right now, because the bad actors are getting really creative about making things look like they’re valid.
Jim: Yes. That’s the threat that we’re dealing with day in and day out.
Russel: We’re getting to the end of the conversation here. I’d like to ask if you have any kind of final remarks that you’d like to make to the pipeline community about this topic in general and about how they might benefit from participation with your ISAC.
Jim: Sure. A couple things that are on my mind. One is we work very hard to make sure that we find the right information at the right time and we get it to the right people to protect against the threat before it happens. We’re going to continue to do that.
Anyone in the listening audience who works within the natural gas distribution or transmission space in the U.S. or Canada, if you are unaware that we exist and you have need or interest in participating, we are certainly glad to engage with you. Anyone who reaches out to me, we would certainly be eager to talk with you and get you connected with the ISAC.
I think those are the two things that are primary on my mind.
Russel: Just a shout-out to the listeners on a couple things. Jim will have a profile page as a guest on the Pipeliners Podcast website. If you go to this episode page and go through the show notes, we’ll make sure we link up some resources so that you can find out more. Jim, thanks so much for being on the podcast. I’d love to have you back.
Jim: Thank you, Russel. It was my pleasure. I am at your disposal anytime. Just let me know.
Russel: All right, great.
I hope you enjoyed this week’s episode of the Pipeliners Podcast and our conversation with Jim Linn. Just a reminder before you go. You should register to win our customized Pipeliners Podcast YETI tumbler.
Simply visit pipelinepodcastnetwork.com/win to enter yourself in the drawing. If you would like to support this podcast, please leave us a review on iTunes/Apple Podcasts, Google Play, or whatever smart device podcast app you happen to use. You can find instructions at pipelinepodcastnetwork.com.
Russel: If you have ideas, questions, or topics you’d be interested in, please let me know on the Contact Us page at pipelinepodcastnetwork.com or reach out to me directly on LinkedIn. Thanks for listening. I’ll talk to you next week.
Transcription by CastingWords