Standards that would have closed cybersecurity holes may have never been implemented by the American Gas Association (AGA) due to costs. Sen. John Rockefeller (D-W.Va.) responded to these allegations with an open letter detailing the threats and requesting a response from AGA president and CEO Dave McCurdy.
America’s network of gas supply and delivery systems is among the “critical infrastructures” often referred to in cybersecurity documents. Critical infrastructures are private industries that are crucial to the economy and safety of the United States; industries where a well-placed cyber-attack could have potentially devastating consequences. The financial and energy sectors are other examples of critical infrastructures.
In the letter, Rockefeller addressed the AGA and the suppliers it represents. “Many Americans likely take for granted the service your industry provides, given its dependability and ubiquity,” he states. “A prolonged disruption to this energy supply, whether through a cyber-attack or other catastrophe, would be disastrous.”
After the initial review in 2006, the AGA published a report stating, “there are credible [cyber] vulnerabilities that threat agents could exploit.”
The report states that “with little effort,” an attacker could scan AGA communications from different sites—including between control centers. It adds that a hacker could also access its systems and change software used by field device operations.
At the control centers, SCADA systems write data to a master database, which is in turn used by other systems. “This interface also may be compromised, giving the attacker access to either SCADA operations or to sensitive data used by business operations,” the report states.
Now, in English, that means quite a bit. SCADA systems are often used to control industrial systems, such as moving parts, opening and closing valves, and controlling other vital functions. SCADA systems can also be hacked to speed up and physically destroy these systems, or to open a valve and release more of a substance than intended.
The Stuxnet worm, for example, was used to physically destroy nuclear centrifuges at an Iranian nuclear plant. Similarly, in April 2000, a man by the name of Vitek Boden hacked SCADA systems at a sewage treatment plant in Queensland, Australia, and dumped millions of gallons of raw sewage into creeks, parks, and a hotel.
The AGA formed a working group to close the security holes found in its study, and created a set of standards, dubbed “AGA-12.” These were intended to guard data as it was sent by control systems. The AGA-12 went through testing, and won the support of both government agencies and private organizations, among them the Department of Energy and the Gas Technology Institute.
Yet, Dennis Holstein, an independent researcher who helped develop AGA-12, recently told the Christian Science Monitor that the standards were never used.
“What I think killed AGA-12 more than anything else was the cost of it. It was a success. But nobody was willing to pay $500 for a bump in the wire solution even if it radically improved security. I haven’t seen any deployment of it,” Holstein said.
This is what prompted Rockefeller to confront the AGA president and CEO in his letter.
Phone calls to the AGA were not returned by press deadline.
Sen. Rockefeller is the chairman of the Senate Committee on Commerce, Science, and Transportation, but he notes that as the former chairman of the Senate Intelligence Committee, “I am well aware of both the gravity and likelihood of cyber threats that could do great damage to the United States.”
“It has been widely known for years that our critical infrastructure is vulnerable and that the threats are real. Yet, while the threats have grown, the vulnerabilities remain,” he states.
Rockefeller is currently proposing the Cybersecurity Act of 2012, which would create a partnership between the private sector and the federal government, to guard critical infrastructure. He introduced the bill on Feb. 14, alongside Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (ID-Conn.) and Select Intelligence Committee Chairman Dianne Feinstein (D-Calif.).
“I fear that the business justification for securing critical infrastructure will not come until it is too late, after a cyber-attack does great damage to our economy, or worse, cause a mass casualty event. At that point, the private sector will have little choice but to make the necessary investments in cybersecurity,” Rockefeller states.
The Senate Committee on Commerce, Science, and Transportation stated in a press release that this letter “is part of ongoing efforts by Sen. Rockefeller … to address our nation’s critical infrastructure cyber vulnerabilities.”
The Epoch Times publishes in 35 countries and in 19 languages.