Elevating Our Security and Cybersecurity Protocols
Equitrans recognizes the critical importance of safeguarding our physical infrastructure assets and securing our informational resources and intellectual property. Today, more than ever, there are growing concerns related to the ability of an organization to protect its critical technology assets, requiring companies to display incredible resilience in an ever-changing world.
Our Approach to Physical Security
From both a safety and business continuity perspective, it is crucial that we utilize stringent security measures for our pipeline assets, compressor facilities, and project sites. Trespassing and vandalism by those opposed to the fossil fuel industry can damage or destroy assets; create safety risks and hazards for our employees, contractors, and communities; and impact our ability to deliver natural gas to our customers. The disruption of natural gas delivery for our customers can impact consumers, businesses, and manufacturing facilities.
Equitrans works closely with the U.S. Transportation Security Administration (TSA) to ensure our enterprise abides by all federal security regulations, and we continually optimize our security strategies and plans. Our Security Team implements a wide range of security measures including:
- Site Support: In the event of an emergency or physical security threat, our Security Team supports site work by providing employees field encampment equipment, such as shelter, food, water, and portable bathroom facilities.
- Mobile Surveillance: Our Security Team oversees potential security threats by monitoring mobile surveillance, including security cameras and drones. When our Security Team detects a threat, team members evaluate potential risks, or the extent of the incident, and deploy proper mitigation strategies.
- Physical Security: We use barriers and other physical security measures, such as locks, fencing, and barbed wire, to prevent facility tampering and trespassing.
- Security Personnel: The Security Team deploys static and roving security guards to provide physical security at our critical sites and in areas where they detect security threats. The Security Team also works with local law enforcement to protect sites and respond to threats.
- Drone Support: Our Security Team trains and licenses drone pilots. In addition to aerial security surveillance, our drone teams support operational needs, such as land surveys and data gathering.
Security guards are stationed 24 hours/day, seven days a week at our headquarters office in Canonsburg, PA, and are also routinely scheduled at various compressor station facilities and project sites, including along the Mountain Valley Pipeline (MVP) project route. Our operations team determines the criticality of a site by analyzing the level of risk for disruption and the potential impacts on our local communities, on-site employees, contractors, equipment, and capacity throughput. Equitrans contracts all security guards from a third-party security vendor. We provide all of our security team members and third-party security personnel with formal security training and information on our security standards. Our training program includes the following concepts:
- Pipeline Security: How to protect our pipelines from trespassing, physical threats, and disruptions.
- Law Enforcement: How and when to involve law enforcement agencies.
- Crisis Events: How to respond to a crisis or emergency on or near a project site.
- Field Sabotage: How to detect sabotage efforts that could affect pipeline integrity.
Prior to starting work at any site, security guards are required to attend a comprehensive security training session to identify and be familiar with any site-specific hazards or risks.
100% of our security personnel receive formal training on Equitrans’ safety and security practices.
We also train guards on the legal requirements and technical use of body cameras, as well as techniques for effective and safe protest management. At our operational facilities, our security guards increase overall safety and minimize the risk of serious incidents by providing direct oversight and immediate response to potential incidents involving opponents. In the event of a dangerous incident, Equitrans’ security team works to safely evacuate work crews and initiates assistance from law enforcement, if needed.
Pipeline and Operations Security
The security of our pipelines and facilities is integral to national and economic security and the success of our operations. Ensuring we are safeguarding our assets also reduces risks of environmental incidents and potential safety hazards. For pipelines and compressor stations that are in operation, Equitrans continuously gathers information regarding their security. We protect our assets with fences, building locks, electronic monitoring, and 24/7 surveillance at many of our sites.
At construction sites, we deploy various levels of security, depending on their criticality and vulnerability. For critical sites, we secure pipe storage yards and worksites with 24/7 security guards or advanced analytic camera systems. At sites where an increased threat may exist, we employ both security guards and camera systems simultaneously.
The majority of our pipeline construction projects require us to hire guards during non-work hours, and Equitrans’ Security Team oversees the security at all construction sites. If theft, vandalism, or other threats are encountered, a combination of roving and static guards along with varying levels of camera coverage will be employed to secure the site. For projects that encounter hostile persons or opposition during construction, we assign security teams to protect workers during the day and static guards to protect equipment during non-work hours. As an example, the Mountain Valley Pipeline project contracted more than 85 roving and/or static guards to protect workers, equipment, materials, and construction sites. If we encounter a hostile person or group during construction, we contact the appropriate law enforcement groups and implement security and static guards to ensure our workers and equipment are safe.
Security guards also protect compressor stations and various other sites based upon criticality and vulnerability; and barbed wire fencing and access controls, along with high-resolution analytical camera systems, are used when and where deemed necessary. Other sites such as interconnections and metering stations incorporate fencing, cameras, or both, depending on the perceived threat to the specific location.
Our security guards receive safety and security training from their employers. The type of training depends on the location they are operating in and the conditions on the ground. In high-risk areas, some guards have received body camera instruction and executive protection training. In 2021, security guards received updated training on trespassing and specific instructions for protecting Company vehicles stored in Company parking lots. In early 2022, we implemented Standard Operating Procedures to deploy drone aircraft for safety overwatch in contentious areas. This new feature to our security program is expected to result in cost savings and enhance our ability to collect information rapidly.
Equitrans uses physical security measures in our offices to protect our employees, information technology infrastructure, and other assets. We use gates, trespassing signs, and motion-activated cameras to deter unauthorized persons from entering our offices. We implemented an anti-tailgating system at the entrances of our headquarters office in Canonsburg, PA that signals an alarm when two people walk into the office together using only a single employee badge. The headquarters office security personnel are CPR and AED certified, and are trained to assist emergency medical service responders by quickly escorting them through building security. We continue to evaluate emerging risks and explore new ways to ensure the safety and security of all our offices.
Evaluating Our Physical Security
Equitrans’ security program is intended to reduce the risk of both major and minor incidents, and our security team works diligently to ensure all aspects of our enterprise are safe. For the safety and security of our employees, we recently implemented an overseas travel process that assesses U.S. State Department information and provides travel safety guidance for specific destinations. We track regional, national, and global protests utilizing the Welund database. The HSSE Committee of the Board oversees our approach to physical security.
In 2021, we partnered with the U.S. Transportation Security Administration (TSA) and began to voluntarily standardize our security measures to better align with emerging federal security expectations and regulations. Equitrans is always looking for new ways to improve our security and protect our customers and communities, including consistent monitoring of our systems for vulnerabilities and efforts to mitigate any risks.
Our Approach to Cybersecurity
Cybersecurity is at the core of our information technology (IT) strategy, the activities of which are managed by our Chief Information Officer, with assistance from employees and contractors in our IT department. We understand the importance of cybersecurity as it relates to our role in providing critical infrastructure for our nation’s economy and national security. Our cybersecurity program is designed to:
- Establish situational awareness of evolving threats and vulnerabilities to our technology presence
- Proactively detect and respond to cyber-attacks, minimizing adverse impacts to business operations
- Leverage technology to achieve business objectives securely and efficiently
As a core design principle, Equitrans’ cybersecurity philosophy incorporates security requirements into our architecture, processes, and solutions. To validate the effectiveness of our approach, we measure our capabilities and practices against the National Institute of Standards and Technology (NIST) Cybersecurity Framework, relevant industry standards, and government regulations. In addition, we routinely engage independent third-party security firms to exercise and assess our cybersecurity capabilities.
As essential components of our technology strategy, we appreciate that cloud and internet services continue to transform the technology landscape. Embracing cloud and internet technologies has improved our resilience and demonstrated performance improvements, while also ensuring enhanced security controls and visibility. We have integrated our Software-as-a-Service (SaaS) and cloud computing (IaaS, PaaS) implementations into our security operations center (SOC) to provide consistent and holistic security visibility and readiness. To enable our cloud approach, Equitrans built a modern high-performance network to provide secure and resilient connectivity between Internet and cloud services and our field locations.
Equitrans practices proper cyber hygiene through rigorous identity access management, vulnerability management, and asset management programs. These programs reduce the attack surface for adversaries and ensure we are proactively managing our user accounts, systems, and devices. We also segment our informational and operational technologies, as appropriate, and leverage network micro-segmentation to further protect our critical systems and assets. This practice restricts lateral movement within our network to only necessary access, further challenging adversaries attempting to do harm.
To support our remote workforce, Equitrans utilizes a scalable, cloud-native architecture to provide secure access for mobile users from anywhere. Operationally, we continuously monitor for cyber intrusions, augmenting our internal resources and capabilities with those of third-party service providers. Multiple security technologies are employed to protect our systems, applications, and data, including next generation firewalls, strong multi-factor authentication and access controls, and endpoint detection and response solutions. These technologies combine to protect, secure, and segment Equitrans information while traversing home and public networks.
Informed by our Enterprise Risk Management Program, we utilize risk-based analysis in decision-making to determine actions and priorities for our cybersecurity program. We have strong governance through written policies and implement electronic enforcement as a monitoring tool to ensure compliance and assist in preventing undesired behaviors. Beyond our Data Privacy Policies, additional access restrictions and monitoring are in place for data related to our customers’ and landowners’ personally identifiable information (PII), and similar protections are in place for commercially sensitive data and systems. Additional protections are provided via active alerts and monitoring for data movements and with electronically enforced policies such as prohibiting USB storage devices.
Our fault tolerant, highly available architecture is an important part of our continuity plan; however, Equitrans does not solely rely on architecture to ensure continuity. To complement our architecture, we also adhere to a robust Enterprise Data Backup Policy, which includes, among other activities, routine restoration of critical data. In addition, cybersecurity is a critical element of our Crisis Management Plan, and we conduct routine cyber incident drills that include cross-functional participation by our executives, business stakeholders, and legal and security partners.
We prioritize training and cybersecurity awareness for our employees and extend this training to include our service providers and partners. The training and awareness content includes knowledge of cybersecurity policy, understanding of cyber threats, and incorporation of leading practices into their daily IT- and cyber-related activities. Equitrans employees and partners with access to our operational technology (OT) network are required to participate in additional training specific to OT interactions.
Evaluating Our Cybersecurity
Equitrans’ IT group is actively working to comply with relevant TSA security directives. In 2021, Equitrans’ CEO participated as a member of the CEO task force for the “100-Day Sprint” — an initiative assembled by the National Security Council (NSC), in partnership with the Department of Energy (DOE) and the Cybersecurity and Infrastructure Security Agency (CISA), to improve visibility, detection and response to cyber threats. Additionally, Equitrans’ CIO is a member of the corresponding CIO task force that is responsible for executing on the 100-Day Sprint.
In an effort to expand our Company’s knowledge and understanding of the cyber-threat landscape, our CIO is also a member of the TSA Pipeline Security Directives Technical Roundtable, whose insight will help inform renewed security directives and proposed regulations; and a member of the Joint Cyber Defense Collaborative (JCDC) Pipeline plan team, with a directive to establish information sharing standards. Equitrans also expects to participate in the DOE’s pilot Cybersecurity Risk Information Sharing Program (CRISP) for Oil and Gas; a similar program is already in place for the electricity sector. The Company is currently evaluating its participation in CISA’s CyberSentry Program for real-time monitoring and collaboration.
Equitrans’ cybersecurity program is reviewed and monitored by executive management, with oversight by our Board of Directors, and both groups routinely receive and review cybersecurity updates, assessment results, and audit findings. Our executive management and Board of Directors also receive updates on cyber-risk management throughout the year.
To ensure the effectiveness of our cybersecurity program, we routinely participate in third-party reviews to maintain and enhance the resiliency of our systems. In addition, Equitrans’ IT leadership routinely conducts risk quantification and assessment exercises to prioritize our efforts and minimize the risk of cybersecurity activity. By implementing a continuous improvement approach to cyber protection, our program remains flexible and more dynamic, allowing us to adapt to the ever-changing threats within the expanding cyber landscape.