Why This Matters to Williams
As an energy infrastructure provider that supplies natural gas to some of the largest population and economic centers in the U.S., it is critical for us to protect our operations against cyberattacks and loss of business-critical information. Cybersecurity threats pose physical, financial and reputational risks to our business and to national security.
Williams understands the importance of managing the integrity of our system. In collaboration with industry and government stakeholders, we are leading the industry in creating and implementing cybersecurity resilience measures across our footprint so that we may continue to transport the natural gas end users need to run their businesses and heat their homes.
Each member of our organization, from facility operators to board members, has a responsibility to safeguard Williams’ cybersecurity. We present a quarterly cybersecurity report to the entire board, which retains responsibility for overall cybersecurity policy and strategy oversight. Made official through the 2022 committee charter revisions, the audit committee has oversight responsibility for cybersecurity risk management protocol implementation, effectiveness evaluation and response to breaches or cyberattacks. Our Chief Information Security Officer is responsible for our cybersecurity strategy and execution, while our executive-level steering committee provides additional oversight for Williams’ cybersecurity initiatives, such as improving cybersecurity reporting metrics and driving implementation across the business.
At the management level, our cyber-risk and cyberoperations teams oversee cybersecurity issues. The cyber-risk team specializes in establishing strong governance practices, conducting risk assessments and facilitating regulatory compliance. The cyberoperations team puts our policies into practice, with responsibilities such as access fulfillment, technical security control management, security event monitoring, security standards development and incident response.
Our teams coordinate their actions in alignment with our three-year cybersecurity roadmap, refreshed in 2021, and track their effectiveness using our internal security operations reporting matrix. In 2022, we refreshed our cybersecurity roadmap to incorporate our approach to the updated Transportation Security Administration (TSA) Directive requirements. In 2023, we plan to conduct an in-depth roadmap review to account for ever-evolving benchmarks. During this process, we will revisit our IT and cybersecurity maturity metrics to evaluate metric selection and communication.
Monitoring & Mitigation
Williams uses a strategic, risk-based approach including constant monitoring and threat detection to protect our facilities and technologies. In 2022, our cybersecurity teams focused on aligning with the TSA Security Directive reissuance for oil and natural gas pipeline cybersecurity. The directive requires companies to establish Cybersecurity Implementation Plans (CIPs) and focuses on evaluating companies using performance-based measures. Williams completed our CIP on time and received TSA approval. Additionally, throughout 2022, we implemented smaller enhancement and maintenance initiatives needed to uphold system-wide resilience. Many efforts concentrated on mitigating additional risks introduced through remote and hybrid working arrangements.
After implementing our industrial control systems cybersecurity program in 2021, we shifted into a phase of security monitoring and continuous improvement during 2022. This program, built from an innovative executive-level steering committee vision, secures our technology-based operational assets to prevent transmission disruptions due to cybersecurity threats. Implementing and enhancing this program is a company-wide effort that requires cross-functional coordination, upskilling to apply best practices and accountability through regular reports to leadership.
Our cybersecurity hardening team is responsible for identifying and remediating system vulnerabilities. In 2022, we implemented several measures to heighten overall security. For example, we enhanced our listing capabilities, deployed additional firewalls, enhanced our Identity and Access Management system, established an Insider Threat program and rolled out multi-factor authentication to all systems. Additionally, artificial intelligence (AI) is a rapidly growing area of opportunity for cybersecurity. Over the last few years, Williams incorporated AI threat hunting tools, which continue to improve as we learn about the environment and evolving cyber threats.
Keeping detailed cybersecurity metrics, setting performance targets and evaluating performance over time are vital to identifying areas for improvement and communicating progress to our stakeholders. In 2022, we enhanced our log management solution and improved the data collection and reporting processes used to maintain Sarbanes-Oxley Act certification. Our executive-level steering committee oversees our cybersecurity metrics, and we plan to reevaluate our use of metrics during our 2023 cybersecurity roadmap reevaluation.
We conduct regular internal audits and IT risk strategy sessions to assess cybersecurity threats and respond accordingly. To complement this effort, Williams contracts with a third party to evaluate risks within our corporate and operations networks. In 2022, we simulated an Operational Readiness Drill to evaluate Williams’ ability to continue transporting products in the event of a cybersecurity attack. The drill was executed successfully, and we are pleased with our employees’ ability to effectively activate site-specific operating procedures and facilitate open communication lines during the event.
In 2022, Williams engaged two independent assessors to validate our internal cybersecurity controls and incident response program. We received positive feedback on the integrity of our cybersecurity framework; however, we recognize there is always work to do to maintain resilience against the ever-evolving landscape of online threats. Therefore, we implement enhancement measures identified during these assessments on an ongoing basis and incorporate learning into our cybersecurity roadmap.
All Williams employees, contractors and vendors complete baseline cybersecurity and data privacy training. Additionally, we deploy simulated phishing emails regularly for employees to practice identifying and responding to email attacks. We diligently train employees since attackers often use phishing attacks to target organizations, and employees who repeatedly fail phishing simulations receive supplementary training.
Williams supplements training programs with awareness initiatives such as posters, presentations, newsletters and events. In 2022, 97% of employees completed cybersecurity training. Each October, Williams hosts a company-wide cyber awareness event to recognize National Cybersecurity Awareness Month. Internally, we use this time for engaging in-person events that inform employees about the different types of cybersecurity risks, including an escape room that simulated a social attack. In 2022, we launched our Operation Secure campaign through a series of articles and informational posters, which focused on heightening awareness of TSA cybersecurity compliance and other cybersecurity-related issues.
WILLIAMS WILL BE THERE
Leading the Way in Cybersecurity
Williams is at the forefront of public-private efforts to enhance the cybersecurity of our nation’s pipelines and other critical infrastructure. In 2022, our President and CEO, Alan Armstrong, met with President Biden to discuss energy cybersecurity and served as chair of a CEO task force for the National Security Council’s Industrial Control Systems 100-Day Action Plan for natural gas pipelines. Williams engages with government stakeholders on infrastructure and national security via the Oil and Natural Gas Subsector Coordinating Council, of which our Chief Information Security Officer is the current chair. Through this role, Williams facilitates conversations relating to intelligence sharing, national critical infrastructure cybersecurity goals and strategy, identifying future opportunities for collaboration and advising on potential regulations and policies. He also chairs INGAA’s Security subcommittee.