Ensuring pipeline physical and cyber security
Production of oil and natural gas in the U.S. and Canada is increasing. The vast majority of these hydrocarbons will be shipped across the continent via a dense network of pipelines. The integrity of this network, however, is threatened, not only by mechanical failures, but also by targeted cyber attacks.
While there have not been reports of pipeline attacks on U.S. soil, there have been attacks in other countries. In 2008, a section the Baku-Tbilisi-Ceylan (BTC) pipeline in Turkey was reportedly the victim of a targeted cyber attack. The pipeline ruptured, exploded, and released 30,000 barrels of oil near Refahiye after hackers allegedly infiltrated the pipeline’s security camera network, disrupted the network’s security communication links, gained access to control equipment of a valve station, and increased the pressure in the pipeline. If it can happen there, it can happen in the U.S. as well.
Threats are ubiquitous
The U.S. has 182,000 miles of hazardous liquid pipelines, 325,000 miles of natural gas transmission pipelines, and 2.15 million miles of natural gas distribution pipelines, according to the U.S. Transportation Security Administration. A typical pipeline for the transport of natural gas or oil can extend hundreds of miles and be comprised of thousands of sensors, valves, pumps, and controllers. They are typically monitored by cameras, enclosed by fencing, and routinely inspected. However, every security system has its weaknesses.
Michael Assante, the SANS Institute’s lead for training on industrial control systems who, in December 2014, co-authored an analysis of the then-known facts regarding the incident, said that while it is unlikely the BTC pipeline was actually cyber-attacked as originally reported, a similarly targeted attack against pipelines in general is plausible. What’s worse, leaders of the oil and gas industry remain woefully ill prepared.
To understand what has happened in the realm of electronic security, and why today’s industrial control systems (ICSs) are vulnerable, one must look back to 2010 and the creation of the Stuxnet worm. Developed to cripple Iranian nuclear equipment, Stuxnet helped pioneer a new and growing brand of cyber attack, Assante said.
"Before 2010, the greatest number of attacks were what we call, nontargeted malware, which inadvertently found their way into ICSs," Assante said. "But since 2014, we have evidence of a growing number of targeted ICS attacks and enhanced delivery and targeting of control systems. Some of these attacks have exploited ICSs by targeting vulnerabilities in control system software."
The speed at which attackers have been inspired directly by the Stuxnet worm or tried their own types of attacks has increased exponentially. In 2012, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Dept. of Homeland Security, identified 197 cyber-attack incidents. By 2013, that number grew to 257. This demonstrates that attacks are on the rise. What’s scary is that a third of them are aimed at the energy industry. The ICS-CERT reported the majority of the attacks targeted energy and critical manufacturing companies. Of 245 reported incidents in 2014, 32% targeted the energy industry.
"The majority of incidents were categorized as having an ‘unknown’ access vector," said the ICS-CERT report. "In these instances, the organization was confirmed to be compromised. However, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised networks." The lack of these detection capabilities reinforces the industry’s lack of preparedness, which is definitely cause for concern.
Some of the identified methods of attack noticed by the ICS-CERT included spear phishing and network scanning.
Cyber security definitions
- Spear phishing: An e-mail spoofing fraud attempt that targets a specific organization with the intention of gaining access to confidential information.
- Network scanning: A procedure to identify active hosts to attack, or to gain an assessment of network security.
The good news is that these attacks are being noticed. The bad news is the time still required to detect an attack. Just two years ago, the average time for a company to detect that it had been hacked was 416 days. Today, that gap has narrowed to 200 days, which is still unacceptable. The very nature of a cyber attack is to gain access and/or do damage to IT and control infrastructure-without raising suspicions. It’s a cat and mouse game.
Taking control of an ICS means gaining command of a system’s functions. After it’s infiltrated, that system’s designed function could be altered to allow negative things to happen for which the system is specifically designed to prevent. For example, a cyber-perpetrator could cause pressure within a pipeline to increase enough to burst it. Alternatively, information from within the ICS could be extracted, manipulated, or even sent to a third party.
Electronic security designs of the past several years including VPNs, firewalls, and antiviruses have been somewhat effective layers of security, Assante said, but when it comes to a targeted cyber attack, additional measures must be taken.
In 2014, the SANS Institute created the Global Industrial Cyber Security Professional certification to train ICS operators to understand how best to recognize and react to an attack. The certification is a step, but it cannot be the only one. In many cases, there are inherent vulnerabilities within the ICS that must still be addressed.
"There are very few technologies deployed within control systems themselves to help with security challenges. There is a lack of network-based monitoring within the control network and there is a lack of endpoint security on many of the servers and workstations in those environments. A lot of industrial protocols are not authenticated, so after he or she is on the network, an attacker can simply inject commands," Assante said.
Updating an ICS and patching internal weaknesses can be expensive and often requires its complete shutdown, which can be dissuasive. This makes addressing these internal weaknesses difficult for companies to accomplish.
The attacks seen so far in the U.S. have not been as destructive as the alleged attack against the BTC pipeline in Turkey. They have instead been more subtle in nature.
"Most of the incidents I am aware of would suggest the attackers were interested in gaining and sustaining access to the control system—to get there and stay there," Assante said. "The second [thing they would suggest] is to steal information, the motivation for which we are not clear."
After an attack, it is imperative to understand how the attack occurred to fortify weak areas and ensure another does not happen. Companies must delve deeper and conduct engineering assessments to determine what cyber attackers could accomplish after successful infiltration.
The concern is while infiltrating an ICS, attackers learn about how it is structured, its settings, configurations, and process data. If sensitive economic or confidential information is discovered and removed by attackers, how could that information be used to launch an even more tailored attack?
"We need to be looking for this now," Assante said. "Having that knowledge can set you up for developing what we call ‘specific capability,’ to come back later with a stronger attack. So is that their motivation? We don’t know." Not knowing why is scary.
Stealing information from a pipeline operator’s ICS could, in some cases, have commercial market value for several entities. For example, learning the throughput value of a pipeline could have economic security implications. Having this information could also have industrial espionage implications. It could prove useful in understanding how best to position oneself to leverage competitively.
Unfortunately, it is unlikely that computer attacks will slow down in the future. Assante said he expects the number of attacks to increase as more successful attacks occur. With each attack, the perpetrators learn more about the methods to attack and improve their cyber-attack techniques.
"Over time, people will accumulate their knowledge, tools will become available, virus exploit codes will be out there to be captured and reused, and so the base of who could be conducting these attacks successfully typically grows over time." This makes protecting against future attacks increasingly more tricky.
Mitigate attacks, secure assets
To protect pipelines and save money, many companies are reducing the number of armed ground patrol units and replacing them with drones, CCTV systems, and distributed acoustic sensing (DAS) systems, which are becoming more popular due to their low cost and sensing advantages. However, depending on local geopolitics, some countries are putting more boots on the ground through special pipeline protection departments to ensure safety of major international pipelines, such as those in the republics of Azerbaijan and Georgia, with the Special State Security Service and Strategic Pipeline Protection Department, respectively. The U.S. doesn’t have a dedicated security force exclusively committed to pipeline protection. While the country isn’t in an unstable area of the world, it raises the question of whether transnational pipelines in Canada—and especially Mexico—should have increased security. What happens to international pipelines directly affects U.S. and industry stakeholders.
Pipeline operators should understand the geopolitical environment in which they are working. Based on the local and/or national security situations, increased measures, such as drones, CCTV, or boots on the ground, should be taken to protect against physical attacks. Security shifts should be made toward passive monitoring by using sensors, inline inspection tools, and DAS systems to prevent leaks and monitor pressurization, by many producers in relatively stable geopolitical environments.
In many respects, the pipeline industry has done a good job of ensuring its safety. In the American Petroleum Institute and the American Pipeline Association’s joint 2015 report on pipeline safety performances, 14.9 billion barrels of oil and natural gas products were transported via pipeline as of 2013, more than a billion barrels more than in 2009. This is a massive amount of hydrocarbons and petrodollars that could be subverted by attacks, costing millions in lost revenues and environmental damage and clean up.
Since 1999, the number of incidents and mechanical failures of liquids pipelines has dropped by 50%, corrosion-causing incidents have dropped by 76%, and third-party damage to pipelines via excavation of ground has dropped by 78%.
New tools, such as inline inspection equipment help operators identify cracks in pipelines and repair damage to regularly-used sections of piping.
The progress made to ensure the physical integrity of a pipeline is not negotiable. In 2013, there were 134 instances where onshore pipelines released volumes of oil, losing approximately 108,032 barrels of hydrocarbon products. Of that, 55% were caused by natural forces including lightning strikes or landslides.
But all of these safety provisions could be for naught if, on the back end, pipeline operators have less than adequate electronic security measures that could undermine the progress made in ensuring pipeline safety.
Aging gas distribution pipelines
The 2.15 million miles of gas distribution pipelines in the U.S. make up an aging network with potentially explosive consequences because a majority of the network was built before proper codes and standards were enforced to mitigate over pressurization or poorly welded seams. According to data from the U.S. Government Accountability Office, of 230,000 miles of gathering lines, only 24,000 miles are federally regulated. And to standardize and regulate, a one-size-fits-all approach would actually make pipelines less safe because operators and pipelines differ greatly. The consequences could be dramatic. On-shore pipelines are often located near population centers, potentially causing millions of dollars in property and environmental damage, and deaths.
Technology highlight: Distributed acoustic sensing systems
Placing DAS devices on fiber optic cable creates virtual microphones every 30 feet along the pipeline. Using sonar processing techniques, sounds received by the virtual microphones are converted into a graphical display. This output is read by an operator monitoring the pipeline. Using these data, the operator can interpret certain events in the vicinity of the pipeline. For example, the acoustic patterns of mechanical digging or a person walking can be deciphered and relayed to the monitoring system.
A DAS system includes an optical interrogator unit and an acoustical processing unit. The interrogator unit sends a pulse of light down the fiber optic line with most of the light reaching the other end. However, a small percentage of light returns to the source. This effect is called "backscatter," which is the core of DAS operation. Vibrations or sounds near the sensors change the patterns of the backscattered light, which are analyzed by the interrogator unit to recreate the sound or vibration that caused them. These recreated sounds are processed by the acoustical processing unit.
Pierre Bertrand is an energy markets journalist. He worked for two years in Kuwait and Oman in the Middle East as well as in the U.S.
Read more about the Republic of Georgia’s unique Strategic Pipeline Protection Department
Read the full API report here
Read the full report from the U.S. Government Accountability Office (GAO)
Original content can be found at Control Engineering.