February 2013, Vol. 240 No. 2
Features
Cyber Trickery Is Not Exactly New
Thinking about cyber and energy goes back to a great myth, which may or may not be true. It has long been rumored that agents of the Soviet government illegally obtained an industrial control computer by clandestine means from a Canadian manufacturer in the 1980s.
Unfortunately, as the tale goes, the Soviets had been duped, as the U.S. intelligence apparatus was aware of what the Russians wanted and before the computer was sent to Russia a Trojan horse was implanted in its memory. The Americans planned to have the computer fail after its point of installation.
Eventually, the computer was installed in a pipeline somewhere in Siberia and after functioning normally for some time it failed, rather catastrophically. As the story goes, a massive explosion was triggered, of magnitude not seen in east of the Urals since the Tunguska event of 1908.
New York Times columnist William Safire claimed the Siberia pipeline explosion was the brainchild of a fellow Nixon White House staffer who saw sabotage of the Soviet oil and gas industry as a valid form of covert action. Since Safire’s claim was published, a number of people have mentioned the Siberia pipeline incident, some arguing it to be ground truth while others dismiss it as rumor. But the larger economics of energy and Soviet decline are hard to dismiss.
During the 1980s, Saudi and other Middle Eastern oil production surged, and as a result oil prices fell to just above $10 per barrel. This decline in price, which produced shocks of its own in the Texas economy, was devastating to the USSR. But was the Soviet Union doubly hurt by this nascent cyber attack, cutting the amount of oil and gas it could get to market to trade for foreign currency? Did the U.S. sabotage the Soviet energy economy by blowing up a major pipeline? The answer depends on whom you choose to ask.
Networks And Pipelines
While a computer-mishap pipeline blast probably seemed somewhat far-fetched in the 1980s, today we are forced to reappraise what concern should be applied to the protection of computer systems engaged in the transmission of oil and gas.
Several years ago, my colleagues Ken Medlock, Dan Wallach and I stated that we were not deeply concerned about the risk of a major cyber attack against the electrical grid or the infrastructure upon which the oil and gas industry runs. That was due to a pair of assumptions we held. First, that much of the physical operations of infrastructure – turning on and off pumps, opening or closing valves, and so on – largely required human intervention. Second, we believed that any supervisory control and data acquisition (SCADA) process control computers were run separately from the Internet. Five years ago, we viewed the likelihood of a major cyber attack against the energy infrastructure as quite low.
Concerns now are greater. In electricity, we have seen a massive national investment in computerized metering technology undertaken by the federal government through its massive Smart Grid initiative. In oil and gas, companies have embraced smart field computerized production capabilities and other forms of automation to foster efficiency and better monitor operations. It is this latter category, of emplacing remote sensors and other systems to better manage flow of fuels, where a great deal of effort has been undertaken in the last decade.
This is not all bad. A colleague recently mentioned an incident regarding a pipeline in North America where a moose damaged a pumping station after blundering into it in a blizzard. While there was no spill, operations were disrupted, and such disruptions hold a cost. When the operator assessed lessons learned, the obvious one was that segments of the pipeline were shutdown needlessly because of a scarcity of data about the condition of the entire pipeline.
If additional sensors were emplaced and networked, such disruptions could be minimized, and more importantly, maintenance and repair technicians could be gotten to the point of failure more quickly. If a spill were occurring, for instance, networked sensors would stave off environmental damage and hasten the response.
The problem is that to get any value from the sensors, those sensors must be networked. And this is where the computer security concerns arise. The value in sensors is in the capacity to access them remotely so that the information they collect can be analyzed and interpreted in aggregate. From that picture, trends may be detected, actions taken, and problems averted. But in interconnecting computers an opportunity is opened for unauthorized access. As we’ve seen again and again, information systems are breached and compromised because they are designed to open to some degree, but that degree of openness may be undermined.
Cyber (In)security
For more than a decade, officials and experts have prognosticated about significant cyber attacks against transport, health care, and critical infrastructure. These have often been accompanied by threatening images such as “electronic Pearl Harbor” or “cyber Katrina.” In addition, there is a large industry of computer security and anti-virus companies that has developed around the evolving set of threats to computing systems. So, while there is much talk about the risks, there is also a sizeable industry that profits from dealing with them. A common refrain on computer security is the question, “How much is enough?”
Answering that question requires understanding what the organization holds, everything from its physical plant to its brand reputation. I see cyber attacks threatening three things held dear in the oil and gas industry. First, there is the computer-controlled or monitored infrastructure employed to deliver products across the supply chain and to customers. This is an area where there is considerable and growing fear, as disruption can be very costly. Cyber attacks on infrastructure invoke some scary pictures, for instance explosions and spills.
When a colleague asked what I worry about in this space, he prompted with the question, “What if someone blew up a refinery?” I reminded my questioner that the Chevron Richmond, California refinery had just had a major fire the prior week. The energy industry has accidents, but what it has done to mitigate that problem is emphasize safety at any and every opportunity. The energy industry’s safety culture feeds back from operations into design, engineering and development.
The smart money in cyber security for operations is to think about how cyber can become part of the overall safety culture. There are safety procedures for every major process in the transportation of oil and gas in the United States. The question is how to build up valid cyber safety that is as much a part of the daily routine as donning the proper safety gear to protect against physical risks.
Then there are the information security issues of the oil and gas industry. Experts in the cybersecurity field have said a lot recently about the theft of corporate intellectual property (IP) by foreign actors. These allegations appear to be true to some degree. In the oil and gas industry we can see IP theft concerns of information useful to foreign competitors including seismic data, new technologies, proprietary computer algorithms, and other outputs of research and development.
But what of the pipeline industry? Does it have the same sort of valuable core IP? Yes, there is some, but pipeline operations require intensive know-how, not just innovative technology. So, IP theft is likely not the same concern as it is for companies that derive their competitive advantage from innovation.
In 2011, the Department of Homeland Security sent a bulletin warning that it had detected attempts to compromise the computer network operators. But what could the would-be attackers have been looking for? These were attempts to see the computers of the managerial element of pipeline companies, not the ones actually managing the flow of oil and gas.
I offer this answer: to get inside the decision chain of the targeted companies. If an attacker can gain access to the e-mail of top corporate officials, he or she may understand an enormous amount about how that company operates and what its major concerns are. Hacking the e-mail server of the target of an acquisition or takeover may be illegal if a U.S. firm does it to another, but it may be completely acceptable behavior for a foreign firm. That is a new business reality.
Some Ways Forward
So we really see two major concerns for the pipeline industry in the cyber domain; the chance that a system can be subverted as well as the possibility that corporate operations may be rendered transparent to others. There are some very important steps that need to undertaken.
Cyber controls need to become a part of the development, acquisition and maintenance processes for oil and gas pipeline operators. Thought will need to be given to the problem of how security controls are a part of all new systems deployed and the one ones already in operation, especially if they will employ standard Internet protocols for communication.
Then there is the matter of protecting the information of the organization held in digital form. There is no silver bullet here, but by making cybersecurity a matter of concern for the executive team, as well as IT. From the board of directors on down, cybersecurity, at least for the time being, must be confronted as an issue, on par with safety, throughout the industry, at every level of management.
There is no need to panic, but good industry-wide coordination and prioritization may well stave off onerous federal regulation of cybersecurity practices throughout the oil and gas supply chain.
Author
Christopher Bronk, Ph.D., is the Baker Institute fellow in information technology policy. He previously served as a career diplomat with the U.S. Department of State on assignments both overseas and in Washington, DC. His last assignment was in the Office of eDiplomacy, the department’s internal think tank on information technology, knowledge management, computer security and interagency collaboration. He has experience in political affairs, software development, geopolitical issues.
Bronk’s most recent work is in the area of computing and energy with an emphasis on the oil and gas industry. In 2012, he convened an energy and cyber security conference at the Baker Institute and published the report Cybersecurity Issues and Policy Options for the U.S. Energy Industry. A case study on the Shamoon cyber event is forthcoming. Bronk works with the FBI and other government agencies on cyber security issues relevant to the U.S. oil and gas industry.
He teaches on the intersection of computing and politics holding an appointment in Rice’s George R. Brown School of Engineering. He has published widely on cybersecurity and the impact of Information technology upon foreign affairs. Holding a Ph.D. from The Maxwell School of Syracuse University, Bronk also studied international relations at Oxford University and received a bachelor’s degree from the University of Wisconsin–Madison.
Comments