The United States has an extensive network of hazardous liquid and natural gas transmission and distribution pipelines. While there have been no reports of pipeline attacks on domestic soil, they have occurred in other nations. In 2008, a section of Turkey’s Baku-Tbilisi-Ceyhan (BTC) pipeline was the victim of a targeted cyberattack on a valve station. The pipeline ruptured, exploded and released 30,000 barrels of oil.
Many pipeline operators now recognize cybersecurity’s important role in the reliability of their networks and systems. It has become crucial as systems shift to open standards and protocols, and as accessibility and sharing of information – whether with governmental bodies or corporate systems – continue to increase.
For many firms, the focus of existing security programs is on protecting against outsider threats by hackers or terrorists. However, pipeline security has greater implications than preventing targeted and motivated cyberattacks. Pipeline operators need to consider the risks associated with a far more probable threat vector: the inadvertent and non-malicious cyber-breach. This includes insiders in trusted situations and locations who circumvent security policies without understanding the repercussions and risks of doing so.
Concerns for Operators
In recent years, cybersecurity concerns in oil and gas environments have significantly increased. Critical network segments for pipeline operations were once kept isolated, but the trend toward remote operations and maintenance, and centralized data and information systems, has made this approach impractical. New integrated and networked solutions provide an ever-larger target for cyber-threats.
Malware has also become more sophisticated, harder to eliminate and better at evading detection. Newly engineered strains of malware continue to surface, and new variations of existing malware surface at an amazing rate – as many as 6 per second, or over a half million per day, according to the 2015 McAfee Labs Threats Report.
The effect of a cybersecurity breach within the pipeline environment is far-reaching, including, but not limited to:
- Unauthorized access, theft or misuse of SCADA information
- Communications failure
- Line down, resulting in loss of transportation capacity
- Equipment damage
- Environmental damage
- Public health and safety threat
- Personal injury
- Violation of legal and regulatory requirements
Aside from potentially catastrophic physical disruptions to pipeline operations, stealing information through a cyber-breach could, in some cases, have a significant effect on a company’s competitive performance. For example, learning the throughput value of a pipeline could have economic security or industrial espionage implications.
The TSA Pipeline Security Guidelines, administered by the Surface Division Pipeline Security branch of the TSA Office of Security Policy and Industry Engagement (OSPIE), are intended to enhance the security preparedness of hazardous liquid and natural gas pipeline systems.
Following the guidelines, pipeline owners can assess the criticality of their pipeline systems, conduct uniform security vulnerability assessments and develop compliant, risk-based security programs, including awareness training for their personnel. TSA inspectors may also conduct corporate security program reviews with company officials at their headquarters.
TSA defines the recommended key elements that all pipeline operators should incorporate into security programs as:
- Systems description
- Security administration and management structure
- Risk analysis and assessments
- Physical security and access control measures
- Equipment maintenance and testing
- Personnel screening
- Personnel training
- Drills and exercises
- Security incident procedures
- NTAS response procedures
- Plan reviews
- Cyber/SCADA system security measures
- Essential security contact listings
- Security testing and audits
The TSA Pipeline Security Guidelines are only recommendations; they are not mandatory, nor are they enforced. However, with the escalating spotlight on cybersecurity threats in the industrial sector and public awareness of cyber-incidents, regulation may become a possibility for the pipeline industry (similar to the NERC CIP regulations in the power industry).
Regardless of the scope of pipeline operation, it’s essential to be prepared. Companies should shift from a reactive to proactive mode and begin the process of adopting a long-term cybersecurity strategy before regulations are mandated and the pipeline industry is forced to comply.
The TSA has outlined a three-step process for pipeline operators to follow during the design and development of their security program. The first two steps involve performing an assessment to properly identify critical and non-critical facilities in order to help ensure the most vital assets have the highest security protection. Next comes identifying the necessary facility security measures to be implemented.
The TSA recommends pipeline owners adopt baseline security measures to protect non-critical facilities. For critical facilities, they should perform a security vulnerability assessment to identify, evaluate and prioritize risks. The outcome of this assessment will determine the appropriate security measures required to properly mitigate or reduce risks. The security vulnerability assessment may include asset characterization, threat assessment, vulnerability assessment, risk determination and possible countermeasures to reduce the risk.
The final step is critical asset identification, which includes identifying and classifying all cyber-assets to determine the appropriate cyber-asset security measures to implement.
Cyber-assets that are not essential to the safety or reliability objectives of the facility are classified as non-critical. Baseline cybersecurity measures such as strict access control, system restoration and recovery plans, secure system and network architecture, and defined cybersecurity roles and responsibilities are to be applied.
Alternatively, cyber-assets that are essential to the safety or reliability objectives of the facility are classified as critical and subject to both baseline and enhanced cybersecurity measures, requiring stricter access control and periodic vulnerability assessments.
It is important to note that the TSA guidelines strongly recommend both critical facilities and non-critical facilities implement the U.S. Department of Homeland Security’s National Terrorism Advisory System (NTAS) threat level protection measures. If there is a heightened threat of terrorism, the NTAS measures supply strict security measures to help protect pipeline facilities.
Every pipeline operator can be a target for hacking and only so much can be done to thwart this. Regardless, firms must make every effort to minimize the likelihood and effect of such a threat. One plan is to take a holistic view of the entire operation and consider a comprehensive and integrated approach to security and safety. But where should this start?
First, pipeline operators should examine their security posture. Where could a cyberattack come from? What could be compromised? What would happen if an attack succeeded? Are personnel equipped to manage cybersecurity and system requirements?
Before drafting a proactive, long-term cybersecurity strategy, it is imperative to involve all communities of interest, including operations, engineering and IT, to ensure appropriate input and buy-in. The steps in this process include:
- Identify all assets in the facility, such as operator stations, servers and network equipment. Record information, including the type of operating system, IP address and subnet mask, and the vendor software each asset uses.
- Identify all the risks within the environment. This involves pinpointing possible threats and associated security vulnerabilities.
- Create an action plan that prioritizes all the vulnerabilities identified during the risk assessment. The action plan must outline the necessary remediation steps to minimize or eliminate the risk. Timelines should be included.
Within an industrial operation, there are three main components of security: people, process and technology. For a security program to be successful, all three of these elements must be accounted for within the security strategy. For example, a facility could conduct employee security awareness training (the people component), create an incident response plan (the process component) and maintain up-to-date, anti-virus software (the technology component).
Owners of oil and gas pipelines need to recognize that the most important parts of a security program are identifying business risks, being proactive, embracing a security philosophy and developing a long-term strategy that eliminates or reduces potential threats.
To protect systems and networks, pipeline operators need a comprehensive approach to cybersecurity that involves ongoing risk assessment, well-defined security policies and an aggressive overall security posture. Operators must remain vigilant, as the consequences of cyberattacks on critical pipeline infrastructure are too great to ignore.
Author: Mike Baldi is a cybersecurity solutions architect who has worked at Honeywell for over 36 years, having led a team providing technical support for industrial process control systems and advanced applications and serving as the lead systems engineer for HPS system test. He recently moved to the Honeywell Industrial Cyber Security organization. Baldi holds a bachelor’s degree in computer science and an MBA in technology management.