Ensuring pipeline physical and cyber security

Production of oil and natural gas in the U.S. and Canada is increasing. The vast majority of these hydrocarbons will be shipped across the continent via a dense network of pipelines. The integrity of this network, however, is threatened, not only by mechanical failures, but also by targeted cyber attacks.

05/20/2015


Production of oil and natural gas in the U.S. and Canada is increasing. The vast majority of these hydrocarbons will be shipped across the continent via a dense network of pipelines. The integrity of this network, however, is threatened, not only by mechaWhile there have not been reports of pipeline attacks on U.S. soil, there have been attacks in other countries. In 2008, a section the Baku-Tbilisi-Ceylan (BTC) pipeline in Turkey was reportedly the victim of a targeted cyber attack. The pipeline ruptured, exploded, and released 30,000 barrels of oil near Refahiye after hackers allegedly infiltrated the pipeline's security camera network, disrupted the network's security communication links, gained access to control equipment of a valve station, and increased the pressure in the pipeline. If it can happen there, it can happen in the U.S. as well. 

Threats are ubiquitous

The U.S. has 182,000 miles of hazardous liquid pipelines, 325,000 miles of natural gas transmission pipelines, and 2.15 million miles of natural gas distribution pipelines, according to the U.S. Transportation Security Administration. A typical pipeline for the transport of natural gas or oil can extend hundreds of miles and be comprised of thousands of sensors, valves, pumps, and controllers. They are typically monitored by cameras, enclosed by fencing, and routinely inspected. However, every security system has its weaknesses.

Michael Assante, the SANS Institute's lead for training on industrial control systems who, in December 2014, co-authored an analysis of the then-known facts regarding the incident, said that while it is unlikely the BTC pipeline was actually cyber-attacked as originally reported, a similarly targeted attack against pipelines in general is plausible. What's worse, leaders of the oil and gas industry remain woefully ill prepared.

To understand what has happened in the realm of electronic security, and why today's industrial control systems (ICSs) are vulnerable, one must look back to 2010 and the creation of the Stuxnet worm. Developed to cripple Iranian nuclear equipment, Stuxnet helped pioneer a new and growing brand of cyber attack, Assante said.

"Before 2010, the greatest number of attacks were what we call, nontargeted malware, which inadvertently found their way into ICSs," Assante said. "But since 2014, we have evidence of a growing number of targeted ICS attacks and enhanced delivery and targeting of control systems. Some of these attacks have exploited ICSs by targeting vulnerabilities in control system software."

The speed at which attackers have been inspired directly by the Stuxnet worm or tried their own types of attacks has increased exponentially. In 2012, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Dept. of Homeland Security, identified 197 cyber-attack incidents. By 2013, that number grew to 257. This demonstrates that attacks are on the rise. What's scary is that a third of them are aimed at the energy industry. The ICS-CERT reported the majority of the attacks targeted energy and critical manufacturing companies. Of 245 reported incidents in 2014, 32% targeted the energy industry.

"The majority of incidents were categorized as having an 'unknown' access vector," said the ICS-CERT report. "In these instances, the organization was confirmed to be compromised. However, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised networks." The lack of these detection capabilities reinforces the industry's lack of preparedness, which is definitely cause for concern.

Some of the identified methods of attack noticed by the ICS-CERT included spear phishing and network scanning. 

Cyber security definitions

  • Spear phishing: An e-mail spoofing fraud attempt that targets a specific organization with the intention of gaining access to confidential information.
  • Network scanning: A procedure to identify active hosts to attack, or to gain an assessment of network security. 

The good news is that these attacks are being noticed. The bad news is the time still required to detect an attack. Just two years ago, the average time for a company to detect that it had been hacked was 416 days. Today, that gap has narrowed to 200 days, which is still unacceptable. The very nature of a cyber attack is to gain access and/or do damage to IT and control infrastructure-without raising suspicions. It's a cat and mouse game.

Taking control of an ICS means gaining command of a system's functions. After it's infiltrated, that system's designed function could be altered to allow negative things to happen for which the system is specifically designed to prevent. For example, a cyber-perpetrator could cause pressure within a pipeline to increase enough to burst it. Alternatively, information from within the ICS could be extracted, manipulated, or even sent to a third party.

Electronic security designs of the past several years including VPNs, firewalls, and antiviruses have been somewhat effective layers of security, Assante said, but when it comes to a targeted cyber attack, additional measures must be taken.

In 2014, the SANS Institute created the Global Industrial Cyber Security Professional certification to train ICS operators to understand how best to recognize and react to an attack. The certification is a step, but it cannot be the only one. In many cases, there are inherent vulnerabilities within the ICS that must still be addressed.

"There are very few technologies deployed within control systems themselves to help with security challenges. There is a lack of network-based monitoring within the control network and there is a lack of endpoint security on many of the servers and workstations in those environments. A lot of industrial protocols are not authenticated, so after he or she is on the network, an attacker can simply inject commands," Assante said.

Updating an ICS and patching internal weaknesses can be expensive and often requires its complete shutdown, which can be dissuasive. This makes addressing these internal weaknesses difficult for companies to accomplish.

The attacks seen so far in the U.S. have not been as destructive as the alleged attack against the BTC pipeline in Turkey. They have instead been more subtle in nature.

"Most of the incidents I am aware of would suggest the attackers were interested in gaining and sustaining access to the control system—to get there and stay there," Assante said. "The second [thing they would suggest] is to steal information, the motivation for which we are not clear."

After an attack, it is imperative to understand how the attack occurred to fortify weak areas and ensure another does not happen. Companies must delve deeper and conduct engineering assessments to determine what cyber attackers could accomplish after successful infiltration.

The concern is while infiltrating an ICS, attackers learn about how it is structured, its settings, configurations, and process data. If sensitive economic or confidential information is discovered and removed by attackers, how could that information be used to launch an even more tailored attack?

"We need to be looking for this now," Assante said. "Having that knowledge can set you up for developing what we call 'specific capability,' to come back later with a stronger attack. So is that their motivation? We don't know." Not knowing why is scary.

Stealing information from a pipeline operator's ICS could, in some cases, have commercial market value for several entities. For example, learning the throughput value of a pipeline could have economic security implications. Having this information could also have industrial espionage implications. It could prove useful in understanding how best to position oneself to leverage competitively.

Unfortunately, it is unlikely that computer attacks will slow down in the future. Assante said he expects the number of attacks to increase as more successful attacks occur. With each attack, the perpetrators learn more about the methods to attack and improve their cyber-attack techniques.

"Over time, people will accumulate their knowledge, tools will become available, virus exploit codes will be out there to be captured and reused, and so the base of who could be conducting these attacks successfully typically grows over time." This makes protecting against future attacks increasingly more tricky. 


<< First < Previous Page 1 Page 2 Next > Last >>

The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
HMI effectiveness; Distributed I/O; Engineers' Choice Award finalists; System Integrator advice; Inside Machines
Women in engineering; Engineering Leaders Under 40; PID benefits and drawbacks; Ladder logic; Cloud computing
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
HMI effectiveness; Distributed I/O; Engineers' Choice Award finalists; System Integrator advice; Inside Machines
Women in engineering; Engineering Leaders Under 40; PID benefits and drawbacks; Ladder logic; Cloud computing
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
HMI effectiveness; Distributed I/O; Engineers' Choice Award finalists; System Integrator advice; Inside Machines
Women in engineering; Engineering Leaders Under 40; PID benefits and drawbacks; Ladder logic; Cloud computing
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me