Ensuring pipeline physical and cyber security

Production of oil and natural gas in the U.S. and Canada is increasing. The vast majority of these hydrocarbons will be shipped across the continent via a dense network of pipelines. The integrity of this network, however, is threatened, not only by mechanical failures, but also by targeted cyber attacks.

05/20/2015


While there have not been reports of pipeline attacks on U.S. soil, there have been attacks in other countries. In 2008, a section of the Baku-Tbilisi-Ceyhan (BTC) pipeline in Turkey was reportedly the victim of a targeted cyber attack. The pipeline ruptured, exploded, and released 30,000 barrels of oil near Refahiye after hackers allegedly infiltrated the pipeline's security camera network, disrupted the network's security communication links, gained access to control equipment of a valve station, and increased the pressure in the pipeline. If it can happen there, it can happen in the U.S. as well.

Threats are ubiquitous

The U.S. has 182,000 miles of hazardous liquid pipelines, 325,000 miles of natural gas transmission pipelines, and 2.15 million miles of natural gas distribution pipelines, according to the U.S. Transportation Security Administration. A typical pipeline for the transport of natural gas or oil can extend hundreds of miles and comprise thousands of sensors, valves, pumps, and controllers. Pipelines are typically monitored by cameras, enclosed by fencing, and routinely inspected. However, every security system has its weaknesses.

Michael Assante, the SANS Institute's lead for training on industrial control systems, co-authored an analysis in December 2014 of the then-known facts regarding the incident. He said that while it is unlikely the BTC pipeline was actually cyber-attacked as originally reported, a similarly targeted attack against pipelines in general is plausible. What's worse, leaders of the oil and gas industry remain woefully ill-prepared.

To understand what has happened in the realm of electronic security, and why today's industrial control systems (ICSs) are vulnerable, one must look back to 2010 and the creation of the Stuxnet worm. Developed to cripple Iranian nuclear equipment, Stuxnet helped pioneer a new and growing brand of cyber attack, Assante said.

"Before 2010, the greatest number of attacks were what we call, nontargeted malware, which inadvertently found their way into ICSs," Assante said. "But since 2014, we have evidence of a growing number of targeted ICS attacks and enhanced delivery and targeting of control systems. Some of these attacks have exploited ICSs by targeting vulnerabilities in control system software."

The pace of attacks, whether inspired directly by the Stuxnet worm or of the attackers' own devising, has increased exponentially. In 2012, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Dept. of Homeland Security, identified 197 cyber-attack incidents. By 2013, that number grew to 257. This demonstrates that attacks are on the rise. What's scary is that a third of them are aimed at the energy industry. The ICS-CERT reported the majority of the attacks targeted energy and critical manufacturing companies. Of 245 reported incidents in 2014, 32% targeted the energy industry.

"The majority of incidents were categorized as having an 'unknown' access vector," said the ICS-CERT report. "In these instances, the organization was confirmed to be compromised. However, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised networks." The lack of these detection capabilities reinforces the industry's lack of preparedness, which is definitely cause for concern.

Some of the identified methods of attack noticed by the ICS-CERT included spear phishing and network scanning. 

Cyber security definitions

  • Spear phishing: An e-mail spoofing fraud attempt that targets a specific organization with the intention of gaining access to confidential information.
  • Network scanning: A procedure to identify active hosts to attack, or to gain an assessment of network security. 

The good news is that these attacks are being noticed. The bad news is the time still required to detect an attack. Just two years ago, the average time for a company to detect that it had been hacked was 416 days. Today, that gap has narrowed to 200 days, which is still unacceptable. The very nature of a cyber attack is to gain access and/or do damage to IT and control infrastructure without raising suspicions. It's a cat and mouse game.

Taking control of an ICS means gaining command of a system's functions. After it's infiltrated, that system's designed function could be altered to allow the very outcomes the system is specifically designed to prevent. For example, a cyber-perpetrator could cause pressure within a pipeline to increase enough to burst it. Alternatively, information from within the ICS could be extracted, manipulated, or even sent to a third party.

Electronic security designs of the past several years, including VPNs, firewalls, and antivirus software, have been somewhat effective layers of security, Assante said, but when it comes to a targeted cyber attack, additional measures must be taken.

In 2014, the SANS Institute created the Global Industrial Cyber Security Professional certification to train ICS operators to understand how best to recognize and react to an attack. The certification is a step, but it cannot be the only one. In many cases, there are inherent vulnerabilities within the ICS that must still be addressed.

"There are very few technologies deployed within control systems themselves to help with security challenges. There is a lack of network-based monitoring within the control network and there is a lack of endpoint security on many of the servers and workstations in those environments. A lot of industrial protocols are not authenticated, so after he or she is on the network, an attacker can simply inject commands," Assante said.

Updating an ICS and patching internal weaknesses can be expensive and often requires its complete shutdown, which can be dissuasive. This makes addressing these internal weaknesses difficult for companies to accomplish.
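Where patching is impractical, the missing network-based monitoring described above can be added passively. The sketch below is an added example, not part of the original article: it assumes Modbus/TCP as the unauthenticated protocol (the article names none), and the host addresses and write allowlist are hypothetical.

```python
import struct

# Modbus/TCP function codes that change device state (writes).
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allowlist: the only hosts expected to issue writes to controllers.
AUTHORIZED_WRITERS = {"10.10.1.5"}


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header plus function code; None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7]}


def audit(packets, authorized=AUTHORIZED_WRITERS):
    """Alert on write requests from hosts outside the allowlist and on
    payloads sent to controllers that do not parse as Modbus/TCP."""
    alerts = []
    for src, dst, payload in packets:
        hdr = parse_modbus_tcp(payload)
        if hdr is None:
            alerts.append((src, dst, "malformed Modbus/TCP frame"))
        elif hdr["function"] in WRITE_CODES and src not in authorized:
            alerts.append((src, dst, "unauthorized " + WRITE_CODES[hdr["function"]]))
    return alerts


def build_frame(tid, unit, pdu):
    """Build a constructed sample request for the demo traffic below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample requests (src, dst, TCP payload); not a real capture.
SAMPLE = [
    ("10.10.1.5", "10.10.2.20", build_frame(1, 1, bytes([3, 0, 0, 0, 2]))),      # HMI read
    ("10.10.1.5", "10.10.2.20", build_frame(2, 1, bytes([6, 0, 10, 1, 244]))),   # HMI write
    ("10.10.9.77", "10.10.2.20", build_frame(3, 1, bytes([6, 0, 10, 9, 196]))),  # unknown writer
    ("10.10.9.77", "10.10.2.20", b"\x00\x01\x00\x00"),                           # truncated
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Because the protocol carries no sender authentication, the source address is the only identity such a monitor can check, so the allowlist is most useful alongside network segmentation that limits which hosts can reach the controllers.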

The attacks seen so far in the U.S. have not been as destructive as the alleged attack against the BTC pipeline in Turkey. They have instead been more subtle in nature.

"Most of the incidents I am aware of would suggest the attackers were interested in gaining and sustaining access to the control system—to get there and stay there," Assante said. "The second [thing they would suggest] is to steal information, the motivation for which we are not clear."

After an attack, it is imperative to understand how the attack occurred to fortify weak areas and ensure another does not happen. Companies must delve deeper and conduct engineering assessments to determine what cyber attackers could accomplish after successful infiltration.

The concern is that, while infiltrating an ICS, attackers learn how it is structured, along with its settings, configurations, and process data. If sensitive economic or confidential information is discovered and removed by attackers, how could that information be used to launch an even more tailored attack?

"We need to be looking for this now," Assante said. "Having that knowledge can set you up for developing what we call 'specific capability,' to come back later with a stronger attack. So is that their motivation? We don't know." Not knowing why is scary.

Stealing information from a pipeline operator's ICS could, in some cases, have commercial market value for several entities. For example, learning the throughput value of a pipeline could have economic security implications. Having this information could also have industrial espionage implications. It could prove useful in understanding how best to position oneself to leverage competitively.

Unfortunately, it is unlikely that computer attacks will slow down in the future. Assante said he expects the number of attacks to increase as more successful attacks occur. With each attack, the perpetrators learn more about the methods to attack and improve their cyber-attack techniques.

"Over time, people will accumulate their knowledge, tools will become available, virus exploit codes will be out there to be captured and reused, and so the base of who could be conducting these attacks successfully typically grows over time." This makes protecting against future attacks increasingly tricky.

