Facing up to the cyber threat
The end of March and beginning of April saw several pipeline companies in the US targeted by cyberattacks. Third-party communications system provider Latitude Technologies was attacked. Pipeline companies Oneok, Boardwalk Pipeline Partners, Energy Transfer Partners and Chesapeake Utilities’ Eastern Shore Natural Gas were also hacked. According to spokespeople from the companies involved, all of the breaches passed without severe consequence: there were no pipeline shutdowns and no data was compromised. Oneok disabled its system as a precaution, Energy Transfer Partners reported a system shutdown (with no effect on gas flow) and Latitude is investigating the seriousness of the compromise.
The systems that were attacked were electronic data interchange (EDI) platforms, designed to facilitate computer-to-computer exchanges of documents with customers. Companies such as Latitude facilitate communication between pipeline companies, their gas producers and utility users, handling information about storage, contracts, shipment, invoices and scheduling, etc. EDI systems may prove to be the relatively easy entry point for hackers looking to further infiltrate pipeline networks and disrupt oil and gas supply.
While the INGAA has downplayed the attacks (spokesperson Cathy Landry said “while an attack on a network certainly is inconvenient and can be costly […] there is no threat to public safety or natural gas deliveries”), I suspect that the US government, and others around the world, will be taking notice.
The latest attacks on pipeline systems are significant in a few ways. Pipeline infrastructure is increasingly reliant on computer networks for everyday operations, notifications and alerts, and customer communication.
The US is ultra-sensitive to any potential malevolence coming from Russia these days. Homeland Security has recently acknowledged Russia’s role in attacks targeting US networks – in March it warned that Russian hackers were actively seeking to attack the US electricity grid and other key national infrastructure. The state of Atlanta was hit by a ransomware attack this year and it crippled the city government for more than a week.
US pipelines have been targeted before, back in 2012, when a number of ‘cyber-intrusions’ in the form of active phishing campaigns towards natural gas pipeline companies were detected.
At present, US pipeline companies are not obliged to report cyber events to the Transportation Security Administration (TSA). Last month the TSA issued a 27-page report on pipeline security, with a section on cybersecurity: it recommended that pipeline companies establish a cybersecurity plan, limit network access and change default passwords – pretty elementary stuff. Looking to the future, it’s clear that the oil and gas sector is at least underprepared for – or at worst extremely vulnerable to – cyberattacks. Siemens published a study last year that found that one in five US oil and gas companies surveyed had already experienced cyberattacks and over two-thirds were worried about the risks associated with using third parties in the operation of their pipelines. It’s probable that pipeline companies neglected to invest in and update cybersecurity after the collapse of oil prices.
This February, Department of Energy (DOE) Secretary Rick Perry announced that he would be spending US$96 million to create an office to address cyber threats within the US energy industry. Four new bipartisan bills could help tackle the problem: one creates a new assistant secretary position dedicated to cybersecurity; two of them will set up voluntary programmes to encourage the private sector to share research and data with the DOE; and a fourth would aid in establishing pipeline and LNG export cybersecurity plans.
The DOE is also offering a total pot of US$25 million in grants for new projects that pursue cybersecurity; the deadline for application is 18 June.
In this issue of World Pipelines we feature several articles on safety and the digitalisation of the pipeline industry. Starting on page 18, Honeywell describes the challenges in integrating automation technology for your pipeline operations; Metegrity writes about software for real-time processing of pipeline construction information; InEight discusses the use of modern technology for project communication in the field; API details how safety management systems help support improvements in long-term safety performance; and Siemens considers the ways in which a cloud-based lifecycle management model can keep complex pump station assets ready for fast deployment.
These cutting-edge technologies should be matched by cybersecurity that can handle the changing face of operational advances. As Siemens says in its cybersecurity ‘Charter of Trust’: “As much as these advancements are improving our lives and economies, the risk of exposure to malicious cyberattacks is also growing dramatically.”1