Few security topics have elicited as much mythology as pipeline security incidents. Perhaps it is the nature of the esoteric equipment involved, the stories of explosions in the tundra, international intrigue, or just the fact that the scale of what could happen, and its impact, is so broad. I happen to live along the path between the Permian Basin (the US’s largest petroleum reserves) and the Gulf Coast refinery belt and am sensitized to pipeline issues. When it comes to pipeline security, the bottom line is that hype often outstrips reality. While the risks may be great, overstating them is damaging as well.
Let us begin with a look back to some select incidents that have caught the public’s attention. There is the Cold War “logic bomb” story about purportedly the largest kinetic cyber attack ever on a Russian pipeline. Follow that with the Turkish pipeline incident, in which Russia was allegedly the perpetrator. The critical role of Russian natural gas in Europe has been a major point of conflict, including the current US – Germany disagreement regarding the Nord Stream 2 pipeline.
Coming back to the US – there have been some very public and very real incidents – including the current case involving Colonial, all of which are worth considering for the lessons they present.
Almost three years ago, four pipelines shut down and a barrage of often incorrect headlines announced the incidents. “Insecure SCADA Systems Blamed in Rash of Pipeline Data Network Attacks”; “Cyberattack Pings Data Systems of At Least Four Gas Networks” and more rather misleading headlines were published. Yet, there was no actual contact with any SCADA systems, and the queries I received around a “ping attack” on gas networks was all misplaced. The hype had outstripped the simple reality that a sub-contractor for a data exchange was hacked. Given the lack of pricing and delivery information, deliveries were stopped. No pipeline equipment was touched—full stop.
A few months later, homes in greater Boston started to explode resulting in at least 1 tragic death and again much confusion. Might this have been another cyber-attack? The answer was much more mundane, but no less deadly. The explosions resulted from a series of operational mistakes leading to over-pressurized lines leading to homes.
And now, we have some very familiar looking headlines driving some similarly misplaced inferences regarding pipeline networks. So, let’s be clear. At the time of this writing, there is no evidence of any malevolent subversion of a pipeline control system.
So, what lessons can we learn? The breadth of the systems critical to delivery via pipelines extends far beyond what the headlines and photographs evoke – and thus the target space extends beyond pigs, pumps, and PLCs. While our minds may be drawn to these big pipes coming out of the ground, it is likely that most of the action took place in a standard rack space, in a generic data center. Dull perhaps, yet highly effective.
So, what then can be done?
Everything called for in the US Cert Darkside Ransomware is well known and understood – and none of it is unique to any pipeline. Proper segmentation, multi-factor authentication, phishing protections, user education, patching, and all the other best practices are all there. Right now, more than anything – gather actual data, differentiate between what is known and unknown, avoid speculation, and move forward with best practices with purpose.
Also, if you are looking at pipeline security directly, some additional thoughts in this pipeline security document, jointly written by Cisco and Schneider Electric / AVEVA, may be a good point of reference.
Additional Resources
https://foreignpolicy.com/2012/02/27/think-again-cyberwar/
https://us-cert.cisa.gov/ncas/alerts/aa21-131a
Very informative!!