Well over a month since my last post of any substance – shocking! I haven’t lost interest in this blog, just had a very busy period followed by a holiday to visit family.
A year or two ago there was some media coverage of the Stuxnet computer malware that specifically targeted uranium enrichment facilities in Iran.
Since then whenever I’m running an SMS for a complete pipeline system I have suggested considering cyber attack as a genuine threat (not applicable to SMSs for localised changes or encroachments). I am only a layman in this area, but it seems plausible that malcontents wishing to disrupt a society could do so by targeting infrastructure such as pipelines (or water plants, or electric power systems, or …), and a cyber attack is cleaner and safer for the perpetrators than explosives.
The US Department of Homeland Security has a cyber-security team which in turn has an industrial control systems division (ICS-CERT). Recently they have highlighted “an active series of cyber intrusions targeting natural gas pipeline sector companies” (download ICS-CERT PDF newsletter here, and there is a little more information in this magazine article). Hence it seems that such attacks on pipeline infrastructure are not a fantasy.
A cyber attack is unlikely to be threat to pipeline integrity but could be a threat to continuity of supply, and for many pipelines that is just as important in terms of impact on the community. So it is a topic worthy of mention in an SMS even if only to raise an action to ensure it is considered by the appropriate experts outside the SMS team. It can be an interesting exercise to evaluate the risk and see where it lands in the risk matrix – not as low as might initially be expected.
To date I have found the response of pipeline companies appears to be a little patchy – some claim to be already right on top of the issue, others seem a bit bemused and initially dismissive – “we have a firewall, isn’t that enough?”. Despite not being an IT person I’m well aware that a firewall is nowhere near enough, particularly given the nature of the attacks reported by ICS-CERT which involve “spear phishing” – a form of social engineering that tries to trick identified individuals in the target organisation into revealing details that would allow access to hackers.
Australian pipelines are probably at less risk than those in the US, but that is no justification for complacency.