Cyber attack

Well over a month since my last post of any substance – shocking!  I haven’t lost interest in this blog, just had a very busy period followed by a holiday to visit family.

A year or two ago there was some media coverage of the Stuxnet computer malware that specifically targeted uranium enrichment facilities in Iran.

Since then whenever I’m running an SMS for a complete pipeline system I have suggested considering cyber attack as a genuine threat (not applicable to SMSs for localised changes or encroachments).  I am only a layman in this area, but it seems plausible that malcontents wishing to disrupt a society could do so by targeting infrastructure such as pipelines (or water plants, or electric power systems, or …), and a cyber attack is cleaner and safer for the perpetrators than explosives.

The US Department of Homeland Security has a cyber-security team which in turn has an industrial control systems division (ICS-CERT).  Recently they have highlighted “an active series of cyber intrusions targeting natural gas pipeline sector companies” (download ICS-CERT PDF newsletter here, and there is a little more information in this magazine article).  Hence it seems that such attacks on pipeline infrastructure are not a fantasy.

A cyber attack is unlikely to be a threat to pipeline integrity but could be a threat to continuity of supply, and for many pipelines that is just as important in terms of impact on the community.  So it is a topic worthy of mention in an SMS even if only to raise an action to ensure it is considered by the appropriate experts outside the SMS team.  It can be an interesting exercise to evaluate the risk and see where it lands in the risk matrix – not as low as might initially be expected.

To date I have found the response of pipeline companies appears to be a little patchy – some claim to be already right on top of the issue, others seem a bit bemused and initially dismissive – “we have a firewall, isn’t that enough?”.  Despite not being an IT person I’m well aware that a firewall is nowhere near enough, particularly given the nature of the attacks reported by ICS-CERT which involve “spear phishing” – a form of social engineering that tries to trick identified individuals in the target organisation into revealing details that would allow access to hackers.

Australian pipelines are probably at less risk than those in the US, but that is no justification for complacency.
