TSA cyber security requirements are still not addressing control system-unique issues

May 27, 2021
The new TSA cyber security requirements developed based on the Colonial Pipeline event will require timely identification and notification of cyberattacks. There have been more than 50 control system cyber incidents in natural gas and liquid pipeline systems yet only the Colonial Pipeline incident has been identified as being a cyber incident (cyberattack). Detecting cyberattacks against IT and OT can be done today. However, the same cannot be said for detecting control system cyber incidents (attacks and unintentional incidents) that occur with cyber insecure field devices. There is a need to continue existing cyber security training for IT and OT network operators but to extend the training to include real cases. Cyber security training is needed to be developed based on real cases for engineering and operations personnel to recognize network cyber incidents and system/equipment malfunctions that could be cyber-related. There is also a need for government and industry to coordinate the myriad standards and governmental activities on critical infrastructure cyber security to assure there are no inconsistencies.

The new TSA cyber security requirements developed in response to the Colonial Pipeline event will require timely identification and notification of cyberattacks. Cyber forensics and training are available to identify cyberattacks against IT and OT networks. However, in pipelines as in every other industry, including manufacturing and transportation, it is not always evident what is a cyberattack when it comes to control systems and control system devices. As an example, Stuxnet was a sophisticated cyberattack that appeared to be systemic design deficiencies causing equipment malfunctions. In June 2017, the safety systems in a petrochemical plant in Saudi Arabia were cyberattacked. The safety systems attacked are used extensively throughout the US in oil/gas, chemicals, water, nuclear, and other industries, including in federal facilities. The petrochemical plant shut down because of malware in the engineer’s safety system workstation. The shutdown was not identified as being caused by a cyberattack and consequently the plant was restarted with the malware still installed!

The May 2021 GAO report “CYBER INSURANCE Insurers and Policyholders Face Challenges in an Evolving Market” (https://www.gao.gov/assets/gao-21-477.pdf) also makes it clear that you have to identify cyber incidents whether they are malicious or unintentional. Specifically, the report defined a cyber incident as “an event that jeopardizes the cybersecurity of an information system or the information the system processes, stores, or transmits; or an event that violates security policies, procedures, or acceptable use policies, whether resulting from malicious activity or not. Cyber incidents, including cyberattacks, can damage information technology assets, create losses related to business disruption and theft, release sensitive information, and expose entities to liability from customers, suppliers, employees, and shareholders.”

What this means to the pipeline industry

There have been more than 50 control system cyber incidents (malicious and unintentional) in natural gas and liquid pipeline systems. To date, only the recent Colonial Pipeline incident has been publicly identified as being a cyber incident (cyberattack). Ironically, from a control system cyber perspective, the Colonial Pipeline incident was not that important, as it never touched the OT network or the control systems. Yet many of the post-Colonial Pipeline recommendations focused on the potential connections between the IT and OT networks, which is a known vulnerability. The NSA document “Stop Malicious Cyber Activity Against Connected Operational Technology” (CSA_stop-mca-against-ot_uoo13672321.pdf) states “a significant shift in how operational technologies (OT) are viewed, evaluated, and secured within the U.S. is needed to prevent malicious cyber actors (MCA) from executing successful, and potentially damaging, cyber effects. As OT components continue being connected to information technology (IT), IT exploitation increasingly can serve as a pivot to OT destructive effects.” However, the lack of control system inventory, device cyber security, authentication, and cyber logging prevents pipeline operators from meeting the new cyber security guidelines. There is also a lack of control system cyber security training based on actual incidents for the control system engineers, technicians, and pipeline operators to be able to recognize equipment malfunctions as possibly being cyber-related.

Previous cyber-related pipeline ruptures

There have been two pipeline cyber-related incidents that were very impactful yet were not identified as being cyber-related and are not addressed by the NSA document. The 1999 Bellingham, WA Olympic Pipeline Co. pipeline rupture was a result of a broadcast storm (unknown whether malicious or unintentional), and the 2010 PG&E San Bruno natural gas pipeline rupture resulted from control system logic that hadn’t considered the presence of a weak pipe. Both failure modes could have been induced maliciously.

The PG&E natural gas pipeline failure that killed eight people in San Bruno, CA had many similarities to the Olympic Pipeline Company gasoline pipeline failure in Bellingham, WA that killed three people. With input from the National Transportation Safety Board (NTSB), Marshall Abrams of MITRE and I performed a comprehensive analysis of the incident. The details on Bellingham can be found in Protecting Industrial Controls from Electronic Threats.

Bellingham:

- SCADA A (primary), SCADA B (backup), and leak detection were on the same Ethernet LAN

- SCADA had previous problems prior to the accident

- No SCADA cyber security training

- The SCADA system became inoperable and was unable to remotely monitor or control valves

- Operator displays didn’t indicate loss of SCADA functionality

- Process sensors were set to average values impacting safety and process status

- Leak detection system did not function in a timely manner

San Bruno:

- SCADA was on an Ethernet LAN

- SCADA system with previous reliability issues

- No SCADA cyber security training

- On the day of the accident, PG&E was performing work on the power supply system designed to ensure that electricity remains constant. Power failed immediately prior to the accident. The power failure affected PG&E’s ability to monitor and regulate pressure in the 46-mile pipeline that ran through San Bruno. The pressure increase from opening the control valves following the loss of SCADA created an overpressure that burst a weak pipe in San Bruno.

- SCADA did not detect the pipe failure
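Both lists above share a monitoring gap: the SCADA master lost its view of the pipeline, the operator displays kept showing the last (or an averaged) value, and the overpressure was not caught. The following is an added example, not code from the original post or from either pipeline operator, of a telemetry watchdog that runs independently of the SCADA master and raises alarms for three of those conditions: a point that has not reported within its deadline (loss of SCADA visibility), a point whose value is frozen across several consecutive samples (an averaged or stuck sensor), and a pressure reading above a configured limit. The tag names (PT_101, ZS_201), the deadlines, the pressure limit and the sample stream are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PointUpdate:
    tag: str      # SCADA point name (constructed for this example)
    ts: float     # timestamp in seconds
    value: float  # engineering value as reported


@dataclass
class PointConfig:
    max_age_s: float                    # alarm if no update within this many seconds
    high_limit: Optional[float] = None  # alarm if value exceeds this (None = no limit)
    freeze_window: int = 4              # alarm if this many consecutive samples are identical


class TelemetryWatchdog:
    """Independent check on SCADA telemetry: staleness, frozen values, high limit.

    Runs outside the SCADA master so that a loss of the SCADA LAN shows up as
    STALE alarms instead of an operator display that silently stops changing.
    """

    def __init__(self, configs: Dict[str, PointConfig]):
        self.configs = configs
        self.last: Dict[str, PointUpdate] = {}
        self.history: Dict[str, List[float]] = {tag: [] for tag in configs}

    def ingest(self, upd: PointUpdate) -> List[str]:
        """Record one update and return any alarms it triggers immediately."""
        cfg = self.configs.get(upd.tag)
        if cfg is None:
            # A point we have no configuration for is itself worth flagging:
            # an unexpected tag can mean a misconfigured or unknown device.
            return [f"UNKNOWN_POINT {upd.tag}"]
        alarms: List[str] = []
        self.last[upd.tag] = upd
        hist = self.history[upd.tag]
        hist.append(upd.value)
        del hist[:-cfg.freeze_window]  # keep only the last freeze_window samples
        if cfg.high_limit is not None and upd.value > cfg.high_limit:
            alarms.append(f"HIGH {upd.tag} value={upd.value} limit={cfg.high_limit}")
        if len(hist) == cfg.freeze_window and len(set(hist)) == 1:
            alarms.append(f"FROZEN {upd.tag} value={upd.value} for {cfg.freeze_window} samples")
        return alarms

    def check_staleness(self, now: float) -> List[str]:
        """Return a STALE alarm for every point that has missed its reporting deadline."""
        alarms: List[str] = []
        for tag, cfg in self.configs.items():
            last = self.last.get(tag)
            age = None if last is None else now - last.ts
            if age is None or age > cfg.max_age_s:
                alarms.append(f"STALE {tag} age={age}")
        return alarms


def run_demo() -> List[str]:
    """Feed a constructed sample stream through the watchdog and return all alarms."""
    wd = TelemetryWatchdog({
        "PT_101": PointConfig(max_age_s=30.0, high_limit=400.0, freeze_window=4),  # line pressure
        "ZS_201": PointConfig(max_age_s=60.0),                                     # valve position switch
    })
    # Constructed sample stream: pressure drifts, then sticks at 355.0 for four
    # consecutive samples, then jumps above the limit; the valve switch reports once.
    stream = [
        PointUpdate("ZS_201", 0.0, 1.0),
        PointUpdate("PT_101", 0.0, 350.0),
        PointUpdate("PT_101", 10.0, 352.0),
        PointUpdate("PT_101", 20.0, 355.0),
        PointUpdate("PT_101", 30.0, 355.0),
        PointUpdate("PT_101", 40.0, 355.0),
        PointUpdate("PT_101", 50.0, 355.0),
        PointUpdate("PT_101", 60.0, 410.0),
    ]
    alarms: List[str] = []
    for upd in stream:
        alarms.extend(wd.ingest(upd))
    # Sixty seconds after the last update, both points have missed their deadlines.
    alarms.extend(wd.check_staleness(now=120.0))
    return alarms


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The design choice that matters here is that the staleness check is driven by the watchdog's own clock rather than by the arrival of SCADA data: if the SCADA master or its LAN fails, no update ever arrives to clear the condition, so the alarm fires regardless. The frozen-value check is deliberately simple (exact repetition over a short window); a real deployment would tune the window per point and treat a legitimately constant signal such as a closed valve differently from a live analog measurement.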

Other control system vulnerabilities

Liquid and natural gas pipelines have remotely operated safety isolation valves that are used to isolate sections of pipeline from catastrophic events like pipeline ruptures. SCADA systems are used to monitor the isolation valves. In some states, if remote control and monitoring of the valves is lost, a human has to be dispatched to the remote sites, 24/7, to operate them manually. Often the valves are located in very remote areas where voice communication over cellular can be limited. Many of these sites use cellular and satellite uplink systems for SCADA monitoring and control (potentially additional cyber vulnerabilities). Many of these critical pipeline applications utilize low-cost, cyber insecure controllers with no cyber forensic capabilities. Additionally, in the case of the San Bruno accident, it took more than 40 minutes to locate the manual shutoff/isolation valves following the pipe break. As a result, an unintended consequence of the San Bruno event was a requirement that natural gas shutoff valves be remotely automated, which has now made the natural gas industry cyber vulnerable. The concern is that inappropriately closing isolation valves can cause pipe failures.

The Aurora vulnerability is a physics-based attack that uses no malware. The Aurora vulnerability can affect pipeline integrity. In July 2015, DHS declassified more than 800 pages of previously classified Idaho National Laboratory Aurora test information. Two of the declassified slides are relevant here: one identified that an Aurora event could damage the rotating equipment in a refinery, and the other identified how Aurora could damage natural gas compressor stations. There are no cyber forensics to identify Aurora events.

There is no cyber security, authentication, or cyber logging in process sensors, actuators, drives, and other engineering equipment. Many of these devices have built-in hardware backdoors for maintenance that cannot be bypassed. Training and culture have not caught up to these gaps.

Conclusions/Recommendations

The TSA response is effectively a reaction to the Colonial Pipeline cyberattack. Consequently, it hasn’t addressed other potentially more damaging events that have already killed people. Detecting cyberattacks against IT and OT networks can be done today. However, the same cannot be said for detecting control system cyber incidents (attacks and unintentional incidents) that occur with the cyber insecure field devices. There is a need to continue existing cyber security training for IT and OT network operators but to extend the training to include real cases. Cyber security training is needed to be developed based on real cases for engineering and operations personnel to recognize network cyber incidents and system/equipment malfunctions that could be cyber-related. There is also a need for government and industry to coordinate the myriad standards and governmental activities on critical infrastructure cyber security to assure there are no inconsistencies.

Joe Weiss