In a recent annual review, a team at the Department of Homeland Security that works to counter the threat of cyber attack on critical infrastructure counted 198 “incidents” in FY 2012, according to a report from the New York Times.
The “incidents” reported range from the use of malware to sabotage systems to phishing attacks for retrieving sensitive information. In about 40 percent of those cases, the target was the energy sector – a cause for some alarm.
A November White House draft executive order calls for concerted agency action on cyber security, calling the attacks on critical infrastructure “one of the most serious national security challenges we must confront,” the article reports. Last year, for example, the natural gas industry fought off a lengthy and ultimately unsuccessful series of attacks on its pipeline infrastructure, as the DHS issued three amber alerts – the second-most serious level of warning, the NYTimes reports.
While the Transportation Security Administration holds authority over pipeline security, it has yet to promulgate industry-wide standards for cyber security, relying on the voluntary adoption of best practices, the article notes.
Pipeline vulnerability is a particular concern because of the “ubiquity of supervisory control and data acquisition, or Scada, software systems, which as used to monitor variables like pressure and flow rates. Pipeline operators can respond to any unexpected changes through remote management of valves, pumps and compressor stations,” the article says.
However, like any computer software, Scada systems are susceptible to hacking and virus attacks, including the Stuxnet computer worm. Attacks through Stuxnet or a similar virus could come in the form of unauthorized commands or false reports to operators, resulting in spills, fires or explosions, the New York Times reports.
While no historical pipeline problems have been linked to malicious cyber activity, software malfunctions illustrate the potential threat. In the summer of 2010, the article says, problems in a Scada control center contributed to the spill of more than one million gallons of crude oil outside the small town of Marshall, Mich. The oil made its way into the Kalamazoo River and now ranks as one of the largest inland spills in U.S. history.
And regardless of prospects for federal cyber security regulation, pipeline managers in the U.S. are facing severe resource restraints: the equivalent of only 13 full-time employees in the TSA are responsible for overseeing nearly 1.5 million miles of pipeline.