While industry leaders develop proactive methods to reduce the threat and consequences of extreme, “act of God” weather events to protect their interests, they must also address the threats of vandalism and cyberattack conceived by mere mortals.
According to Eduardo Munoz, principal consultant with Dynamic Risk Assessment Systems Inc., pipeline risk assessment must evolve to address new threats prompted by “increased computational capabilities and data availability, changes in behavioral patterns, enhanced mobility, the complexity of cyber-physical networks and malevolent intent to disrupt the operation of critical infrastructure.”
Munoz pointed out during his presentation at Houston’s 2023 Pipeline Pigging and Integrity Management Conference that pipeline integrity management systems (PIMS) are now far more commonplace than in previous years. Following the Colonial Pipeline cyberattack in 2021, the Pipeline and Hazardous Materials Safety Administration (PHMSA) is actively inspecting for and enforcing components of cybersecurity, including control room regulations, integrity management plan requirements and emergency plan regulations.
An effective corporate security plan, he said, should provide guidance to nine specific areas: roles and responsibilities; inventory and hierarchy of assets to be assessed for security risk; data sources and data providers; criticality assessment method; security vulnerability assessment (SVA) method; corporate risk matrix; scheduling rules (monitoring and SVA); and baseline and enhanced security measures implementation criteria.
While most pipeline risk models assign a financial factor representing material losses, service interruption, loss of personnel and/or human life, loss of reputation and impact on the environment, financial factors due to vandalism “should also consider the impact on system redundancies, asset interdependencies and interruption of contracts in place,” Munoz said.
Further, “asset attractiveness” is a factor that assesses the perceived value of the asset, he said. “It is an indication of the correct selection of the target, the likelihood of the attack and effect of any deterrence measures,” Munoz said, adding that a basic assessment method of the target attractiveness would consider “land use as an indicator of remoteness, service/utility as a classifier for perceived consequence and lack of signage and fencing as a measure of lack of deterrence.”
Unfortunately, Munoz said he believes that “internal actors” optimize the target selection for vandalism and/or cyberattack, as they render any deterrence measures ineffective and “can elucidate walks around most physical measures.”
“An insider can jump directly to the attack execution, skipping the target recognition, surveillance, planning and rehearsal steps,” Munoz said. “Developing indicators for the presence of inside actors is controversial since it implies having some type of intelligence of the operators’ own employees and contractors.”
Asset vulnerability, Munoz said, is a measure of the effectiveness of the security measures in place and is generally assessed through a long questionnaire concerning the implementation of physical and technical measures, and security programs and procedures.
“Cursory vehicle identification and search help prevent theft and terrorism but are not necessarily effective against political demonstrations or arson,” Munoz said. He urged operators to reassess criticality and vulnerability when a major modification to the asset process occurs, such as during upgrades or downgrades; when increased security measures are implemented; “or at a pre-established re-assessment interval.”
Oil and gas cyber-physical systems in the upstream and downstream sectors are deemed more complex, and thus more vulnerable to cyberattacks, than those in the midstream sector.
“E&P systems currently operate with relatively low cyber risks, but their operations will soon require real time, big data acquisition and processing in computing clusters, which in turn will multiply the cyberattack effects,” Munoz warned.