Written By Sarah Smith, Energy Reporter at S&P Global Market Intelligence
While a recent series of explosions and fires in the Boston area was not caused by malicious forces, cybersecurity experts warn that the technology involved in the gas utility accident is a vulnerability hackers could target when trying to disrupt U.S. energy systems.
In the case of the Sept. 13 gas distribution system disaster in Massachusetts, federal investigators with the National Transportation Safety Board, or NTSB, have focused on utility equipment that manages pipe flows. The ruptures on the system of Bay State Gas Co., which does business as Columbia Gas of Massachusetts, were caused by an overpressurization of the pipeline grid, possibly linked to pressure and flow sensors sending incorrect information to pressure regulation equipment. The utility is a unit of NiSource Inc.
Asked if hackers compromising sensors or regulators that determine flows on a utility’s supervisory control and data acquisition, or SCADA, system could create a situation resembling the Massachusetts explosions, David Blanco, business development manager at cybersecurity firm Automation Solutions LP, said Sept. 18 that it could. “Of course, my answer is completely based on my opinion and experience, but yes.”
Blanco pointed to a Turkish oil pipeline system that was compromised in 2008. In that instance, the hackers’ way into the SCADA system was through its surveillance system, using it as an entry point to manipulate information in the system that dictated what safe pressures looked like, ultimately resulting in an overpressured line, Blanco said.
“This attack demonstrated the skills of the hackers in controlling equipment, jamming communications, deleting the right records and suppressing alarms,” Blanco said. “Not only does this prove that hackers have the technical skills to be successful, but also that their goals include destroying [industrial control system, or ICS] equipment in the field.”
The NTSB said Sept. 15 that investigations into the Columbia Gas of Massachusetts explosions had found no evidence of “anything nefarious, anything suspicious, anything intentional associated with this disaster.”
‘Small destruction but big disruption’
Cyberattacks can compromise data availability, data integrity and data confidentiality, and any of these losses can have disastrous consequences for an ICS, Blanco said. This sort of breach would likely be more able to disrupt lives and lines of business than to completely destroy infrastructure, he added.
If cyber intruders were able to get into a SCADA system that monitors and controls pressures and valves and override the controls, the breaches would likely be “be small destruction but big disruption,” Blanco said. Blanco’s previous work has focused on cybersecurity issues for SCADA systems, including development and integration of SCADA technologies and systems.
“If a pipeline or refinery is destroyed after an attack, then the attackers will consider themselves very lucky. The goal of attacks … is disruption first, destruction second,” Blanco said. “[A] whole pipeline [doesn’t] need to be destroyed for the entire process to be disrupted.”
In the energy sector, infrastructure spanning hundreds of miles is often operated from remote locations, meaning hackers can compromise one site and then pivot to reach other parts of the system if the right protections and controls are not in place, Blanco said.
Barriers to breaches
A utility or other pipeline operator would likely have multiple layers of defense to prevent a breach of a single barrier from causing physical damage to the system, said Richard Kuprewicz, a pipeline safety expert and the president of consulting firm Accufacts Inc.
“A properly designed gas distribution system will not rely on SCADA to be the last line of defense against overpressure,” Kuprewicz said. “There are probably some pipeline operators cutting corners and over-relying on SCADA, but my experience would suggest darn few.”
Joseph Dancy, an energy-focused law professor at the University of Oklahoma, expressed concern that the dispersed nature of the energy system can leave certain critical infrastructure components, including pressure sensors and regulators, open to cyberattacks. Dancy co-authored a 2017 paper on the cybersecurity risks to oil and gas pipelines.
“A lot of the valves are computer controlled in the distribution system, and I’ve been in the control room of a gas system for a major city and seen them turn the valves up and down to adjust pressure,” Dancy said Sept. 18. “Even with the best controls and cybersecurity, I have been advised that almost any barrier can be breached with enough time and resources.”
This article first appeared on Thursday, 20 September 2018 12:50 PM ET. The original article can be found at https://platform.mi.spglobal.com/web/client?auth=inherit#news/article?id=46579155&cdid=A-46579155-10285.
To learn how to protect your endpoint devices from a cyberattack, visit our CryptoMod page to learn more.