The recent attacks in Brussels–the deadliest acts of terrorism in Belgium’s history–revealed the increasing complexity of securing against global terrorist threats. In the United States, there are over 2.5 million miles of pipeline that are at an increasing risk of attack—both cyber and physical.
Although there have been no successful attacks against the nation’s pipeline system, there have been several attempts. The House Committee on Homeland Security’s Transportation Security Subcommittee held a hearing on April 19 to address possible safety vulnerabilities within the pipeline system.
Subcommittee Chairman John Katko (R-NY) said the nation needs to outline ways to protect the US pipeline system against both physical and cyberattacks. He cited cyberattacks as the biggest potential threat to the nation’s pipeline system.
“As hackers become more sophisticated, we cannot discount the possibility that they may one day seek to intrude on the industrial control systems, disrupting the flow of oil and natural gas,” Katko said.
The network of pipelines in the United States is used to carry oil, gas and other hazardous wastes. Pipelines have been deemed the safest ways to move these liquids and are critical to the nation’s infrastructure and economy.
Cyberattacks could infiltrate supervisory control and data acquisition systems and cause fires, spills, or explosions within the nation’s pipelines from remote locations over the Internet or from other mobile technologies.
The threat level for pipeline attacks in the US is relatively low. However, the frequency of attacks abroad and the rise of ISIS is cause for concern. “Our adversaries, including China, North Korea, Russia and Iran have shown a proclivity for launching sophisticated cyberattacks against US companies, banks and critical infrastructure,” Katko said.
The Transportation Security Administration (TSA) currently works with industry stakeholders and other government organizations, such as the Pipeline and Hazardous Materials Safety Administration, to ensure pipeline safety.
The most recent cyber regulations from the TSA were written in 2011. Furthermore, it has been several years since the subcommittee held a hearing on the status of the nation’s pipelines, according to Rep. Kathleen Rice (D-NY).
“We must remain cognizant of the fact that terrorists are always looking to exploit vulnerabilities and our pipelines are a major target, so we always have to stay two steps ahead,” Rice said.
TSA Surface Division Director Sonya Proctor said TSA conducts corporate and physical reviews with industry pipeline operators and works closely with government officials to ensure pipeline security from terrorist attacks. TSA measures the risk to pipelines based on several factors including the amount of energy transferred, number of miles in high-consequence or high-threat urban areas, the number of pipelines on military bases and pipelines that serve electric power plants.
To defend systems against cyberattacks, pipeline operators currently follow the American Petroleum Institute Standard 1164, which requires operators to keep systems for pipeline operations separate from business systems, said Andrew Black, CEO and president of Oil Pipe Lines.
The API Standard 1164, from the pipeline SCADA Security, requires pipeline operators to follow precautionary measures and understand preventative behavior for sound security practices regarding business and government requirements. API Standards regulate industry practices in order to preemptively protect companies from safety concerns, among other factors. These standards are updated annually.
In addition to these standards, there are currently recommendations provided by TSA to industry executives regarding safety concerns, though these guidelines are not required of industry leaders.
“I believe the environment in which we operate now allows a great deal of flexibility, and certainly within the current environment with the evolving threats, the ability to be flexible I think is very important,” Proctor said. “We have had great success with voluntary guidelines … We are pleased to have this kind of collaboration and partnership with the industry.”