For years, the U.S. intelligence community has questioned how vulnerable oil and gas pipelines are to a destructive cyberattack.
They got an answer when hackers targeted an oil pipeline in Turkey. Majority-owned by BP, the Baku-Tbilisi-Ceyhan pipeline was built to be one of the most secure in the world. But it was no match for the digital intruders who injected malicious software into the control network, allowing them to tamper with the system and cause an explosion that sent flames 150 feet into the air. Investigators couldn't determine whether a bomb was also used, as the explosion incinerated any evidence.
The incident occurred in 2008 but is only coming to light now, making it one of the earliest known examples of a cyberattack used to destroy critical infrastructure. And it has security experts and officials worried about the implications for the U.S. There are 182,000 miles of pipelines that carry oil, chemicals and other hazardous liquids, 325,000 miles of pipelines that transmit natural gas in bulk between states, and 2.2 million miles of pipelines that distribute natural gas to homes and businesses, according to the Transportation Security Administration.
Monitoring all those miles of pipelines is a daunting task, as you can see in the map below (one of many available on the Web). The attackers in Turkey were able to walk up to the pipeline to perform reconnaissance and begin their incursion through the wireless network.
Once a hacker can get physically close to a pipeline or other piece of infrastructure, simply by walking or driving up to it, "all bets are off," said Marco Ayala, a senior industrial cybersecurity and SCADA manager with aeSolutions, an engineering and automation company that works with oil and gas companies on process safety.
The pipeline explosion is an "early indicator of things to come," said JD McCreary, who spent his career in the Department of Defense in electronic warfare, including his last position as director of strategic and international initiatives at the Joint Electronic Warfare Center.
One big concern is that most of the pipelines are operated by private companies, which could limit the government's visibility into their operations. McCreary, who is now chief of disruptive technology programs at Georgia Tech Research Institute, said "there's a lot of value to being able to execute remote operations on digital systems, and there are tough choices to balancing private business costs and efficiencies versus national security dependencies on privately owned infrastructure."
Pipeline operators take cybersecurity "very seriously" and keep operations communications separated from business and outside communications, said John Stoody, vice president of government and public relations for the Association of Oil Pipe Lines. He said the owners and operators of America’s liquid pipelines, which his group represents, participate in the Department of Homeland Security and the Transportation Security Administration's security efforts.
"While we are unaware of any successful cyberattacks on U.S. liquids pipelines, we will remain vigilant against any such threats," Stoody said in an e-mail.
Continued vigilance is warranted, given the view that what happened in Turkey will happen in the U.S. Last month, Michael Rogers, director of the National Security Agency and commander of the U.S. Cyber Command, told the House Intelligence Committee that “it is only a matter of the ‘when,’ not the ‘if,’ that we are going to see something dramatic” in a cyberattack on the country's critical infrastructure.