U.S. Utilities Face Cybersecurity Risks as Hacker Attacks Mount

'PIPELINES FROM A NATURAL GAS INSTALLATION (IN BACKGROUND) RUN THROUGH RATTLESNAKE BAYOU AT THE WESTERN END OF THE FREEPORT SULPHUR CO. PIPELINE CANAL' by Messina, John, 1940-, Photographer (NARA record: 8464458) [Public domain], via Wikimedia Commons

The prospect of a cyberattack on public utilities and other vital infrastructure has loomed in America’s imagination for years, serving as the plot for countless films, thriller novels, and television shows. Recent news from the federal government and the private sector has brought attention back to the topic. American infrastructure may remain vulnerable to certain types of cyberattacks, and the possible damage from such an attack would impact public and private resources alike. The risks faced by public and private utilities may help businesses assess their own cybersecurity risks and serve as a model for their own risk management.

The U.S. Department of Homeland Security (DHS) recently issued an alert regarding attacks by an unknown group of hackers that, over the past six months, have targeted the nation’s natural gas pipelines. DHS reportedly does not know whether the attacks are an attempt to gain intelligence about the U.S. gas pipeline system or are intended to damage the system. The attacks involve a technique known as “spear-phishing,” which sends e-mails that appear to come from friends or family of a targeted individual. Malware attached to the e-mails infects the target’s computer and attempts to steal passwords that would allow access to utility control systems. DHS has reportedly been working with utility companies since March to fight the attacks. Hackers, some linked to China, have targeted the natural gas sector several times in the past few years.

The present threat has led to questions about what the natural gas industry, as well as other utility industries, has done to protect itself from cyberattacks. A report in the Christian Science Monitor details one effort, known as AGA-12. After the September 11, 2001 terror attacks, the natural gas industry began work on a cybersecurity system that could protect as much of the nation’s pipeline system as possible.

By 2006, they had developed AGA-12, a sophisticated encryption system that could shield key equipment from hacking and other forms of cyberattack. Each piece of equipment would have a device attached that would implement the encryption protocol, and the developers were hopeful that it would be able to repel many, perhaps most, attacks. The project’s funders, however, withdrew their support weeks before the project’s anticipated completion in 2006. This has left many parts of the pipeline system vulnerable, although advances in technology in the last six years have made piecemeal improvements to the system’s security. Additionally, the Institute of Electrical and Electronics Engineers (IEEE) has revived AGA-12 under the designation IEEE 1711-2010, and plans to present a final version soon.

As of today, no comprehensive cybersecurity protocols exist for the natural gas pipeline system and many other utilities. Security relies on efforts by individual organizations, government agencies, and occasional private citizens doing research on their own. The CS Monitor also recently reported on a cybersecurity researcher who discovered a vulnerability in a Canadian company’s industrial networking equipment used by utilities and defense contractors. The individual discovered a “backdoor” password capability when he tested equipment he had purchased on eBay. After notifying the company privately about the vulnerability, he went public to ensure that the company would take steps to correct the problem.

Prism Risk Management provides businesses and organizations with risk and loss prevention consulting and offers services in loss control planning. To learn how our team can help your organization, contact us today online or at (512) 901-0070.


