US fights cyber-attacks on gas pipelines
The organisations managing US gas pipelines are now in a state of high alert following news that the network’s computerised control systems have been targeted by cyber-attacks over recent months.
On 4 May, the US Department of Homeland Security confirmed a series of “intrusions targeting natural gas pipeline sector companies” that have been taking place since December 2011. The department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) took the unusual step of issuing an alert to warn of so-called “spear-phishing” attacks by unknown assailants targeting employees with “convincingly crafted” emails.
Spear-phishing is the practice of gathering information about employees at an organisation and then sending bogus emails to them intended to get them to reveal passwords or other security information.
It is not known how far the attacks have spread, although ICS-CERT said that analysis of the malware [malicious software] and artefacts associated with these cyber-attacks has identified this activity as related to a “single campaign”. The red alert was followed by an advisory on specific software products that “an attacker with a low skill level would be able to exploit”.
Security analysts have speculated that the attacks could be intended either to reveal information about oil and gas movements or to gain enough information to sabotage the pipeline network.
One programme under scrutiny, the “supervisory control and data acquisition” or SCADA system, is software used to remotely control valves and other operations of pipelines and compressors. In the past 20 years such systems have become standard equipment in oilfields and well sites around the globe. The specific product, made by China-based WellinTech, contained an insecure password vulnerability, which the company says has been rectified, according to ICS-CERT.
However serious the vulnerability or the intention, the holes expose a chink in the soft underbelly of the North American infrastructure grid and reinforce a perception of vulnerability. There’s a worry that a misplaced keystroke might allow a terrorist to wreak havoc on power and nuclear facilities.
But it remains difficult to judge how realistic those fears are, or who would want to wage a cyber-war. Any number of online attackers could be to blame, from groups such as the Anonymous hacking collective, seeking to illustrate a vulnerability, to a nation state seeking to exploit it.
The governments of China and Russia have been accused of cyber-espionage against the West. In turn, the US has been accused of planting the Stuxnet virus to cripple Iran’s nuclear programme. In 2011 former CIA director Leon Panetta warned that a cyber attack could be America’s next “Pearl Harbor”.
If a foreign power were trying to subvert control of pipelines, it would be difficult to know whether the intent was to cause physical damage, steal corporate secrets or merely spy.
Homeland Security said it could not publicly disclose the extent of the latest pipeline cyber-attack or even what specific threat it posed – even as it briefed Senators ahead of proposed cyber-security legislation. It further vowed that, after the virus is contained, it would co-ordinate efforts to “harden” industrial networks against future attacks.
That will be a big job – some 210 US gas pipelines comprise 300,000 miles of intra- and inter-state pipe.
Washington watchers note that ignorance of exactly what is going on is not stopping lobbyists and some politicians from talking up fears on Capitol Hill, possibly in an effort to avoid funding cuts to security programmes.
It is little surprise that the security apparatus has been the big beneficiary of tightening up vigilance, although this seems to remain woefully inadequate by the government’s own admission.
Since the 9-11 attacks of 2001, Homeland Security has been one of the fastest growing departments of the US government, with budget increases outstripping even those at the Pentagon. Spending has increased 637% in the last decade, from $9 billion in 2002 to $57 billion now.
Some think that is a small price to pay, given the importance of public safety and the threat to infrastructure. But providing a sense of security is getting harder – and more expensive – in the information age.