Pipeline security is governed by the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA), both part of the Department of Homeland Security (DHS). DHS has issued two pipeline cybersecurity directives in 2021: one in May and one in July. The first directive was issued in response to the Colonial Pipeline hack and requires critical pipeline owners and operators to:
The July directive expands on this, requiring owners and operators of TSA-designated critical pipelines to:
Cyberattacks like this are costly, both to companies and consumers. The Colonial Pipeline system was shut down for six days after the cyberattack. The shutdown disrupted fuel supply across the Southeastern U.S., driving up gasoline prices and causing fuel shortages. Colonial Pipeline eventually paid a $4.4 million ransom to the group responsible for the attack.
In the oilfield services sector, proppant and logistics company Hi-Crush Inc., was the victim of a hack in April 2020. The ransomware hack impacted their servers, potentially exposing customers’ sensitive information. Hi-Crush also paid a ransom to the hackers and provided credit and fraud monitoring to any affected customers. Hacks are costly, even when physical assets are not affected.
While many attacks target IT and computer systems, physical assets are also at risk. Pipelines, valves and utility stations are all potential targets of physical sabotage. This includes destruction through terrorism, environmental activism and theft.
A recent act of ecoterrorism took place in Aspen, Colorado, in December 2020. At three Black Hills Energy utility sites in and around the city, locks and chains protecting gas valves were cut. The valves were turned, depressurizing the entire system. This cut off gas service for about 3,500 residences. To restore gas service, Black Hills Energy had to manually turn off each gas meter, repressurize and test the system, and manually turn on each meter. This cost Black Hills Energy $1.4 million and left Aspen residents without heat or hot water during frigid weather.
According to an FBI agent investigating the case, whoever turned the valves had to know how the utility system worked. This suggests that the attack was carefully planned and that the valves may have been observed beforehand.
Security services, like Panther’s remote surveillance and monitoring, could prevent or mitigate physical sabotage similar to what occurred in Aspen. Security personnel monitoring utility sites can detect trespassers checking out sites beforehand and potentially prevent sabotage or equipment theft.
Remote surveillance also keeps people safe by removing them from harm’s way. In the event of a physical attack involving an explosion or armed intruder, remote surveillance means that no personnel are onsite and at risk.
The new DHS security directives require companies to plan ahead for cyberattacks. Companies should take a similar approach with physical security by auditing their security systems, addressing any shortcomings, and creating a contingency and mitigation plan in the event of an attack. With Panther Security’s remote surveillance and monitoring services, it is easier than ever to keep remote locations safe. Contact a Panther sale representative to make an oil and gas location security plan today.