European Energy Infrastructure Protection: Addressing the Cyber-warfare Threat
From: signa <signa...@gmail.com>
Date: Wed, 28 Oct 2009 13:30:22 -0500
Local: Wed, Oct 28 2009 2:30 pm
Subject: European Energy Infrastructure Protection: Addressing the Cyber-warfare Threat

 European Energy Infrastructure Protection: Addressing the Cyber-warfare
Threat
 Tuesday, 27 October 2009 00:00
Uwe Nerlich and Frank Umbach

  In both Western governments and industries, security concerns about
increasing cyber warfare attacks by individuals, crime organizations and
governments regarding espionage or malicious software programs that damage
and disrupt processes of critical infrastructure assets and processes have
grown considerably in the last several years. These cyber attacks have
risen to an unprecedented level of sophistication. As a result, the
vulnerabilities of digital systems and networks have grown exponentially.
However, public awareness has not kept up with these new threats and
vulnerabilities in cyberspace, which have the potential to affect all
sectors of private and public life, national and international businesses,
and even the defense policies of states, multinational organizations like
the EU, and collective security organizations like NATO.

In the age-old struggle between attacker and defender, the attacker more
than ever appears to have the advantage by being better armed and freely
choosing the intensity of the attack, as well as the target. Attackers are
no longer constrained by geographical distance and frontiers. In particular,
the emergence of botnets – a dormant virus, unnoticed by Internet users,
which the attacker can activate at any time (trojans) and at any place in
the world - allows criminal or terrorist attackers to launch massive hostile
operations for data espionage, falsifying, destroying or altering
confidential data with extraordinarily harmful effects in industry
infrastructures as well as critical national infrastructures. The newest
botnet threat, Conficker, for instance, is estimated to have infected 1.5
million computers. Without yet having any counter-strategy, the new worm
might be able to function autonomously by recruiting and commanding five
million computers in 122 countries for coordinated simultaneous attacks on
an economic system, critical national infrastructures, and national defense
networks of a country – all of them interdependent with one another. Almost
all industries and companies and even defense ministries are increasingly
dependent on the use of the open Internet and other nets, in addition to
protected intranets, which are themselves not immune to cyber-attack.

By blurring the borders between cyber crime, cyber terrorism, and private or
state-sponsored cyber war as a new form of “asymmetric warfare” in the 21st
century, the threat of a “digital Pearl Harbor” has become real. Even
hostile governments can hide behind “unholy alliances” with crime
syndicates, terrorists or nationalist movements and individuals without
risking detection and identification. Massive denial-of-service attacks by
viruses, worms and other forms of malware on servers of government
ministries, newspapers, banks, and other corporations as well as on private
web sites and on a country’s cell phones have already occurred. Examples of
such attacks have been recorded in Estonia in May 2007, Lithuania in
June-July 2008, Georgia in August 2008 and in South Korea last July in an
attack of 12,000 computers in that country and 8,000 in other countries.

With regard to critical energy infrastructure, the EU has recognized two
major challenges that it needs to confront:

• The spread of information and communication technologies (ICT) highlights
numerous new security implications for our dependencies on them in all areas
of our daily life. Market liberalization and privatization of state-owned
infrastructure operators, as well as new regulations, have made private
industry and government agencies increasingly dependent on external
providers of goods and services, including commercial off-the-shelf
(COTS)-products. At the same time, almost every single service depends
directly or indirectly on the secure supply of electricity. The physical,
virtual or logic networks have grown in size and complexity. As the result
of those growing interdependencies between various critical infrastructures
(see Figure 1), those dependencies and impacts of supply shortages and
disruptions are often not apparent until a crisis occurs and connection
breaks down. Even smaller outages, failures and disruptions can have
dramatic consequences in ever more complex systems (“the vulnerability
paradox”), something which has not been anticipated.

*Figure 1. Source: Federal Ministry of the Interior (BMI), Protecting
Critical Infrastructures – Risk and Crisis Management, Berlin, January 2008*

• Previously energy supply systems were decentralized with a power plant for
each region and a local distribution network which connected the producer
with the consumers. If the power plant failed, the whole region was without
energy. When regional networks were interconnected by transmission networks,
security of supply was enhanced by the possibility to exchange energy
between these networks. It also saved financial resources, particularly on
the side of producers. Today these regional networks have been expanded
across national boundaries, connecting individual EU member states with the
perspective of creating a common, liberalized energy market in the entire
EU. Whereas this is true for both electricity and gas supplies, the European
pipeline-based gas supply system, perceived as the "Achilles heel" of the
European energy supply security, covers a much wider geographical area by
long distance gas pipelines. They start in external producer states (such as
Russia or in difficult environments such as in the North Sea, in the Maghreb
and in the future also in the Arctic region, in the Caspian Basin, in the
Persian Gulf/Middle East and in Central Africa) and transport natural gas
across state borders via other transit states to the final consumer
countries and their distribution grids, often distances of more than 1,000
km.

By increasing and diversifying its gas supplies from outside Europe,
European gas supply security will be enhanced, but at the same time numerous
vulnerabilities will increase by expanding network interconnections. This
increased vulnerability is true not just in terms of gas networks (pipeline
and LNG-based – see Figure 2), but also in regards to the interconnectedness
of ICT to the networks of other critical infrastructure systems.

*Figure 2. Source: Octavio-Project*

*The Natural Gas Supply Chain, the Functionalities of Gas Control Centers
and its Vulnerabilities*
The European gas supply system is overwhelmingly based on pipelines and
supported by compressor stations and storage sites. The operational
processes of the natural gas supply chain as well as its security and
control are highly dependent on the ICT infrastructure. In contrast to the
EU’s oil supply security (based on flexible shipping imports), a much more
inflexible pipeline gas supply system creates many more dependencies, risks
and vulnerabilities – particularly obvious during crisis situations as
Europe experienced with the Russian-Ukrainian gas conflicts in 2006 and 2009
when gas flow was cut.

Natural gas systems involve a series of processes and components at
different physical facilities. Once the gas has been explored and exploited
at a gas field, in mixtures with other hydrocarbons, a pipeline gathering
system directs the flow of gas to a processing plant where it is purified.
From these plants it can be transported directly to the mainline
transmission grid and through its often long-distance “trunk lines” (with a
pressure typically up to 100-120 bars), and finally distributed by smaller
pipelines to final customers (see Figures 3 and 4). Unlike the electricity
system, natural gas can be stored for an indefinite period of time using
storage facilities in order to meet balanced demand requirements during
different seasons and to insure against unforeseen supply disruptions such
as accidents, natural disasters or disruptions which are politically
motivated. The main components of the complex transmission grid include
pipelines, compressor stations, storage sites, metering stations and city
gate stations.

Energy control centers control the operation of power plants as well as of
networks. The operation of huge border-crossing gas networks requires a
network management and a control center hierarchy to ensure security of gas
supplies:
• Main Control Centers (i.e. system and network control centers) responsible
for generation coordination, load dispatching, as well as monitoring and
controlling the storage sites and transmission network to provide reliable
communication, to keep the integrity and security of the complete network,
and to guarantee the supply of the services;
• Regional Control Centers responsible for monitoring and controlling the
distribution network within a specific area;
• District Control Centers responsible for monitoring and controlling the
distribution network within a specific district.

*Figure 3. Source: Octavio-Project*

*Figure 4. Source: Octavio-Project*

The efficiency of control centers by applying methods of data handling and
processing is closely linked with the development and application of ICT.
Their task is:
• Measurement and information gathering: By sensors including
satellite-based surveillance and control of pipeline systems, power plants,
pump stations, storage sites and networks;
• Acquisition: Transmission of necessary information from the network to the
Control Center, and transmission of commands from Command Centers to
“operational” components like substations;
• Processing, display and archiving of information: Generating control
information from network data.

In contrast to the former auxiliary function for the control of operations
of plants and networks, the control function is transferred to a centralized
complex instrument with the central function in energy supply. Without this
central function, any operation within the energy and gas supply chains
ranging from production to distribution and supply would be impossible. The
efficiency and reliability of those Control Centers, in particular the
System or Central Command and Network Control Centers, is essential and is
the biggest vulnerability in case of physical or electronic attacks. This
could have extensive follow-up consequences on other critical
infrastructures and lead to heavy losses at the stock exchange.

Acquisition and processing tasks are elements of a SCADA (Supervisory
Control and Data Acquisition) System. With SCADA, control centers are able
to identify and repair interferences, to take necessary measures of repairs
centrally, and to acquire data relevant for planning and further actions.
Originally, each power plant had its own control center linked with others
as part of a hierarchy of networks. The development of ICT enhances the
capability to combine different tasks of the command structure for the
hierarchy of networks into a central command center for different media such
as electricity, gas, water or district heating. The latter have extended
their capabilities by using Geographical Information Systems (GIS) to
provide geo-referencing information of facilities, networks, vehicles and
geographical or political details. Modern SCADA systems use standard
interfaces and standard components (of computers operating under UNIX or
Windows). SCADA systems have improved system interconnections and
efficiencies, but they have also significantly increased system
vulnerabilities to outside electronic attacks.

*Figure 5: Octavio-Project*

European infrastructure security by and large follows the guidelines applied
to US facilities. However, the extent of newly implemented technologies,
modernization, the limitations imposed by national postures, the divergent
risks inherent in divergent suppliers, systems and transit zones, the uneven
exposure to potential violence (be it by terrorists or in war-like
situations), the competitiveness governing European energy markets, and the
limitations on flexibility of adoptions to changing challenges inherent in
gas pipeline systems all pose additional challenges to energy industries as
well as to national, EU and international governmental authorities - be they
producers, transit providers or suppliers.

Given the growing extension and complexity of energy systems (i.e. of gas
supply systems), the requirements for the effectiveness and the security of
control centers get more demanding, and trade-offs between effective and
secure solutions become more challenging. The requirements for effective and
secure control centers are made even more critical by the increasing number
of interconnectors between gas systems, the cost of ever larger numbers of
sites and growing size of systems, the vast areas they cover, and the
inherent risks resulting from how administrative units and control centers
are often connected, typically needing control engineers, ICS operators and
IT security professionals to cooperate closely.

A broad and systematic analysis of control center vulnerabilities is thus an
important step. But the conditions for moving from highly decentralized to
increasingly centralized energy systems differ from the US and the EU with
regard to regional and state energy demands and decision-systems.

*Security Conditions in Perspective for Asset Criticality in Gas Supply
Systems: The Octavio Project*
The criticality of assets, in particular of control centers, for the
functioning of gas supply systems depends on both the degree to which
technical security requirements are met and on the conditions under which
they are expected to function. Technical security requirements are
indispensable, but their criticality depends also on a variety of additional
conditions such as (1) assumed general security conditions of gas pipeline
systems; (2) the size, length and expected growth of pipeline systems; (3)
design parameters; (4) the given security status; (5) geographical
conditions; (6) conditions of social-political stability; (7) economic
conditions; (8) strategic conditions; and (9) costs and investment choices.

Depending on the type of attack, all elements of a pipeline system can be
targeted. Attacks on control centers (in addition to compressor stations)
are, however, among the most attractive targets for sabotage, terrorists,
multiple attacks, etc. The Octavio Project has therefore concentrated
especially on attack options against and protection of control centers. Yet
the functioning of SCADA systems is itself a condition that deserves special
analysis.

In general, the size, length and expected growth of European and global
natural gas networks will impact on both the need for control assets and the
security requirements of control centers and other critical components:
• Except for LNG transport, there does not exist a global gas supply system.
But enabled through IT developments and driven by increasing demand and
supply, as well as increasing competitiveness within the gas market, gas
supply systems are growing steadily in terms of identified resources, length
of transport lines, transit zones, diversity of geophysical conditions, and
distribution of critical assets - with ever wider regional differences.
• Increasingly demanding security requirements for gas pipelines systems are
necessitated by the growing size of gas supply systems, the length of pipes,
the diversity of regional conditions, the increasing exposure to both
accidental and intentional hazards, the vast amount of critical information
from far away locations, the vulnerability of systems for controlling the
flow of gas, the security of the system requirements, the need to integrate
warning signals from a given system with higher-level crisis information,
and the fact that awareness is the single most important aspect of
preparedness.
• The increasing size, length and complexity of pipeline systems are among the
most critical factors in this vulnerability assessment. However, there is no
direct link between the overall size (i.e. kilometers) of gas pipeline
systems in the world and an increase in security requirements. Between 2002
and 2005 the totals in kilometers globally increased by more than 30%.
Rather than just concentrate on the overall global trend, it is particularly
important to recognize the regional trends in major gas markets like the EU,
the US, the Persian Gulf, as well as in South Asia.

Asset security in pipeline systems is an important requirement, in many
cases much more so than protection of the pipes themselves. It is a
prerequisite for effective mitigation against accidents and incidents caused
by criminals. Regarding localized hostile attacks, other means become very
important, like the speed of response and the means to cope with aggressors.
While protection against strategic terrorism requires a broader spectrum of
protective means and measures, effective control centers and other critical
assets remain an indispensable means of crisis management. In major
contingency-scenarios the continued functioning of gas pipeline supplies
will depend on a wide variety of circumstances. Agreed definitions regarding
the criticality of pipeline assets still need to be refined. Those
definitions need to reflect security requirements for assets in pipeline
systems in relation to conditions that apply to a given situation. The
Octavio Project has laid some useful foundations on which to base more
comprehensive sets of security requirements for control centers, gas
pipelines and their critical pipeline assets.

*Summary and Perspectives*
In addition to the new threats coming from terrorist attacks, private or
state-sponsored hackers and (transnational) criminal organizations, the
vulnerability of the different sector infrastructures has also increased
because they are now much more linked with each other - due to the rapid
spread of information technologies. ICT infrastructures in the energy,
transport, banking and financing sectors have become the nervous system of
our modern information society.  Disruptions of ICT can cascade to other
locations, branches or sectors, with impacts that extend far beyond the
original area of damage, as well as across the state-border of an EU-member
state, given that critical information infrastructure (CII) is global as
well as tightly interconnected and interdependent with other
infrastructures. Their security and resilience cannot be ensured and
enhanced by purely national and uncoordinated strategies. Furthermore,
market forces do not provide sufficient incentives to private operators for
investing to protect CII systems at the level that governments would
normally demand. In this light, the fundamental and still underestimated
problem is that the low level of protection in some member states can
increase vulnerabilities in others. Also, the insufficient systematic
interstate cooperation in Europe substantially reduces the effectiveness of
preventative and timely countermeasures.

The pipeline-based EU gas supply chain and networks need to recognize the
dependencies and interconnectedness of critical European infrastructures
between the EU as the consumer and non-member states such as Russia,
Ukraine, and others as the producer and transit states.

Whereas there is limited availability of financial and human resources for
operators to protect their infrastructure systems, it is essential for both
the energy industry and for governments to use all available resources
efficiently and effectively by assessing risks and setting priorities to
achieve adequate risk management. While it is impossible to protect a
utility 100% from a physical or a cyber attack on its facilities and
infrastructure, these threats need to be minimized as much as possible without
compromising their productivity and day-to-day operations. A professional
security and risk assessment requires a systemic perspective to address
physical and cyber security, supervisory control and data acquisition
(SCADA) and distributed control systems (DCS), communications security, grid
security, distribution security, generation security, and
biological/chemical issues. Integrated security concepts such as the TAAS
Industrial Corporate Security Awareness Program (ICSAP) are a positive step
forward in this regard. With well-protected infrastructure programs and
well-trained and well-equipped security forces (e.g. in Saudi Arabia), the oil and gas
industry and their governments can foil or mitigate terror attacks on
critical oil, gas and other energy infrastructure.

In order to overcome the historical legacies of insufficient physical
infrastructure and traditional policies, the EU agreed in March 2009 to
create numerous new interconnectors for both trans-border electricity and
gas delivery. This new infrastructure, of which control centers for gas and
electricity are an important part, will improve individual nations’ energy
supplies and promote a common crisis management system.
Any future risk assessment needs to include the wider political-strategic
policies and intentions of the EU and its member states for analyzing the
concrete risks, along with future vulnerabilities of existing and
to-be-built critical energy infrastructure. In this context, the March 2007,
November 2008 and March 2009 decisions of the EU’s energy policies and newly
built energy infrastructure are of utmost importance. Any analysis of a
comprehensive risk assessment of these gas and electricity control centers
would benefit from including these dimensions and new policies in a
strategic perspective for the EU’s future energy infrastructure security. If
the EU’s agreed energy policies and projects are implemented, they will
greatly enhance common energy security inside the EU and bolster a common
crisis management system, a common energy market, and a common foreign
energy policy.

In this regard, the future safety and security of gas control centers and
any discussions of critical gas infrastructure need to take into account:
• The new transnational dimensions of interconnecting gas supplies and
national gas markets within the EU’s internal market.
• The implications of terrorist and cyber attacks on these new or modernized
control centers with their high strategic value, which, if disrupted, could
have wide-ranging, cascading effects on transnational gas supplies.
• The overall dependence of European gas control centers on external gas
infrastructures outside the EU (i.e. Russian or other foreign gas pipelines,
gas control centers, etc.) – particularly in light of the EU’s further
growing dependence on gas and other energy imports from outside Europe –
including much more unstable regions.

Thus, safety and security issues of gas control centers and other gas and
energy infrastructure should become an integral part of the EU’s energy
foreign policy with other producer and transit states.
*Frank Umbach and Uwe Nerlich are Senior Associates for International Energy
Security, Centre for European Security Strategies (CESS), Munich-Berlin.*
http://www.ensec.org/index.php?option=com_content&view=article&id=219...


 