In both Western governments and industries, security concerns about increasing cyber warfare attacks by individuals, crime organizations and governments regarding espionage or malicious software programs that damage and disrupt critical infrastructure assets and processes have grown considerably in the last several years. These cyber attacks have risen to an unprecedented level of sophistication. As a result, the vulnerabilities of digital systems and networks have grown exponentially. However, public awareness has not kept up with these new threats and vulnerabilities in cyberspace, which have the potential to affect all sectors of private and public life, national and international businesses, and even the defense policies of states, multinational organizations like the EU, and collective security organizations like NATO.
In the age-old struggle between attacker and defender, the attacker more than ever appears to have the advantage by being better armed and freely choosing the intensity of the attack, as well as the target. Attackers are no longer constrained by geographical distance and frontiers. In particular, the emergence of botnets – a dormant virus, unnoticed by Internet users, which the attacker can activate at any time (trojans) and at any place in the world – allows criminal or terrorist attackers to launch massive hostile operations for data espionage, falsifying, destroying or altering confidential data with extraordinarily harmful effects in industry infrastructures as well as critical national infrastructures. The newest botnet threat, Conficker, for instance, is estimated to have infected 1.5 million computers. Without yet having any counter-strategy, the new worm might be able to function autonomously by recruiting and commanding five million computers in 122 countries for coordinated simultaneous attacks on an economic system, critical national infrastructures, and national defense networks of a country – all of them interdependent with one another. Almost all industries and companies and even defense ministries are increasingly dependent on the use of the open Internet and other nets, in addition to protected intranets, which are themselves not immune to cyber-attack.
By blurring the borders between cyber crime, cyber terrorism, and private or state-sponsored cyber war as a new form of “asymmetric warfare” in the 21st century, the threat of a “digital Pearl Harbor” has become real. Even hostile governments can hide behind “unholy alliances” with crime syndicates, terrorists or nationalist movements and individuals without risking detection and identification. Massive denial-of-service attacks by viruses, worms and other forms of malware on servers of government ministries, newspapers, banks, and other corporations as well as on private web sites and on a country’s cell phones have already occurred. Examples of such attacks have been recorded in Estonia in May 2007, Lithuania in June-July 2008, Georgia in August 2008 and in South Korea last July in an attack of 12,000 computers in that country and 8,000 in other countries.
With regard to critical energy infrastructure, the EU has recognized two major challenges that it needs to confront:
• The spread of information and communication technologies (ICT) highlights numerous new security implications for our dependencies on them in all areas of our daily life. Market liberalization and privatization of state-owned infrastructure operators, as well as new regulations, have made private industry and government agencies increasingly dependent on external providers of goods and services, including commercial off-the-shelf (COTS) products. At the same time, almost every single service depends directly or indirectly on the secure supply of electricity. The physical, virtual or logical networks have grown in size and complexity. As a result of those growing interdependencies between various critical infrastructures (see Figure 1), those dependencies and impacts of supply shortages and disruptions are often not apparent until a crisis occurs and a connection breaks down. Even smaller outages, failures and disruptions can have dramatic consequences in ever more complex systems (“the vulnerability paradox”), something which has not been anticipated.
Figure 1. Source: Federal Ministry of the Interior (BMI), Protecting Critical Infrastructures – Risk and Crisis Management, Berlin, January 2008
• Previously energy supply systems were decentralized with a power plant for each region and a local distribution network which connected the producer with the consumers. If the power plant failed, the whole region was without energy. When regional networks were interconnected by transmission networks, security of supply was enhanced by the possibility to exchange energy between these networks. It also saved financial resources, particularly on the side of producers. Today these regional networks have been expanded across national boundaries, connecting individual EU member states with the perspective of creating a common, liberalized energy market in the entire EU. Whereas this is true for both electricity and gas supplies, the European pipeline-based gas supply system, perceived as the "Achilles heel" of the European energy supply security, covers a much wider geographical area by long distance gas pipelines. They start in external producer states (such as Russia or in difficult environments such as in the North Sea, in the Maghreb and in the future also in the Arctic region, in the Caspian Basin, in the Persian Gulf/Middle East and in Central Africa) and transport natural gas across state borders via other transit states to the final consumer countries and their distribution grids, often distances of more than 1,000 km.
By increasing and diversifying its gas supplies from outside Europe, European gas supply security will be enhanced, but at the same time numerous vulnerabilities will increase by expanding network interconnections. This increased vulnerability is true not just in terms of gas networks (pipeline and LNG-based – see Figure 2), but also in regards to the interconnectedness of ICT to the networks of other critical infrastructure systems.
Figure 2. Source: Octavio-Project
The Natural Gas Supply Chain, the Functionalities of Gas Control Centers and its Vulnerabilities
The European gas supply system is overwhelmingly based on pipelines and supported by compressor stations and storage sites. The operational processes of the natural gas supply chain as well as its security and control are highly dependent on the ICT infrastructure. In contrast to the EU’s oil supply security (based on flexible shipping imports), a much more inflexible pipeline gas supply system creates many more dependencies, risks and vulnerabilities – particularly obvious during crisis situations as Europe experienced with the Russian-Ukrainian gas conflicts in 2006 and 2009 when gas flow was cut.
Natural gas systems involve a series of processes and components at different physical facilities. Once the gas has been explored and exploited at a gas field, in mixtures with other hydrocarbons, a pipeline gathering system directs the flow of gas to a processing plant where it is purified. From these plants it can be transported directly to the mainline transmission grid and through its often long-distance “trunk lines” (with a pressure typically up to 100-120 bars), and finally distributed by smaller pipelines to final customers (see Figures 3 and 4). Unlike the electricity system, natural gas can be stored for an indefinite period of time using storage facilities in order to meet balanced demand requirements during different seasons and to insure against unforeseen supply disruptions such as accidents, natural disasters or disruptions which are politically motivated. The main components of the complex transmission grid include pipelines, compressor stations, storage sites, metering stations and city gate stations.
Energy control centers control the operation of power plants as well as of networks. The operation of huge border-crossing gas networks requires network management and a control center hierarchy to ensure security of gas supplies:
• Main Control Centers (i.e. system and network control centers) responsible for generation coordination, load dispatching, as well as monitoring and controlling the storage sites and transmission network to provide reliable communication, to keep the integrity and security of the complete network, and to guarantee the supply of the services;
• Regional Control Centers responsible for monitoring and controlling the distribution network within a specific area;
• District Control Centers responsible for monitoring and controlling the distribution network within a specific district.
Figure 3. Source: Octavio-Project
Figure 4. Source: Octavio-Project
The efficiency of control centers in applying methods of data handling and processing is closely linked with the development and application of ICT. Their tasks are:
• Measurement and information gathering: By sensors including satellite-based surveillance and control of pipeline systems, power plants, pump stations, storage sites and networks;
• Acquisition: Transmission of necessary information from the network to the Control Center, and transmission of commands from Command Centers to “operational” components like substations;
• Processing, display and archiving of information: Generating control information from network data.
In contrast to the former auxiliary function for the control of operations of plants and networks, the control function is transferred to a centralized complex instrument with the central function in energy supply. Without this central function, any operation within the energy and gas supply chains ranging from production to distribution and supply would be impossible. The efficiency and reliability of those Control Centers, in particular the System or Central Command and Network Control Centers, is essential and is the biggest vulnerability in case of physical or electronic attacks. This could have extensive follow-up consequences on other critical infrastructures and lead to heavy losses at the stock exchange.
Acquisition and processing tasks are elements of a SCADA (Supervisory Control and Data Acquisition) System. With SCADA, control centers are able to identify and repair interferences, to take necessary measures of repairs centrally, and to acquire data relevant for planning and further actions. Originally, each power plant had its own control center linked with others as part of a hierarchy of networks. The development of ICT enhances the capability to combine different tasks of the command structure for the hierarchy of networks into a central command center for different media such as electricity, gas, water or district heating. The latter have extended their capabilities by using Geographical Information Systems (GIS) to provide geo-referencing information of facilities, networks, vehicles and geographical or political details. Modern SCADA systems use standard interfaces and standard components (of computers operating under UNIX or Windows). SCADA systems have improved system interconnections and efficiencies, but they have also significantly increased system vulnerabilities to outside electronic attacks.
Figure 5. Source: Octavio-Project
European infrastructure security by and large follows the guidelines applied to US facilities. However, the extent of newly implemented technologies, modernization, the limitations imposed by national postures, the divergent risks inherent in divergent suppliers, systems and transit zones, the uneven exposure to potential violence (be it by terrorists or in war-like situations), the competitiveness governing European energy markets, and the limitations on flexibility of adoptions to changing challenges inherent in gas pipeline systems all pose additional challenges to energy industries as well as to national, EU and international governmental authorities - be they producers, transit providers or suppliers.
Given the growing extension and complexity of energy systems (i.e. of gas supply systems), the requirements for the effectiveness and the security of control centers get more demanding, and trade-offs between effective and secure solutions become more challenging. The requirements for effective and secure control centers are made even more critical by the increasing number of interconnectors between gas systems, the cost of ever larger numbers of sites and growing size of systems, the vast areas they cover, and the inherent risks resulting from how administrative units and control centers are often connected, typically needing control engineers, ICS operators and IT security professionals to cooperate closely.
A broad and systematic analysis of control center vulnerabilities is thus an important step. But the conditions for moving from highly decentralized to increasingly centralized energy systems differ between the US and the EU with regard to regional and state energy demands and decision-systems.
Security Conditions in Perspective for Asset Criticality in Gas Supply Systems: The Octavio Project
The criticality of assets, in particular of control centers, for the functioning of gas supply systems depends on both the degree to which technical security requirements are met and on the conditions under which they are expected to function. Technical security requirements are indispensable, but their criticality depends also on a variety of additional conditions such as (1) assumed general security conditions of gas pipeline systems; (2) the size, length and expected growth of pipeline systems; (3) design parameters; (4) the given security status; (5) geographical conditions; (6) conditions of social-political stability; (7) economic conditions; (8) strategic conditions; and (9) costs and investment choices.
Depending on the type of attack, all elements of a pipeline system can be targeted. Attacks on control centers (in addition to compressor stations) are, however, among the most attractive targets for sabotage, terrorists, multiple attacks, etc. The Octavio Project has therefore concentrated especially on attack options against and protection of control centers. Yet the functioning of SCADA systems is itself a condition that deserves special analysis.
In general, the size, length and expected growth of European and global natural gas networks will impact on both the need for control assets and the security requirements of control centers and other critical components:
• Except for LNG transport, there does not exist a global gas supply system. But enabled through IT developments and driven by increasing demand and supply, as well as increasing competitiveness within the gas market, gas supply systems are growing steadily in terms of identified resources, length of transport lines, transit zones, diversity of geophysical conditions, and distribution of critical assets - with ever wider regional differences.
• Increasingly demanding security requirements for gas pipeline systems are necessitated by the growing size of gas supply systems, the length of pipes, the diversity of regional conditions, the increasing exposure to both accidental and intentional hazards, the vast amount of critical information from far away locations, the vulnerability of systems for controlling the flow of gas, the security of the system requirements, the need to integrate warning signals from a given system with higher-level crisis information, and the fact that awareness is the single most important aspect of preparedness.
• The increasing size, length and complexity of pipeline systems are among the most critical factors in this vulnerability assessment. However, there is no direct link between the overall size (i.e. kilometers) of gas pipeline systems in the world and an increase in security requirements. Between 2002 and 2005 the totals in kilometers globally increased by more than 30%. Rather than just concentrate on the overall global trend, it is particularly important to recognize the regional trends in major gas markets like the EU, the US, the Persian Gulf, as well as in South Asia.
Asset security in pipeline systems is an important requirement, in many cases much more so than protection of the pipes themselves. It is a prerequisite for effective mitigation against accidents and incidents caused by criminals. Regarding localized hostile attacks, other means become very important, like the speed of response and the means to cope with aggressors. While protection against strategic terrorism requires a broader spectrum of protective means and measures, effective control centers and other critical assets remain an indispensable means of crisis management. In major contingency-scenarios the continued functioning of gas pipeline supplies will depend on a wide variety of circumstances. Agreed definitions regarding the criticality of pipeline assets still need to be refined. Those definitions need to reflect security requirements for assets in pipeline systems in relation to conditions that apply to a given situation. The Octavio Project has laid some useful foundations on which to base more comprehensive sets of security requirements for control centers, gas pipelines and their critical pipeline assets.
Summary and Perspectives
In addition to the new threats coming from terrorist attacks, private or state-sponsored hackers and (transnational) criminal organizations, the vulnerability of the different sector infrastructures has also increased because they are now much more linked with each other - due to the rapid spread of information technologies. ICT infrastructures in the energy, transport, banking and financing sectors have become the nervous system of our modern information society. Disruptions of ICT can cascade to other locations, branches or sectors, with impacts that extend far beyond the original area of damage, as well as across the state-border of an EU-member state, given that critical information infrastructure (CII) is global as well as tightly interconnected and interdependent with other infrastructures. Their security and resilience cannot be ensured and enhanced by purely national and uncoordinated strategies. Furthermore, market forces do not provide sufficient incentives to private operators for investing to protect CII systems at the level that governments would normally demand. In this light, the fundamental and still underestimated problem is that the low level of protection in some member states can increase vulnerabilities in others. Also, the insufficient systematic interstate cooperation in Europe substantially reduces the effectiveness of preventative and timely countermeasures.
The pipeline-based EU gas supply chain and networks need to recognize the dependencies and interconnectedness of critical European infrastructures between the EU as the consumer and non-member states such as Russia, Ukraine, and others as the producer and transit states.
Whereas there is limited availability of financial and human resources for operators to protect their infrastructure systems, it is essential for both the energy industry and for governments to use all available resources efficiently and effectively by assessing risks and setting priorities to achieve adequate risk management. While it is impossible to protect a utility 100% from a physical or a cyber attack on its facilities and infrastructure, these threats need to be minimized as much as possible without compromising their productivity and day-to-day operations. A professional security and risk assessment requires a systemic perspective to address physical and cyber security, supervisory control and data acquisition (SCADA) and distributed control systems (DCS), communications security, grid security, distribution security, generation security, and biological/chemical issues. Integrated security concepts such as the TAAS Industrial Corporate Security Awareness Program (ICSAP) are a positive step forward in this regard. With well protected infrastructure programs and well-trained and well-equipped security forces (e.g. in Saudi Arabia), the oil and gas industry and their governments can foil or mitigate terror attacks on critical oil, gas and other energy infrastructure.
In order to overcome the historical legacies of insufficient physical infrastructure and traditional policies, the EU agreed in March 2009 to create numerous new interconnectors for both trans-border electricity and gas delivery. This new infrastructure, of which control centers for gas and electricity are an important part, will improve individual nations’ energy supplies and promote a common crisis management system.
Any future risk assessment needs to include the wider political-strategic policies and intentions of the EU and its member states for analyzing the concrete risks, along with future vulnerabilities of existing and to-be-built critical energy infrastructure. In this context, the March 2007, November 2008 and March 2009 decisions of the EU’s energy policies and newly built energy infrastructure are of utmost importance. Any analysis of a comprehensive risk assessment of these gas and electricity control centers would be of benefit by including these dimensions and new policies in a strategic perspective for the EU’s future energy infrastructure security. If the EU’s agreed energy policies and projects are implemented, they will greatly enhance common energy security inside the EU and bolster a common crisis management system, a common energy market, and a common foreign energy policy.
In this regard, the future safety and security of gas control centers and any discussions of critical gas infrastructure need to take into account:
• The new transnational dimensions of interconnecting gas supplies and national gas markets within the EU’s internal market.
• The implications of terrorist and cyber attacks on these new or modernized control centers with their high strategic value, which, if disrupted, could have wide-ranging, cascading effects on transnational gas supplies.
• The overall dependence of European gas control centers on external gas infrastructures outside the EU (i.e. Russian or other foreign gas pipelines, gas control centers, etc.) – particularly in light of the EU’s further growing dependence on gas and other energy imports from outside Europe – including much more unstable regions.
Thus, safety and security issues of gas control centers and other gas and energy infrastructure should become an integral part of the EU’s energy foreign policy with other producer and transit states.
Frank Umbach is Senior Associate at CESS and Uwe Nerlich is Co-Director, Centre for European Security Strategies (CESS), Munich-Berlin.