PL RA CH 9-307-318
Highlights
9.1 Attack potential
9.1.1 Cyber Attacks
9.1.2 Exposure Estimates
9.2 Sabotage mitigations
9.2.1 Types of Mitigation
9.2.2 Estimating Effectiveness
9.3 Resistance
9.4 Consequence considerations
[Figure: Sabotage risk summary. Panels: Exposures (events/mile-year) for labor dispute, disgruntled employee, and terrorist; Mitigations (% effectiveness) for barriers, realtime detection/response, advance detection/response, and community partnering; Resistance (% effectiveness) for diameter, wall, and SMYS; weaknesses (effective wall loss) for acetylene weld, mitre bend, wall loss, and dent; with PoF (per mile-year), CoF ($/incident), and EL ($/mile-year) outputs.]
The risk of sabotage is difficult to fully assess because such threats are so situation
specific and subject to rapid change. The assessment is usually subject to a great deal
of uncertainty. Nonetheless, the potential exists for most pipeline systems and should
not be ignored. It is recommended that the sabotage threat be included as a stand-alone
assessment. As an intentional, rather than accidental, event, it represents a unique type
of threat that is independent of, and additive to, other threats.
The likelihood of a pipeline system becoming a target of sabotage is a function of
many variables, including the relationship of the pipeline owner with the community
and with its own employees or former employees. Vulnerability to attack is another
aspect. In general, the pipeline system is not thought to be more vulnerable than other
municipal systems. The motivation behind a potential sabotage episode would, to a
great extent, determine whether or not this pipeline is targeted. Reaction to a specific
threat would therefore be very situation specific. Note that some already-discussed
risk variables and possible risk reduction measures overlap the variables and measures
that are normally examined in dealing with sabotage threats. These include security
measures, accessibility issues, training, safety systems, and patrol.
The exposure level to a sabotage event can first be assessed based on the current
socio-political environment in the area of the pipeline as well as inside the pipeline
company itself. Then a damage potential can be estimated, based on the presence of
mitigating measures. Finally, the ability of the component to resist the attack is
estimated.
To assess the attack potential, the definition of ‘failure’ used for the risk assessment
must first be reviewed. If the risk assessment is strictly leak/rupture based, then
exposure events are clear—they must threaten integrity. Attacks unrelated to integrity
issues can be included in the risk assessment, but must be acknowledged in the ‘failure’
definition so that exposure, mitigation, and resistance values can be assigned. For
example, if an event of interest is a cyber attack intended to steal company-sensitive
information (perhaps to give competitive advantage to the thief), that type of event can
be included in the definition of ‘failure’.
When failure also includes service interruption, then identifying exposure events
becomes more challenging. Although there is much overlap, the focus in this chapter will
generally be on the former—threats related to leak/rupture potential. See Chapter 12
Service Interruption Risk for a discussion of the latter.
Sabotage can be thought of as an intentional third-party damage event. Sabotage
often has complex socio-political underpinnings. As such, the likelihood of incidents is
usually difficult to judge. Even under higher likelihood situations, mitigative actions,
both direct and indirect, are possible.
Vandalism can be considered a type of sabotage. However, defacing (for example,
spray painting) or minor theft of materials are exposures that are readily resisted by
most pipeline components. If the sabotage exposure count includes vandalism events,
then resistance estimates must consider the fraction of exposure events that are
vandalism spray-paint-type events and therefore 100% resisted by the component. With
the possible exception of instrumentation or control systems, pipeline components are
generally more resistive to vandalism than to sabotage. Again, the definition of
‘failure’ governs how events are included in the risk assessment.
Cyber security is a more recent consideration for pipelines. Historically, pipeline
electronic systems were thought to be relatively immune to such attack for several reasons:
• Most critical operations such as valve open/close, pump start, etc., required
human physical interaction.
• Control systems were isolated; in particular, they were separate from the
Internet.
• Redundancies in control and safety devices prevented malicious threats to
integrity, if not also to continuous operation (i.e., no flow interruptions).
• The control systems were difficult for outsiders to understand.
• Little damage potential beyond nuisance data interruptions was foreseen.
Related to both cyber security and service interruption is the potential use of
directed energy weapons, including electromagnetic pulse devices that can destroy
electronic components. Such pulses are also naturally occurring (see Chapter 7
Geohazards). When weaponized, a small, perhaps briefcase-sized, device can be placed in
proximity (perhaps outside a fenceline) to a surface facility and, when ‘detonated’,
cause significant damage. Some older analog-style electronics are relatively immune,
and more vulnerable components can be ‘hardened’ to defend against such attacks.
A sometimes complex chain of events needs to be identified and scrutinized to
fully understand certain failure scenarios involving failures of electronic components.
Most pipeline facilities employ ‘failsafe’ protocols whereby single or even multiple
instrumentation failures may interrupt service but do not threaten integrity.
The ability to orchestrate a failure (by whatever definition of ‘failure’ is being used
in the risk assessment) through a component of such cyber-systems should be
identified. This may require a special group of SMEs using thorough scenario-generation
techniques such as HAZOPS. Susceptible components must then be linked to portions
of the pipeline system, since the origination of the sabotage event may be different
from the point of failure on the pipeline. For example, an attack on a SCADA system’s
central computer may trigger a valve closure impacting a specific portion of a certain
pipeline system.
Once susceptible components are identified and associated with pipeline system
failure points, the frequency of potential attacks should be estimated. Several types of
potential cyber attackers and their possible motivations are identified [1010]:
• Garden variety hacker: hobby, notoriety, nuisance
• Hacktivist: support cause, disrupt or delay project, discredit company, personal
agenda
• Cyber-criminal: financial or competitive gain, business disruption, market
impact, service for hire, sales of information
• Nation state: intellectual property theft, political agenda, economic gain, disrupt,
degrade, or destroy systems.
To the extent that they are consistent with the definition of ‘failure’ guiding the risk
assessment, the contribution from each of these should be included in the sabotage ex-
These are samples only. In any specific situation, actual values may be orders of
magnitude higher or lower. Actual situations will always be more complex than what is
listed in these much generalized probability descriptions. A more rigorous assessment
would examine location-specific aspects of attack potential.
A less obvious, less newsworthy (at least less ‘headlines-grabbing’), but potentially
dramatically consequential attack potential lies in sabotage to a corrosion control
system. As discussed in the corrosion threat assessment, CP systems are commonly
used to protect buried structures from corrosion. These systems are readily converted
into damage-causing rather than damage-preventing systems. Simply reversing the
polarity on a rectifier can convert the previously protected metal into an anode,
causing rapid corrosion. Since thousands of miles of pipe, tanks, foundations, and other
Beyond mitigation measures designed for an operating facility, other sabotage
prevention measures are available to the operating company. For instance, during
construction:
• Materials and equipment are secured; extra inspection is employed.
• 24-hour-per-day guarding and inspection
• Employment of several trained, trustworthy inspectors
• Screened, loyal workforce—perhaps brought in from another location
• System of checks for material handling
• Otherwise careful attention to security through thorough planning of all job
aspects.
Supporting communities near the pipeline by building roads, schools, hospitals, etc.
can change the dynamics of a company’s relationship to the local population. This is
done not only to become a good neighbor and dissuade some would-be attackers, but
also to enlist allies—adding to the eyes and ears interested in preserving the assets. See
PRMM.
For example, if it is believed that three acts were avoided (due to forewarning) and
eight acts occurred (even if unsuccessful, they should be counted), then 3/11 = 27%
may be an appropriate mitigation effectiveness value.
9.2.1.3 Security
Security can take many forms including barriers and accessibility issues, as discussed
elsewhere. A security force is another potential mitigation measure. The effectiveness
of security measures will be situation specific.
9.2.1.4 Resolve
9.3 RESISTANCE
integrity or even service continuity. Such acts are more readily resisted by the normal
designed strength of most components. The ‘sabotage’ term is reserved for the actions
more focused on causing at least service interruption if not also leak/rupture. With a
more deliberate attempt to cause significant damage, the ability to resist damages is
less certain. It is often conservatively assumed that a determined attacker will
eventually be able to inflict damage on a system as difficult to protect as a long pipeline.
benefit of reducing consequences from any other type of failure mechanisms and is
assessed in the cost of service interruption.
The following example begins with a scenario proposed in PRMM and adds more
quantifications, consistent with a newer risk assessment methodology.
The pipeline system for this example has experienced episodes of spray painting
on facilities in urban areas and rifle shooting of pipeline markers in rural areas. The
community in general seems to be accepting of, or at least indifferent to, the presence
of the pipeline. There are no labor disputes or workforce reductions occurring in the
company. There are no visible protests against the company in general or the pipeline
facilities specifically. The evaluator sees no serious ongoing threat from sabotage or
serious vandalism. The painting and shooting are seen as random acts, not targeted
attempts to disrupt the pipeline.
Nonetheless, the P99 risk assessment includes the following threat and
consequence analyses:
• An estimated near term exposure of 0.5 events per year at an aboveground
location and an estimated 20% mitigation effectiveness is assigned. The associated
damage probability is assessed to be 0.5 x (1 – 20%) = 0.4 events per year. A
resistance value of 50% is used, yielding a PoF = 0.2 failures/year, or a failure
every 5 years.
• Consequences, including service interruption costs, are estimated to be $32K per
incident based on a collection of P99 scenarios of damage potential. This leads
to a near term expected loss of 0.2 events/year x $32K/event = $6.4K/year. This
value is carried to risk management meetings to determine appropriate reactions
to this conservatively estimated short term risk.
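The exposure, mitigation, resistance, and consequence chain used in this example can be written as a small model. The following Python sketch is an added illustration, not taken from the book: it reproduces the figures above, derives a mitigation value from avoided versus occurred acts (the 3/11 case), and blends resistance when a share of counted events is spray-paint-type vandalism. The 60% vandalism share, the function and class names, and the use of one cost per incident for all sources are assumptions made for the illustration.

```python
from dataclasses import dataclass

def mitigation_from_history(avoided: int, occurred: int) -> float:
    """Share of acts avoided out of all acts (avoided + occurred)."""
    total = avoided + occurred
    if avoided < 0 or occurred < 0 or total == 0:
        raise ValueError("need non-negative counts and at least one recorded act")
    return avoided / total

def blended_resistance(vandalism_fraction: float, sabotage_resistance: float) -> float:
    """Vandalism-type events count as 100% resisted; the rest use the sabotage value."""
    for v in (vandalism_fraction, sabotage_resistance):
        if not 0.0 <= v <= 1.0:
            raise ValueError("fractions must lie in [0, 1]")
    return vandalism_fraction + (1.0 - vandalism_fraction) * sabotage_resistance

@dataclass(frozen=True)
class ThreatSource:
    name: str
    exposure: float     # events per year
    mitigation: float   # fraction of events stopped before they cause damage
    resistance: float   # fraction of damage events the component survives

    def __post_init__(self):
        if self.exposure < 0 or not (0 <= self.mitigation <= 1 and 0 <= self.resistance <= 1):
            raise ValueError(f"invalid inputs for {self.name}")

    def damage_rate(self) -> float:
        return self.exposure * (1.0 - self.mitigation)

    def pof(self) -> float:
        return self.damage_rate() * (1.0 - self.resistance)

def expected_loss(sources, cof_per_incident: float) -> float:
    """Contributions are additive: sum PoF over sources, then apply cost per incident
    (a single cost for all sources is an assumption of this sketch)."""
    return sum(s.pof() for s in sources) * cof_per_incident

# The chapter's example: 0.5 events/yr, 20% mitigation, 50% resistance, $32K/incident.
PAGE_CASE = ThreatSource("aboveground location", 0.5, 0.20, 0.50)

# Constructed variation: same event count, but 60% of events are spray-paint type.
WITH_VANDALISM = ThreatSource("aboveground location", 0.5, 0.20,
                              blended_resistance(0.60, 0.50))

if __name__ == "__main__":
    for s in (PAGE_CASE, WITH_VANDALISM):
        print(f"{s.name}: PoF={s.pof():.3f}/yr, EL=${expected_loss([s], 32_000):,.0f}/yr")
    print(f"history-based mitigation: {mitigation_from_history(3, 8):.0%}")
```

Counting vandalism in the exposure without blending the resistance overstates PoF; in the constructed variation the same 0.5 events per year yields a lower failure rate than the chapter's case.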