
9 SABOTAGE

Highlights

9.1 Attack potential
9.1.1 Cyber Attacks
9.1.2 Exposure Estimates
9.2 Sabotage mitigations
9.2.1 Types of Mitigation
9.2.2 Estimating Effectiveness
9.3 Resistance
9.4 Consequence considerations

The potential for an intentional attack on a pipeline must be assessed independently from other threats.



Pipeline Risk Assessment: The Definitive Approach and Its Role In Risk Management

[Figure: sabotage risk summary. Panels: Exposures (events/mile-year); Mitigations (% effectiveness); Resistance (% effectiveness); PoF (per mile-year); CoF ($/incident); EL ($/mile-year).]

The risk of sabotage is difficult to fully assess because such threats are so situation specific and subject to rapid change. The assessment is usually subject to a great deal of uncertainty. Nonetheless, the potential exists for most pipeline systems and should not be ignored. It is recommended that the sabotage threat be included as a stand-alone assessment. As an intentional, rather than accidental, event, it represents a unique type of threat that is independent of and additive to other threats.

The likelihood of a pipeline system becoming a target of sabotage is a function of many variables, including the relationship of the pipeline owner with the community and with its own employees or former employees. Vulnerability to attack is another aspect. In general, the pipeline system is not thought to be more vulnerable than other municipal systems. The motivation behind a potential sabotage episode would, to a great extent, determine whether or not this pipeline is targeted. Reaction to a specific threat would therefore be very situation specific. Note that some already-discussed risk variables and possible risk reduction measures overlap the variables and measures that are normally examined in dealing with sabotage threats. These include security measures, accessibility issues, training, safety systems, and patrol.

The exposure level to a sabotage event can first be assessed based on the current socio-political environment in the area of the pipeline as well as inside the pipeline company itself. Then a damage potential can be estimated, based on the presence of mitigating measures. Finally, the ability of the component to resist the attack is estimated.


Guidance documents concerning vulnerability assessments for municipal water systems are available and provide insights into the threat.

9.1 ATTACK POTENTIAL

To assess the attack potential, the definition of ‘failure’ used for the risk assessment must first be reviewed. If the risk assessment is strictly leak/rupture based, then exposure events are clear—they must threaten integrity. Attacks unrelated to integrity issues can be included in the risk assessment, but must be acknowledged in the ‘failure’ definition, in order that exposure, mitigation, and resistance values can be assigned. For example, if an event of interest is a cyber attack intended to steal company-sensitive information (perhaps to give competitive advantage to the thief), that type of event can be included in the definition of ‘failure’.

When failure also includes service interruption, then identifying exposure events becomes more challenging. Although there is much overlap, the focus in this chapter will generally be on the former—threats related to leak/rupture potential. See Chapter 12 Service Interruption Risk for a discussion of the latter.

Sabotage can be thought of as an intentional third-party damage event. Sabotage often has complex socio-political underpinnings. As such, the likelihood of incidents is usually difficult to judge. Even under higher likelihood situations, mitigative actions, both direct and indirect, are possible.

Vandalism can be considered a type of sabotage. However, defacing (for example, spray painting) or minor theft of materials are exposures that are readily resisted by most pipeline components. If the sabotage exposure count includes vandalism events, then resistance estimates must consider the fraction of exposure events that are vandalism spray-paint-type events and therefore 100% resisted by the component. With the possible exception of instrumentation or control systems, pipeline components are generally more resistant to vandalism than to sabotage. Again, the definition of ‘failure’ governs how events are included in the risk assessment.

9.1.1 Cyber Attacks

Cyber security is a more recent consideration for pipelines. Historically, pipeline electronic systems were thought to be relatively immune to such attack for several reasons:
• Most critical operations, such as valve open/close, pump start, etc., required human physical interaction.
• Control systems were isolated; in particular, they were separate from the Internet.
• Redundancies in control and safety devices prevented malicious threats to integrity, if not also to continuous operation (i.e., no flow interruptions).
• The control systems were difficult for outsiders to understand.
• Little damage potential beyond nuisance data interruptions was foreseen.

Today, remote sensing, automation, and interconnectivity are prevalent among control systems. Vulnerability, as well as the availability and value of information moving through cyber systems, are all much higher than in years past.

Pipeline equipment that is commonly used and vulnerable, to varying degrees, to cyber attack includes components of systems with labels such as:
• PLC (programmable logic controller)
• DCS (distributed control systems)
• SCADA (supervisory control and data acquisition)
• PCS (process control system)
• ICS (industrial control system).

Related to both cyber security and service interruption is the potential use of directed energy weapons, including electromagnetic pulse devices that can destroy electronic components. Such pulses are also naturally occurring (see Chapter 7 Geohazards). When weaponized, a small, perhaps briefcase-sized, device can be placed in proximity (perhaps outside a fenceline) to a surface facility and, when ‘detonated’, cause significant damage. Some older analog-style electronics are relatively immune, and more vulnerable components can be ‘hardened’ to defend against such attacks.

A sometimes complex chain of events needs to be identified and scrutinized to fully understand certain failure scenarios involving failures of electronic components. Most pipeline facilities employ ‘failsafe’ protocols whereby single or even multiple instrumentation failures may interrupt service but do not threaten integrity.

The ability to orchestrate a failure (by whatever definition of ‘failure’ is being used in the risk assessment) through a component of such cyber-systems should be identified. This may require a special group of SMEs using thorough scenario-generation techniques such as HAZOPS. Susceptible components must then be linked to portions of the pipeline system, since the origination of the sabotage event may be different from the point of failure on the pipeline. For example, an attack on a SCADA system’s central computer may trigger a valve closure impacting a specific portion of a certain pipeline system.

Once susceptible components are identified and associated with pipeline system failure points, the frequency of potential attacks should be estimated. Several types of potential cyber attackers and their possible motivations are identified [1010]:
• Garden variety hacker: hobby, notoriety, nuisance
• Hacktivist: support cause, disrupt or delay project, discredit company, personal agenda
• Cyber-criminal: financial or competitive gain, business disruption, market impact, service for hire, sales of information
• Nation state: intellectual property theft, political agenda, economic gain, disrupt, degrade, or destroy systems.

To the extent that they are consistent with the definition of ‘failure’ guiding the risk assessment, the contribution from each of these should be included in the sabotage exposure estimate. Even if thought to be ‘insignificant’, a value—reflecting best estimate of future frequency of events—should still be included in the risk assessment.

9.1.2 Exposure Estimates

In the absence of strong, quantitative data, qualitative descriptors could be linked to exposure frequencies as a starting point in the risk assessment. PRMM provides a sample of such qualitative descriptors. A sample of a quantitative range estimate—future event frequencies—is associated with those descriptors as follows:
• Low attack probability: P90 exposure frequency is less than 0.001 events per km-yr on buried portions; perhaps 10 to 100 times higher for surface facilities. Indications of impending threats are nonexistent or very minimal. The intent or resources of possible perpetrators are such that real damage to facilities is only a very remote possibility. No attacks other than random (not company or industry specific) mischief have occurred in recent history. Simple vandalism such as spray painting and occasional theft of non-strategic items (building materials, hand tools, chains, etc.) may also warrant this exposure level.
• Medium probability: P90 exposure frequency = 0.01 to 0.1 events per km-yr on buried portions; perhaps 10 to 100 times higher for surface facilities. A credible threat exists. Attacks on this company or similar operations have occurred in the past few years and/or conditions exist that could cause a flare-up of attacks at any time. Attacks may tend to be propagated by individuals rather than organizations or otherwise lack the full measure of resources that a well-organized and resourced saboteur may have.
• High probability: P90 exposure frequency = 0.1 to 10 events per km-yr on buried portions; perhaps 10 to 100 times higher for surface facilities. Threat is known and significant. Attacks are an ongoing concern. There is a clear and present danger to facilities or personnel. Conditions under which attacks occur continue to exist (no successful negotiations, no alleviation of grievances that are prompting the hostility). Attacks are seen to be the work of organized guerrilla groups or other well-organized, resourced, and experienced saboteurs.

These are samples only. In any specific situation, actual values may be orders of magnitude higher or lower. Actual situations will always be more complex than what is listed in these much generalized probability descriptions. A more rigorous assessment would examine location-specific aspects of attack potential.
A less obvious, less newsworthy (at least less ‘headline-grabbing’), but potentially dramatically consequential attack potential lies in sabotage to a corrosion control system. As discussed in the corrosion threat assessment, CP systems are commonly used to protect buried structures from corrosion. These systems are readily converted into damage-causing rather than damage-preventing systems. Simply reversing the polarity on a rectifier can convert the previously protected metal into an anode, causing rapid corrosion. Since thousands of miles of pipe, tanks, foundations, and other critical infrastructure are protected by CP systems, there is great vulnerability. Being hidden from sight, the damage would typically not become apparent until leaks began, at which time extensive and widespread damage may have occurred. Sensitivity to this potential is the first opportunity for prevention. Continuous monitoring via SCADA, additional oversight, and device security are among defense options.
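
Added example, not from the book: one way to watch SCADA telemetry for the rectifier polarity reversal described above. The field names, sign convention, rectifier names and readings are constructed, and the -850 mV threshold is the commonly used pipe-to-soil criterion, to be replaced by the operator's own.

```python
from collections import defaultdict
from dataclasses import dataclass

PROTECTED_MV = -850.0  # common pipe-to-soil criterion vs. a Cu/CuSO4 reference cell
PERSIST = 3            # assumed: consecutive samples required before alerting


@dataclass(frozen=True)
class Reading:
    ts: str                 # ISO timestamp of the telemetry sample
    rectifier: str          # hypothetical rectifier tag
    dc_volts: float         # assumed convention: positive = commissioned polarity
    dc_amps: float
    pipe_to_soil_mv: float  # more negative = better protected


def conditions(r: Reading) -> set:
    """Return the abnormal conditions present in a single reading."""
    found = set()
    if r.dc_volts < 0 or r.dc_amps < 0:
        found.add("POLARITY_REVERSED")
    if r.pipe_to_soil_mv > PROTECTED_MV:
        found.add("UNDER_PROTECTED")
    return found


def detect(readings, persist=PERSIST):
    """Alert once when a condition holds for `persist` consecutive samples
    on the same rectifier, so a single noisy sample does not page anyone."""
    runs = defaultdict(int)  # (rectifier, condition) -> current run length
    alerts = []
    for r in sorted(readings, key=lambda x: x.ts):
        active = conditions(r)
        for kind in ("POLARITY_REVERSED", "UNDER_PROTECTED"):
            key = (r.rectifier, kind)
            if kind in active:
                runs[key] += 1
                if runs[key] == persist:
                    alerts.append((r.ts, r.rectifier, kind))
            else:
                runs[key] = 0
    return alerts


def _series(name, rows):
    """Build hourly readings from (volts, amps, pipe-to-soil mV) tuples."""
    return [Reading(f"2024-01-01T{h:02d}:00", name, v, a, mv)
            for h, (v, a, mv) in enumerate(rows)]


# Constructed telemetry: RECT-A is healthy, RECT-B is reversed from hour 2,
# RECT-C has one marginal sample that should not raise an alert.
SAMPLE = (
    _series("RECT-A", [(24.1, 11.8, -1010), (24.0, 11.9, -1005), (24.1, 11.8, -1008),
                       (24.0, 11.8, -1011), (24.1, 11.9, -1009)])
    + _series("RECT-B", [(18.2, 9.1, -960), (18.1, 9.0, -955), (-18.0, -8.9, -600),
                         (-18.1, -9.0, -420), (-18.1, -9.0, -380)])
    + _series("RECT-C", [(12.0, 5.0, -900), (12.0, 5.0, -905), (12.1, 5.0, -840),
                         (12.0, 5.1, -902), (12.0, 5.0, -899)])
)

if __name__ == "__main__":
    for ts, rectifier, kind in detect(SAMPLE):
        print(f"{ts} {rectifier} {kind}")
```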

9.2 SABOTAGE MITIGATIONS


[Figure labels: Hazard, Barriers, Incident]

As the potential for an attack increases, preventive measures become more important. However, any mitigating measure can be overcome by determined saboteurs. Therefore, the probability can only be reduced by mitigation, rarely eliminated. Most anti-sabotage measures will be highly situation specific. The designer of the threat assessment should assign values based on experience, judgment, and data, when available. Evaluating the potential for sabotage will often also assess the host country’s ability to assist in preventing damage. Sabotage reduction measures are generally available to the pipeline owner/operator in addition to any support provided by the host country.

Some mitigation measures are specifically designed and installed to prevent sabotage while others are measures that happen to help prevent sabotage while performing another function. Considerations for happenstance mitigative benefits from barriers, detection, and others may also be appropriate. For example:
• Patrolling—A high-visibility patrol may act as a deterrent to a casual aggressor; a low-visibility patrol might catch an act in progress.
• Station visits—Regular visits by employees who can quickly spot irregularities such as forced entry, tampering with equipment, etc., can be a deterrent.
• Varying the times of patrol and inspection can make observation more difficult to avoid.
• Monitoring equipment, including motion sensors, infrared video, sound detectors, and others.
• Depth of cover—Perhaps a deterrent in extreme cases—i.e., >10 ft of cover—but a few more inches of cover will probably not dissuade a serious perpetrator.
• ROW condition—Clear ROW makes spotting of potential trouble easier, but also makes the pipeline a target that is easier to find and access.

Sabotage prevention benefits from third-party access barriers, including railings, 6-ft chain-link fence, barbed wire, walls, ditches, chains, locks, and others. Also available are various station security detection systems and equipment, including gas/flame detectors, motion detectors, audio/video surveillance, and station lighting systems, including security and perimeter systems covering equipment and working areas.


Beyond mitigation measures designed for an operating facility, other sabotage prevention measures are available to the operating company. For instance, during construction:
• Materials and equipment are secured; extra inspection is employed.
• 24-hour-per-day guarding and inspection
• Employment of several trained, trustworthy inspectors
• Screened, loyal workforce—perhaps brought in from another location
• System of checks for material handling
• Otherwise careful attention to security through thorough planning of all job aspects.

An opportunity to combat sabotage also exists in the training of company employees. Alerting them to common sabotage methods, possible situations that can lead to attacks (disgruntled present and former employees, recruitment activities by saboteurs, etc.), and suspicious activities in general will improve vigilance. Other human resources opportunities for threat mitigation include the installation of deterrents.

A number of obstacles to internal sabotage can be considered mitigation measures against attacks that may otherwise occur. Common deterrents include:
• Thorough screening of new employees
• Limiting access to the most sensitive areas
• Identification badges
• Training of all employees to be alert to suspicious activities.

9.2.1 Types of Mitigation

Several potential sabotage-specific mitigating measures are discussed in PRMM. These include:
1. Community Partnering
2. Intelligence
3. Security Forces
4. Resolve
5. Industry Cooperation
6. Facility Accessibility (barrier preventions, detection preventions).

9.2.1.1 Community partnering

Supporting communities near the pipeline by building roads, schools, hospitals, etc. can change the dynamics of a company’s relationship to the local population. This is done not only to become a good neighbor and dissuade some would-be attackers, but also to enlist allies—adding to the eyes and ears interested in preserving the assets. See PRMM.


Similarly, efforts to avoid disgruntled employees or former employees are an analogous mitigation.

While some might view such activities as a change in exposure, rather than a mitigation, consider that the attack potential is the starting point and is normally the result of local geopolitical history. The community partnering program intervenes in this attack potential and therefore can be viewed as a mitigation. In some cases, this variable could command a relatively high percentage of possible mitigation benefits—perhaps 20–70%.

9.2.1.2 Intelligence Gathering

Gathering of intelligence regarding potential attacks is commonplace among some corporate security departments. See PRMM.

Effectiveness of intelligence gathering is difficult to measure and can change quickly as fleeting and time-sensitive sources of information appear and disappear. To the extent that the company is able to reliably and regularly obtain information that is applicable in preventing or reducing acts of sabotage, real risk mitigation occurs.

In a preliminary assessment of this mitigation measure, a simple ratio can be used:

Number of acts interrupted through intelligence gathering efforts ÷ number of acts attempted

For example, if it is believed that three acts were avoided (due to forewarning) and eight acts occurred (even if unsuccessful, they should be counted), then 3/11 = 27% may be an appropriate mitigation effectiveness value.

9.2.1.3 Security

Security can take many forms including barriers and accessibility issues, as discussed
elsewhere. A security force is another potential mitigation measure. The effectiveness
of security measures will be situation specific.

9.2.1.4 Resolve

As discussed in PRMM, a well-publicized intention to protect the company’s facilities may be a deterrent and hence can be included as a mitigation measure in a risk assessment.

9.2.1.5 Industry cooperation

As noted in PRMM, sharing of intelligence, training employees to watch neighboring facilities (and, hence, multiplying the patrol effectiveness), sharing of special patrols or guards, sharing of detection devices, etc., are benefits derived from cooperation between companies.

9.2.1.6 Facility accessibility

PRMM describes numerous aspects of accessibility that influence sabotage potential. Attacks will often occur at the readily accessible (most visible and often more vulnerable) targets, which are often surface facilities. While a buried pipeline is indeed relatively inaccessible, one common component is a possible exception: portions of a buried pipeline that are encased in a casing pipe can be more vulnerable to sabotage than directly buried pipe. The vulnerability arises from the common use of vent pipes attached to the casing that provide a route to the carrier pipe from the surface.

Casing vent pipes have historically been used by would-be saboteurs as opportunities to access a carrier pipe. An explosive charge, dropped into a vent pipe, can then detonate against the carrier pipe. Some companies employ design features to prevent intentional and unintentional objects from moving down a vent line to the carrier pipe.

9.2.2 Estimating Effectiveness

As with the estimate of exposure, estimating mitigation effectiveness will necessarily be quite judgmental in many cases. In all assignments of effectiveness, the assessment should carefully consider the “real-world” effectiveness of the anti-sabotage measure. Factors such as training and professionalism of personnel, maintenance and sensitivity of devices, and response time to situations are all critical to the usefulness of most mitigation measures.

The exposures can be offset in the assessment by compiling the effectiveness of all mitigative conditions within the conservatism of the PXX chosen. Preventive measures at each facility can sometimes bring the damage potential nearly to the point of having no such facilities. This is consistent with the idea that “no exposure” will have less risk than “mitigated exposure,” regardless of the robustness of the mitigation measures. From a practical standpoint, this allows the pipeline owner to minimize the risk in a number of ways because several means are available to achieve the highest level of preventive measures to offset the exposure level for the surface facility. However, it also shows that even with many preventions in place, the hazard has not been completely removed.

9.3 RESISTANCE

Some sabotage attacks will be unsuccessful not through mitigation—preventing the attack from reaching the component—but rather through the component’s resistance. Paralleling the resistance to other external damage mechanisms such as impacts and earth movement, components more able to absorb forces from sabotage attacks will fail less often when damaged.

Earlier, a distinction was made between vandalism and sabotage. The former often includes defacing, theft, and other activities that are not normally direct threats to integrity or even service continuity. Such acts are more readily resisted by the normal designed strength of most components. The ‘sabotage’ term is reserved for the actions more focused on causing at least service interruption if not also leak/rupture. With a more deliberate attempt to cause significant damage, the ability to resist damages is less certain. It is often conservatively assumed that a determined attacker will eventually be able to inflict damage on a system as difficult to protect as a long pipeline.

9.4 CONSEQUENCE CONSIDERATIONS

The probability of more severe consequences may be increased by an intentional and possibly orchestrated release of pipeline contents. The integrity breach may be more likely to cause a rupture rather than a leak, and the timing and subsequent chain of events may be influenced by human interaction seeking to exacerbate the scenario: an attacker could time an event for maximum occupancies in surrounding areas or for more problematic emergency response, or he could even directly interfere with emergency response in numerous ways.

Fortunately, it is difficult to orchestrate worst-case pipeline failure events via sabotage, unless significant outside force (weaponry) is deployed against a visible component. Even if, despite numerous safeguards, an integrity breach is created, it would be difficult to maximize the ensuing consequences—i.e., ensuring ignition at an optimum time, with receptor proximity, etc.

Nonetheless, it is often prudent to conservatively assume that, in the case of sabotage, there is a greater likelihood of the consequences being more severe. That worst-case scenarios may occur more frequently under the threat of sabotage is a conservative and reasonable assumption.

Consider also the less dramatic but highly costly sabotage scenarios. Leaks below detection limits, continuing for long periods of time, may cause extensive environmental damage and costly or impossible remediation. Interference with corrosion control systems could cause widespread, difficult-to-detect damages that, if allowed to accumulate over time, may cause widespread environmental damages and require extensive infrastructure replacements.

Planning and preparation for repair and replacement can minimize the impact of attacks. This strategy concentrates on reducing consequences—service interruption—rather than PoF reduction through defensive means. The demonstrated ability to recover quickly and efficiently from any possible damages done by an attack may reduce the incentive of potential saboteurs. There are real examples of this approach. After years of attempting to protect a long pipeline, one owner changed strategies and instead assembled spare parts and rapid response capabilities. These costs were offset by the savings from reduced attempts to protect all locations. With a maximum outage period of two days for even the most successful attacks, the damage to company business was minimized and sabotage events dropped significantly. This strategy will have the added benefit of reducing consequences from any other type of failure mechanisms and is assessed in the cost of service interruption.

Example 9.1: Sabotage Assessment

The following example begins with a scenario proposed in PRMM and adds more quantifications, consistent with a newer risk assessment methodology.

The pipeline system for this example has experienced episodes of spray painting on facilities in urban areas and rifle shooting of pipeline markers in rural areas. The community in general seems to be accepting of, or at least indifferent to, the presence of the pipeline. There are no labor disputes or workforce reductions occurring in the company. There are no visible protests against the company in general or the pipeline facilities specifically. The evaluator sees no serious ongoing threat from sabotage or serious vandalism. The painting and shooting are seen as random acts, not targeted attempts to disrupt the pipeline.

Nonetheless, the P99 risk assessment includes the following threat and consequence analyses:
• An estimated near-term exposure of 0.5 events per year at an aboveground location and an estimated 20% mitigation effectiveness is assigned. The associated damage probability is assessed to be 0.5 × (1 - 20%) = 0.4 events per year. A resistance value of 50% is used, yielding a PoF = 0.2 failures/year, or a failure every 5 years.
• Consequences, including service interruption costs, are estimated to be $32K per incident based on a collection of P99 scenarios of damage potential. This leads to a near-term expected loss of 0.2 events/year × $32K/event = $6.4K/year. This value is carried to risk management meetings to determine appropriate reactions to this conservatively estimated short-term risk.

As part of the risk management discussion prompted by this assessment, a related decision is made to address the potential for sabotage during future construction. This is to be addressed primarily via additional inspection and monitoring during installation and a robust post-installation ILI.
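
Added example, not from the book: the chapter's exposure, mitigation, resistance and consequence chain as a small calculator that reproduces Example 9.1, the 3/11 intelligence ratio from 9.2.1.2, and the vandalism adjustment to resistance from 9.1. Combining several mitigations as independent layers is an assumption (the chapter does not give a combination rule), and the `VARIANT` inputs are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from math import prod


def _fraction(value: float, name: str) -> float:
    """Reject effectiveness/resistance values outside 0..1."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")
    return value


def intelligence_effectiveness(interrupted: int, occurred: int) -> float:
    """Section 9.2.1.2 ratio: acts interrupted / acts attempted, where
    attempted = interrupted + occurred (successful or not)."""
    attempted = interrupted + occurred
    return interrupted / attempted if attempted else 0.0


def combined_mitigation(layers: list[float]) -> float:
    """ASSUMPTION (not stated in the chapter): layers act independently, so
    an attack causes damage only if it gets past every one of them."""
    return 1.0 - prod(1.0 - _fraction(e, "mitigation") for e in layers)


def blended_resistance(vandalism_fraction: float, sabotage_resistance: float) -> float:
    """Section 9.1: vandalism-type events are 100% resisted; the remainder
    are resisted at the component's sabotage resistance."""
    v = _fraction(vandalism_fraction, "vandalism_fraction")
    r = _fraction(sabotage_resistance, "sabotage_resistance")
    return v * 1.0 + (1.0 - v) * r


@dataclass
class SabotageAssessment:
    exposures: dict[str, float]  # events/year, one entry per exposure source
    mitigations: list[float]     # effectiveness of each measure, 0..1
    resistance: float            # fraction of damage events survived, 0..1
    cost_per_failure: float      # $ per failure

    def exposure(self) -> float:
        if any(rate < 0 for rate in self.exposures.values()):
            raise ValueError("exposure rates cannot be negative")
        return sum(self.exposures.values())

    def damage_rate(self) -> float:
        return self.exposure() * (1.0 - combined_mitigation(self.mitigations))

    def pof(self) -> float:
        return self.damage_rate() * (1.0 - _fraction(self.resistance, "resistance"))

    def expected_loss(self) -> float:
        return self.pof() * self.cost_per_failure


# Example 9.1 inputs, taken from the text.
EXAMPLE_9_1 = SabotageAssessment(
    exposures={"aboveground location": 0.5},
    mitigations=[0.20],
    resistance=0.50,
    cost_per_failure=32_000,
)

# Constructed variant: cyber exposure added per attacker type (9.1.1), the
# 3-of-11 intelligence ratio as a second mitigation, and 60% of events
# assumed to be vandalism that the component fully resists.
VARIANT = SabotageAssessment(
    exposures={"aboveground location": 0.5, "hacktivist": 0.02, "cyber-criminal": 0.01},
    mitigations=[0.20, intelligence_effectiveness(3, 8)],
    resistance=blended_resistance(0.60, 0.50),
    cost_per_failure=32_000,
)

if __name__ == "__main__":
    for name, a in (("Example 9.1", EXAMPLE_9_1), ("Variant", VARIANT)):
        print(f"{name}: exposure={a.exposure():.3f}/yr damage={a.damage_rate():.3f}/yr "
              f"PoF={a.pof():.4f}/yr EL=${a.expected_loss():,.0f}/yr")
```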
