Pipeline and Network Security: Protecting a Series of Tubes

With Lulzsec’s recent press and the big FBI cyber busts, I was reminded of a similar yet seemingly unrelated security challenge. This February, I was invited to give a talk in the Netherlands on Caucasian security. Sitting on a panel with the nation’s experts on Eurasian geopolitics, I decided to leave the big picture to them and drill down on one fascinating problem, pipeline security.

In this oil and gas rich region, most of the hydrocarbons pass through the conflicted Kurdish region of Turkey on their way to the energy-hungry United States and Europe. Turkey derives tremendous revenue from transit fees and rent through its oil pipelines, and is expanding to gas and LNG. Given the importance of the pipelines, the PKK puts pressure on Turkey and Iraq by continuously blowing them up, burning fuel, and disabling miles of international infrastructure for millions of dollars of damage. As an added bonus, Turkey is embarrassed and loses investor confidence.

Though damaging, these attacks are cheap and simple, requiring no more than two guys, a truck, shovel, and some home-made explosives. Protecting those pipelines, however, is an almost impossible task. Thousands of miles long, they cannot be patrolled across their entire lengths, which mostly pass through hostile regions with difficult terrain. Pipelines are easy to find as even when they are buried they tend to be marked above ground and their location is public knowledge.

Turkey has tried and failed to prevent attacks with numerous approaches over the years. They saturated the area with six times the number of US troops in neighboring Iraq at a cost of 2-3% of their GDP. They put pressure on the Kurds with brutal and aggressive counterinsurgency techniques and at the same time met most of the initial Kurdish demands over the years to no avail. They’ve also put their faith in expensive technology and are developing more, hoping that their problems have a technical solution.

Pipeline security reminds me of cyber security. Both are daunting problems of countless vulnerabilities to attack and the potential for tremendous economic and even diplomatic fallout. In both cases, it’s nearly impossible to truly harden the targets, due to the nature of pipelines, which must be extremely long and go through Kurdish land to effectively reach the West, and the structure of the internet, whose infrastructure promotes openness and convenience rather than security. Attribution is another common problem, with hackers launching attacks through third parties and covering their tracks and the PKK blending seamlessly into Kurdish villages.

Not surprisingly, both security problems have similar remedies. The most effective way to protect your network from cyber attack is to assume that malware will make it through, even that your network is already compromised, and then ensure that it is robust enough to bounce back from minor attacks. Pipelines are the same way. The most cost effective response to pipeline bombings has been to keep plenty of spare parts and streamline the repair process to minimize damage and lower the rewards for attacks.

In cyber security, detection and monitoring are critical through intrusion detection systems, intrusion prevention systems, and better log monitoring. The former two simplify the latter and allow for better scheduling. Administrators are rarely able to monitor all network activity, so having them jump in when the automated systems find an anomaly can reduce required manpower while improving remediation. Turkey is seeing success with a similar strategy. They have deployed seismic monitoring along lengths of their pipelines, which, while expensive, is highly effective for detecting strange behavior across great lengths. The monitors detect vibrations in the pipelines and can recognize a truck driving too close, footsteps approaching where a pipe is buried, and digging, allowing an expeditionary security force to be deployed quickly for an active defense versus the passive defense of constant patrols. This also cuts down on required personnel, which may make up for the cost of the new technology.
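The log-monitoring side of this, where an automated check watches the stream and only pages a person when something anomalous appears, is easy to show concretely. The following is an added example, not code from the original post: a small Python detector that parses OpenSSH-style authentication log lines and raises one alert per source address when failed logins within a sliding time window reach a threshold. The log lines are constructed for the example (documentation IP ranges, no real host), and the threshold and window values are hypothetical tuning knobs, not recommendations from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (not captured from any real host).
# One source (203.0.113.7) fails five times in a few seconds; one legitimate user
# (198.51.100.20) mistypes once and then succeeds; one source fails only twice.
SAMPLE_LOG = """\
Jun 12 10:00:01 gw sshd[2101]: Accepted publickey for ops from 198.51.100.20 port 51000 ssh2
Jun 12 10:00:05 gw sshd[2102]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun 12 10:00:06 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Jun 12 10:00:07 gw sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
Jun 12 10:00:08 gw sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 50125 ssh2
Jun 12 10:00:09 gw sshd[2106]: Failed password for root from 203.0.113.7 port 50126 ssh2
Jun 12 10:03:40 gw sshd[2110]: Failed password for ops from 198.51.100.20 port 51004 ssh2
Jun 12 10:03:52 gw sshd[2111]: Accepted password for ops from 198.51.100.20 port 51005 ssh2
Jun 12 11:15:00 gw sshd[2150]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jun 12 11:15:30 gw sshd[2151]: Failed password for root from 203.0.113.9 port 40002 ssh2
"""

# Matches the "Accepted ..." and "Failed ..." lines sshd writes for each auth attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2011):
    """Return a dict for an auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source address.

    Emits one alert per source the first time its failures inside the window
    reach `threshold`; later failures from the same source do not re-alert,
    so an operator gets a single ticket rather than a flood."""
    windows = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = windows[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window relative to this event.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_failed_login_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['src']}: {a['count']} failed logins "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The single legitimate typo and the two slow failures stay below the threshold, so only the burst is escalated; that is the point of the post's argument about automation: the detector does the constant watching, and the administrator's time is spent on the handful of events that cross a line.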

Overall, however, for both complex security environments, there is no magic bullet. Better means of protecting pipelines helped when the Turkish government continued to put pressure on the PKK, but a heavy-handed counterinsurgency only served to make martyrs until it was combined with soft power. Damaging the PKK also required transnational actions and support, as the leaders were scattered through the Kurdish diaspora. Cyber security also requires a mix of protection, active defense (read: offense), international cooperation, technological advances, and hours of hard work. While resilience and remediation are the most effective means of dealing with both sorts of attacks, both will remain towering problems that can only be mitigated with a medley of techniques and never completely overcome.


4 thoughts on “Pipeline and Network Security: Protecting a Series of Tubes”

  1. my periodic analogy for cybersecurity is putting things behind a bank vault door which has been installed in an open field … with no corresponding bank vault

  2. cybersecurity threat tends to be to data “at rest” (at end-points, not “in flight”) and typically involves strong financial motivation, the crooks using harvested information for fraudulent transactions. frequently the end-points are merchants where the value of the information (to merchants) is profit from transaction (possibly a couple of dollars), while the value of the information to crooks is for fraudulent transactions that drain the account (potentially several hundred dollars). As a result, the attackers can potentially afford to outspend the defenders by a factor of 100 times (inverted asymmetric threat)

    the financial infrastructure has strong vested interest in preserving the current infrastructure status quo with interchange rates strongly related to possible fraud. a decade ago there were a number of “safe” internet payment products being hawked to merchants … which saw strong acceptance until the “cognitive dissonance”. merchants had been programmed for decades that the interchange fees charged were strongly correlated with potential fraud … and they expected “safe” payment products to reduce those fees by an order of magnitude (or more). However, they were then informed that the interchange rates for the “safe” payment products would basically be a surcharge on top of the highest fee they were already paying … and all the efforts fell apart.
