Skip to main content

A risky business

Hydrocarbon Engineering,

The full version of this article is available to subscribers in the December 2011 issue of Hydrocarbon Engineering.

Subscribe here to read the full article, existing Subscribers can login here to read the December issue.

It is a sad fact that these days hardly a month goes by without an aggressive act toward the global energy sector. In the spring of 2011, protesting workers began setting up barriers to isolate the Rubiales Field in Colombia. The protests eventually escalated into violent confrontation that shut down more than a third of the country’s output by cutting off 225 000 bpd of production.

In July, terror suspect Anders Breivik set off several bombs in the government district of Oslo, Norway, severely damaging the Ministry of Petroleum and Energy building, before allegedly going on a shooting rampage that left 77 dead. Police later found plans in his possession to attack an offshore oil rig in the North Sea.

In August, an Oklahoma man called a local 911 operator and claimed he had placed a bomb on a pipeline. The Oklahoma Highway Patrol Bomb Squad discovered an improvised explosive device (IED) attached to a large interstate gas line in central Oklahoma. The IED was successfully removed and rendered harmless. The FBI subsequently arrested Daniel Herriman and charged him with attempting to destroy real property used in interstate or foreign commerce.

Evaluating the risk

In the wake of the September 11th terrorist attacks, there was a lot of risk assessment work done on energy infrastructure including pipelines and refineries. Assessments included a gamut of potential adversaries and scenarios, from vandalism to environmental protests to criminal acts, and finally, state sponsored terrorism. Any assessment carried out on a particular asset or potential target would include an examination of these likely threats, including their probability. This would help to determine the facilities’ vulnerabilities and what could be done to mitigate their happening.

Risk assessment starts with an examination of actual threats that have previously arisen, looking in detail at past history and the likelihood of repetitions. Examples include environmentalists chaining themselves to property and disgruntled employees causing harm. It is also helpful to look at what has happened to similar assets in other places and potential threats that may have been directed against the industry.

Risks associated assets such as refineries are roughly subdivided into internal and external threats. External threats include direct attack by terrorists, as well as non-violent interruption of operations by environmentalists.

Hack attack

A new threat has emerged over the last decade: computer system breaches. These invasions can range from hackers breaking through firewalls simply for the challenge, to state sponsored acts of aggression.

In the spring of 2007, a coordinated denial of service (DOS) attack occurred against banks and government institutions in Estonia. DOS attacks involve assembling a network of botnets (servers infected with malicious software), then instructing the network to bombard a website with data requests until it overloads and crashes. At the time of the attacks, Estonia had stirred controversy within Russia when it moved a World War Two memorial of a Russian soldier. NATO investigated and found Russian hackers had been involved, but also traced attacks to computers in Canada and other countries.

There are a number of risk assessment options that can be implemented for these types of attacks. These include assessments of both physical and electronic security plans, testing of internal and external network infrastructure against penetration, evaluation of remote access security, control system and supervisory control and data acquisition (SCADA) security, and even examination of telephone and voice messaging systems vulnerability: essentially, anything that has the potential to be compromised by hackers or attackers.

Cyber vulnerability audits can take up to two months for large, complex environments and often cost between US$ 25 000 - 100 000, or more. However, the value of such a project is obvious. Audits can uncover unprotected network access points that even the client does not know about. On many occasions, systems or software can be controlled by accounts for which the passwords are still set to the factory default. These types of holes are a huge advantage for any hacker.

Risk from natural causes

Humans are not the only risks to infrastructure; nature can contribute more than its fair share of havoc. When Hurricane Katrina struck the Gulf of Mexico in 2005, it laid waste to large swaths of the pipeline network, sweeping away shallow lines with wave action, snagging other sections with platform anchors, sinking production barges and undercutting onshore pump stations. In all, the hurricane caused several billions of dollars worth of damage and almost US$ 100 billion in curtailed production. Working in conjunction with various state and federal agencies, the industry has since hardened the infrastructure, redesigned anchors and built in redundancies.

The future

When assessing where risk will emerge in the future, a lot depends on the geographical location of assets. Although the 9/11 event showed that no region is immune to terrorist attack, risks in North America or Europe are generally limited to individuals with grievances, like the alleged mass killer in Norway or the Oklahoma gas line bomber. Yet, the plain truth is the energy industry has thousands of miles of pipeline, and if someone wants to put a bomb on one it is impossible to stop every attack. Of course, there are measures to be taken that will significantly reduce the likelihood of attack and minimise impacts should any occur.

The full version of this article is available to subscribers in the December 2011 issue of Hydrocarbon Engineering.

Subscribe here to read the full article, existing Subscribers can login here to read the December issue.

Read the article online at:


Embed article link: (copy the HTML code below):