Academic journal article Energy Law Journal

Acknowledging the Threat: Securing United States Pipeline SCADA Systems

Article excerpt

Synopsis: The threat of large-scale cyber attacks on the nation's oil and gas pipeline SCADA systems is increasing. Despite the growing threat, pipeline SCADA systems remain wanting in the area of cybersecurity. However, the newly created NIST Framework and the ONG-C2M2 model combine to lay a strong foundation for the development of increased cybersecurity in the oil and gas pipeline sectors. With increased information sharing between the private sector and the government, and specific, numeric objectives to work toward in developing cybersecurity programs for pipeline SCADA systems, the voluntary measures currently in place might prove effective in protecting systems nationwide. These voluntary measures could be strengthened through legislation streamlining the information sharing process and providing liability and privacy protection for oil and gas pipeline owners, which would further incentivize industry participation.


Although the United States has recently focused heavily on foreign policy and international economic stability, cybersecurity in the oil and gas industries may have been neglected due to generational differences in recognizing the threats that cyber vulnerabilities can create.1 The 2003 electrical blackout and the 2010 discovery of the malware known as Stuxnet caused the electric grid and nuclear systems to receive attention in recent years, but cybersecurity of oil and natural gas pipelines has not received the same attention.2 Some sources report that oil and gas companies lose as much as $8.4 million per day due to cyber attacks.3

Many pipelines today are controlled by computerized Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems have been criticized as non-standardized and vulnerable to cyber attacks.4 Currently, the U.S. Department of Homeland Security (DHS), in conjunction with the U.S. Department of Transportation's (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA), monitors pipeline security through the Transportation Security Administration (TSA).5 Some argue that DHS lacks adequate resources and has struggled with regulations to promulgate SCADA standards, leading to a discretionary mix of security efforts.6 This comment suggests that the newly introduced National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Framework), combined with the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) put forth by DHS and the U.S. Department of Energy (DOE), creates a solid foundation for pipeline SCADA system cybersecurity that DHS can utilize as it intensifies its standardization efforts in the oil and gas industry.7


A. SCADA Systems in Oil and Gas Pipelines

Liquid and gas transmission pipelines span far enough to circle the globe seven and twelve times, respectively, and they transport nearly two-thirds of the United States' energy supply.8 Gas distribution pipelines span an additional 1.9 million miles throughout the United States, creating a vast national pipeline network.9 Technological advances over the past decade have reduced the cost of SCADA systems, allowing virtually uniform use of SCADA technology throughout interstate pipelines.10 Through SCADA, the industry can control thousands of miles of pipeline from one central location.11 Human controllers can input commands to remotely operate pipeline control equipment.12 These instruments relay critical measurements such as pressure, temperature, and rate of oil or gas flow back to the main control computer via remote terminal units, and indicate any change in status along the pipelines so that human controllers can maintain pipeline stability.13

Although there are numerous SCADA software packages, most SCADA systems contain a three-layer architecture that may be analyzed as a data layer, a processing layer, and a user interface layer.14 The processing layer gathers data from remote terminal units, storing it in the data layer, and issues commands to controls along the pipeline to change or maintain their states. …
