
Securing Critical Gas Infrastructure

The security and resilience of Europe's critical gas infrastructure against cyber and physical threats depend on new resilience concepts and investments in innovation.

Europe relies heavily on imported natural gas, and the Gas Critical Infrastructure (GCI) involved in transporting, storing and distributing it must be made secure and resilient to both physical and cyber threats. However, the complexity of the gas network – including its diversity of transportation lines, geographies crossed, and production and storage facilities – makes it a challenging environment to secure and a tempting target for attackers. Meanwhile, the attractiveness of the gas infrastructure is only growing, making it even more essential to protect it and make it resilient.

Natural gas accounts for 25% of Europe’s total energy consumption, and two thirds of this gas is imported, with the main supplier, Russia, providing around 40% of the gas (compared to 25% of imported crude oil). This dependency, along with the long history of tensions in countries along the Russian gas transit routes (specifically Ukraine and Belarus), has long fueled concerns in the EU about the security of the Russian gas supply. Now, EU states including the Baltics, Bulgaria and Greece, as well as central and eastern European countries that are not yet members of the EU (e.g. Ukraine), are noticing an increase in threats to gas networks. These threats are both cyber and physical in nature and are often combined into cyber-physical threats. Alongside the COVID-19 pandemic’s effects on the gas market and the EU-Russia gas relationship, these threats have heightened concerns about energy security right as Europe’s economy is slowly recovering from the pandemic, when cheap and guaranteed energy is most crucial. Safeguarding this supply will demand national efforts combined with EU-wide policy coordination.

European societies rely heavily on the effective functioning of gas critical infrastructure (CI). Yet due to their distributed nature and often public routes, gas grids are prone to physical attacks, cyberattacks (e.g. SCADA manipulations) and cyber-physical attacks. An example of the latter is the long-term, coordinated cyber-physical attack on Ukraine’s power distribution network, which took about 30 substations offline, affected two power distribution centres and left more than 23,000 people in the dark for hours.

The majority of gas systems are poorly protected against cyber threats, and lacklustre security has already allowed a number of destructive cyberattacks to damage some of the most high-profile companies in the industry. From Night Dragon to Shamoon, oil and gas companies have been victims of sophisticated cyber threats since 2009. Many of these attacks have caused considerable financial damage – and yet the industry has been painfully slow to deploy proper cybersecurity measures adapted to its infrastructure. Spending has picked up considerably since 2014, but the majority of employees in the oil and gas industries have inadequate knowledge of corporate cyber threats such as SpyEye, Zeus, Stuxnet and Flame.

Security Throughout the Supply Chain and Lifecycle

The oil and gas industry operates through a global supply chain that is typically divided into three segments: the upstream segment finds and produces crude oil and natural gas; the midstream segment handles the processing, storing and transporting of energy commodities; and the downstream segment includes oil refineries, retail outlets and natural gas distribution companies. Thus, Gas Critical Infrastructure (GCI) consists of a series of elements including system pipes, compressor stations and meter stations, as well as storage facilities, distribution infrastructure and other installations throughout the gas supply chain.

As GCI grows, it offers an ever-larger attack surface, growing more vulnerable to cyber threats. In response, and to adapt to technological advances, the industry’s security systems and architectures are continuously evolving. Security is a continuous process: to be most effective, security must be included in the lifecycle design from the outset. Building the system with a robust security architecture at its core, and integrating with broader organisational compliance and governance efforts, can achieve more effective, lower-cost security.

Nevertheless, security incidents will inevitably occur. Indeed, most gas companies have experienced numerous cyberattacks in recent years, incurring huge losses. Disruptions created by the attack on Saudi Aramco echoed for months, highlighting the importance of cybersecurity to prevent such attacks. Recently, the COVID-19 pandemic has accelerated the Bring Your Own Device (BYOD) trend, further exposing gas companies to phishing attacks. Network security measures and firewalls are expected to become increasingly popular to help protect against this threat. In the meantime, increased digitalisation of the gas sector, including the use of Internet of Things (IoT) functionalities, is likely to increase threats to IT and OT (operational technology), including attacks planned using public knowledge about the technological specifics of installations. Finally, an increased number of connections between gas elements, more interfaces with other grids, and the increased use of automated monitoring and regulation loops may cause cascading (or snowball) effects and lead to the emergence of novel types of threatening behaviour.

Managing risks and recognising vulnerabilities in the current infrastructure are major security concerns among gas enterprises. In addition to increased spending on cybersecurity and regulatory compliance, cyberattacks related to IoT technologies are driving the market for gas network security. Plants and storage areas are high-security zones. These challenges highlight the need for joint physical, cyber and especially cyber-physical threat risk analysis and management, including preparation for and prevention and detection of cyber threats, as well as optimised response, recovery and restoration systems.

Role of EU Innovation Projects: SecureGas Approach

Research and innovation programmes play a central role in enabling the scientific and industrial community to tackle current and emerging challenges posed by cyber threats, not only at the “operational” level (e.g. new tools, solutions, etc.) but also at the “strategic” level, by embedding a resilience approach into management processes of organisational security. The “Secure Societies – Protecting freedom and security of Europe and its citizens” initiative within the EU Horizon 2020 Research and Innovation programme is one of the EU’s flagship efforts to address this challenge. It directly contributes to the Focus Area “Boosting the effectiveness of the Security Union” to the tune of €704.59 million.

A challenge many research and innovation programmes face is adapting traditional business models to a new, complex security environment while responding to constraints faced by the industry. In the gas sector, while many small and large gas companies have adopted physical and cybersecurity solutions, most enterprises still rely on existing security solutions. Technological innovation and increased use of cloud technologies and online platforms have made companies’ security perimeters more porous to cyber threats and vulnerabilities. In this complex and evolving environment, the industry needs security solutions that:

  • Are designed to be applicable to all phases of the lifecycle of an infrastructure (from planning up to operation and maintenance), including the emergency/crisis management phase;
  • Provide a systemic view of risks and threats by adopting a combined physical-cyber approach;
  • Are flexible enough to be adapted to the needs and requirements of small to large companies;
  • Are easy to use and easy to operate;
  • Enable forward-looking approaches and strategies by mapping trends in technological and non-technological risks, thus supporting strategic and long-term decisions;
  • Put resilience at the core of operational applications, by preventing, promptly detecting, quickly responding to and cost-effectively recovering from disruptions caused by cyber threats.

This is where innovation-oriented research projects implemented by large consortia of operators, researchers and private sector actors play an important role. One such project is SecureGas, which provides i) a flexible and modular architecture that can be adapted and customised to different security needs, requirements and company sizes; ii) a dynamic methodological framework to constantly monitor potential risks and threats; iii) a full set of components supporting effective responses to potential cyber threats or attacks and iv) a set of communication guidelines for proper security implementation among different stakeholders.

SecureGas addresses GCI security and resilience and aims to integrate the resilience capabilities (plan/prepare, absorb, recover and adapt) in the disaster risk management cycle (preparation, response, recovery and mitigation) within an asset lifecycle perspective, thus securing resilience across the various phases of the lifecycle of an infrastructure. The project offers several solutions. A Conceptual Model (CM) and a High-Level Reference Architecture (HLRA) provide a blueprint and the rules for its implementation, detailing how gas installations and systems have to be planned, designed, constructed, operated and maintained to be secure and resilient against physical, cyber and cyber-physical threats. The project also developed a resilience-based solution for asset management of GCI, which includes support for gas companies in evaluating and identifying hazards and risks, a quantitative risk and resilience analysis, security threat management, a business continuity plan and management, competency management and training.

These solutions only begin to address the important challenge facing the industry. SecureGas’ ambition is to secure a long-lasting impact in terms of:

  • Integrating resilience capabilities (and indicators) into the asset management process from planning and design up through normal and emergency operations, with the aim of reducing foreseen risks, optimising monetary investment and reducing uncertainties over the lifecycle of the asset;
  • Operationalising resilience guidelines and impact assessment models for maximum business continuity and non-disruptive operations through effective preventative actions and emergency plans including interconnected gas networks in severe crisis situations affecting EU gas supply;
  • Applying resilience and impact guidelines to validate sustainable and security-tested solutions to end-customers and consumers via strong dependencies on connecting grids;
  • Promoting an effective implementation of regulatory instruments and standardisation initiatives for GCI;
  • Proactively raising awareness via dynamic approaches to inform populations, providers and operators of representative risk scenarios and to educate them in adopting appropriate behaviours for security and safety.
