Bloomberg has been busy lately with cyber reporting. On December 10th, 2014, they reported that the attack on the Turkish BTC pipeline in 2008 was likely a cyber attack.
The Department of Energy’s Idaho National Laboratory caused a 1 megawatt generator to blow up to prove a point a couple of years before this, so from a possibility standpoint, this is not news. What is news is that terrorists are moving from possibility to actuality.
The pipeline had sensors and cameras to monitor all 1,100 miles of pipe but curiously, neither the cameras nor the sensors detected the blast. The pipeline operator found out about the blast and fire when a civilian called the control center on their phone.
The Turkish government blamed a malfunction (kind of like Sony saying they were investigating an IT incident a couple of weeks ago). A group of Kurdish separatists claimed credit. BP said there was a fire (true, but kind of missing an important point).
According to 4 different sources, the hackers shut down alarms, cut off communications and over pressurized the pipeline until it exploded and caught fire. Apparently, the chief suspect is Russia.
The NSA had been warning for years that bad guys could blow up infrastructure from afar. Admiral Rogers, the current NSA boss, in fact, stated in testimony before Congress last month that it was no longer a question of if, but rather when. I guess the when was 6 years ago. The NSA did investigate at the time, so like with the Sands attack I reported about yesterday, the NSA is being a tad bit coy with what they do know.
The good news is that the pipeline was repaired in only a couple of weeks.
The article has more details on the attack.
The point of entry was the wireless security cameras themselves. The software had a vulnerability and the cameras were not isolated from the rest of the control or alarm system. Bad boys and girls.
The blast spilled 30,000 barrels of oil and cost BP $5 million dollars a day in transit tariffs. The Republic of Azerbaijan lost $1 billion in export revenue while the pipeline was down. Assuming the pipeline was running at capacity, that revenue was lost for good.
For any organization that has industrial control systems (this is not just the local water company – this includes security cameras, alarm systems, HVAC controllers, elevator controllers and other physical plant equipment – just to name a few possibilities) now would be a good time to be worried and make some changes.