November 2023, Vol. 250, No. 11
Features
Emerging Threats of Climate Change, Vandalism
By Eduardo Munoz, Technical Authority, Dynamic Risk
(P&GJ) — Pipeline integrity management systems (PIMS) are now in common practice, driven by the Pipeline and Hazardous Materials Safety Administration (PHMSA) requirements in the U.S. In June 2022, PHMSA updated an advisory bulletin on earth movement and geohazards, to monitor changing weather patterns and consider the risk posed by climate change [1].
Beginning in 2022, and prompted by the Colonial Pipeline cyberattack in 2021, PHMSA is inspecting for and enforcing components of cybersecurity — mainly control room regulations, integrity management plan requirements and emergency plan regulations [2].
Risk varies over time and so too the effectiveness of the prevention and mitigation measures. Risk assessment, an integral part of PIMS, must evolve to address new threats prompted by:
- Extreme weather events
- Increased computational capabilities and data availability
- Changes in behavioral patterns
- Enhanced mobility
- The complexity of cyber-physical networks and malevolent intent to disrupt the operation of critical infrastructure
This article discusses the threats associated with climate change, vandalism and cyberattack, from the perspective of existing risk models.
Climate Change
Extreme weather event occurrences have increased in the last decade. For example, the greater Houston area has experienced five once-in-a-lifetime events: three winter storms (2014, 2021 and 2022), a Category 5 hurricane (2017) and its first tornado (2022). Management of extreme weather events with the potential to impact oil and gas assets requires long-term regional predictions.
Climate scientists are aware that decision makers need the uncertainty of future predictions narrowed. A review of temperature models showed identical predictions in a 15-year horizon but high variability beyond that, creating a spread in results [3].
The uncertainty in climate models arises from three factors: (1) internal fluctuations of the system that might reverse — for up to a decade — the long-term trends of climate change, (2) model uncertainty in response to radiative forcings and (3) scenario uncertainty in future influencing factors, such as greenhouse gas emissions. The importance of internal model variability increases at smaller spatial scales and shorter time scales.
Proper initialization and validation of the model requires adequate observational data, which is currently scarce. It is envisioned that real-time data feedback will eventually be used to adjust climate models. Paraphrasing a recent update on the state of climate models: “Waiting for perfect information, as climate scientists are continually urged to do, means it will be too late to act. […] Sensible risk management addresses risk in time to prevent it from happening, and the time is now” [4].
Extreme weather events are herein defined as meteorological events with a 30% increased intensity and coverage from the maximum recorded event, in accordance with a Canadian advisory for future planning.
Extreme weather events cannot be readily incorporated in the existing risk models, due to the high uncertainty of their likelihood and the lack of meaningful lagging/leading indicators. The proposed climate change risk management framework, shown in Figure 1, consists of speculative (“what if”) scenarios of extreme weather events, with an emphasis on consequence assessment.
Hazard identification (HAZID), or threat re-assessment, should be performed regularly to identify new or emerging threats. All internal and external stakeholders should be engaged in the discussion about the impact of climate change on the existing asset inventory and routine operations. Threat interactions also should be considered. The conclusions from the hazard/threat identification process should be documented, for reference in the subsequent steps and for eventual review by the pertaining regulators.
When climate change has been identified as an active threat, the integrity team should define the extreme weather events to be modeled. Table 1 presents a non-exhaustive list of common, extreme weather events to consider, dependent on the type of asset and location.
The integrity team should also consider double-whammy scenarios, which are simultaneous events or events in sequence. A double-whammy example would be the wildfires in late 2017, followed by high winds and heavy rains in early 2018, resulting in mudslides and debris flow over the Montecito hillside in California, which led to 22 deaths and a two-week period of gas service interruption for nearby communities [5].
The third step of the framework reviews the risk model in place to make sure it has the adequate features to model extreme weather events.
In my experience, the following three features need to be reviewed in pipeline risk models:
- Verify that the weather-related outside forces (WROF) assessment method is suited to model the effects of extreme weather events.
- Modify the consequence of failure (CoF) algorithm to represent the increased costs/times for remediation in the aftermath of an extreme weather event.
- Verify that the IO assessment method is capable of accounting for the increase in operation stress during an extreme weather event.
At the end of the model review, the integrity team should be able to propose an implementation roadmap for the pertinent algorithm/tool modifications.
Following the risk model review, the fourth step consists of reviewing the What If tool/module to ensure it can make a risk run that includes each severe weather event determined in the second step, focused on the group of assets or regions of interest.
The third and fourth steps of the framework involve iterative modifications to the risk model and What If tools, and these could take years to implement, depending on the team resources and priorities. Once the required features are in place, the integrity management team should run the extreme weather scenarios and report the findings.
Climate change is an evolving threat that should not be reported on an annual basis. Its impact does not translate well in a corporate risk matrix. Our framework recommends a standalone report of the extreme weather events assessed, with an emphasis on the increase in CoF provoked by the different scenarios considered.
Results should be communicated to all internal and external stakeholders, with pertinent subject matter experts (SMEs) workshops to determine a list of mitigation/remediation measures, the associated cost/benefit analysis and an implementation timeline. The results of the What If analysis can also be used in resilience plans for natural forces, like the one recently prepared by the Southern California Gas Company [6].
Vandalism (Security Risk)
ASME B31.8S – 2020 classifies vandalism as a threat under third-party damage, with data requirements listed in Appendix A, along with the number of past incidents caused by vandalism. Depending on the definition, vandalism might have a component of intentionality.
The framework proposed herein aligns with the security risk guidelines issued by the U.S. DOT Transportation Security Administration (TSA) and the American Petroleum Institute (API).
Hence, there is a preference to use the term “security risk” to represent the different degrees of malicious threats (e.g., theft, vandalism, arson, sabotage, terrorism, armed conflict). However, a cyberattack/cyber-security threat is generally left out of the physical security (i.e., vandalism) risk framework.
The integrity team is generally not in charge of asset security. The asset security team in turn is generally not familiar with the concept of degradation risk, though they may use some indicators such as crime indexes. The two relevant security guidelines in the U.S. [7], [8] have similar methods and a proposed, unified risk-based method (Figure 2).
An effective Corporate Security Plan should provide guidance for the following minimum items:
- Roles and responsibilities
- Inventory and hierarchy of assets to be assessed for security risk
- Data sources and data providers
- Criticality Assessment Method
- Security Vulnerability Assessment (SVA) method corporate risk matrix
- Scheduling rules (monitoring and SVA)
- Baseline security measures implementation criteria
- Enhanced security measures implementation criteria
It is inconvenient to perform an SVA and implement enhanced security measures on all physical assets, since the inventory can be extensive and spread across different jurisdictions. Any risk-based approach should be based on a ranking system of the assets, to help prioritize the in-depth assessment and the ensuing security risk reduction measures. An initial asset categorization should be performed in a “criticality” assessment, which would ideally be a desk review in one session by the security team. A proposed criticality ranking is based on the following criteria:
- Critical asset designation by the local regulators
- Asset loss financial value
- Asset attractiveness
- Criminal activity in the vicinity
- Presence of inside actors
Regulators, such as TSA or the Canada Energy Regulator (CER), have the power to designate a facility as a Critical Asset; those assets should be prioritized in the SVA schedule. Most pipeline risk models include a financial factor to represent material losses, service interruption, loss of life, loss of reputation and impact on the environment. Financial factors should also take into account the impact on system redundancies, asset interdependencies and the interruption of contracts in place.
Asset attractiveness is a factor that assesses the perceived value of the asset and has two components: (1) potential consequence and (2) target recognition. Asset attractiveness is an indication of the correct selection of the target, the likelihood of the attack and the effect of any deterrence measures.
A simple assessment method of the target attractiveness would factor the following items: (1) land use as an indicator of remoteness, (2) service/utility as a classifier for perceived consequence and (3) lack of signage and fencing as a measure of lack of deterrence.
Criminal activity in the vicinity of an asset can be used to forecast opportunistic and premeditated attacks. Some property algorithms (e.g., CAP Index) have been developed to forecast attacks targeting specific types of business (e.g., retail, banking, utilities, government, and hospitals among others), and these algorithms can be easily incorporated into the criticality assessment.
Physical security risks distinguish between external and internal actors; both TSA and API guidelines recommend making a distinction on the nature of the adversary.
In this author’s opinion, internal actors optimize the target selection, render any deterrence measures ineffective and can find workarounds for most physical measures.
From the risk model perspective, the presence of inside actors should do the following: (1) maximize or invalidate the attractiveness factor, depending on the algorithm, since any target obfuscation and deterrence is ineffective; (2) decrease the credit of any physical measure factored into the asset vulnerability and (3) increase the likelihood of failure (LoF) until the insider is deactivated.
Developing indicators for the presence of inside actors is controversial, since it implies having some type of intelligence on the operators’ own employees and contractors. A proposed (non-controversial) leading indicator of insiders’ presence would factor: (1) the recent turnover of employees and contractors and (2) the satisfaction level from any internal surveys.
The output of the criticality assessment should be a ranking of assets by criticality score. A threshold value to consider an asset critical should be determined beforehand. Any critical asset should be scheduled for an SVA, with those assets designated critical by the regulators prioritized.
Non-critical assets should enter a (lower priority) monitoring program to assess the necessity of baseline security measures, such as fencing and signage. SVA should be performed on critical assets, and this assessment can be adapted to be equivalent to a risk assessment.
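An index-based version of the criticality ranking described above, as an added example (not the author's or Dynamic Risk's model). The 0-5 scales, weights, threshold, insider cut-off and asset names are all assumptions, since the article names the criteria but gives no numbers; treating a regulator designation as automatically critical is also an assumption.

```python
from dataclasses import dataclass

# Assumed weights on 0-5 index scales (the article lists criteria only).
WEIGHTS = {"financial": 0.35, "attractiveness": 0.30, "crime": 0.20, "insider": 0.15}
CRITICAL_THRESHOLD = 3.0   # assumed; to be fixed before the desk review
INSIDER_ACTIVE = 3.0       # assumed indicator level treated as "insider present"

@dataclass
class Asset:
    name: str
    regulator_designated: bool   # critical asset designation by the regulator
    financial: int               # asset loss financial value
    remoteness: int              # from land use
    perceived_consequence: int   # from service/utility type
    lack_of_deterrence: int      # missing signage and fencing
    crime: int                   # criminal activity in the vicinity
    turnover: int                # recent employee/contractor turnover
    dissatisfaction: int         # from internal surveys

def attractiveness(a: Asset) -> float:
    """Simple target attractiveness: mean of the three items in the text."""
    return (a.remoteness + a.perceived_consequence + a.lack_of_deterrence) / 3

def insider_indicator(a: Asset) -> float:
    """Leading indicator of insider presence: turnover and survey results."""
    return (a.turnover + a.dissatisfaction) / 2

def criticality(a: Asset) -> float:
    insider = insider_indicator(a)
    attract = attractiveness(a)
    if insider >= INSIDER_ACTIVE:
        # Insiders defeat obfuscation and deterrence: maximize attractiveness.
        attract = 5.0
    return (WEIGHTS["financial"] * a.financial
            + WEIGHTS["attractiveness"] * attract
            + WEIGHTS["crime"] * a.crime
            + WEIGHTS["insider"] * insider)

def triage(assets):
    """Return (SVA queue, monitoring list) as lists of asset names."""
    scored = [(a, criticality(a)) for a in assets]
    critical = [(a, s) for a, s in scored
                if a.regulator_designated or s >= CRITICAL_THRESHOLD]
    monitoring = [a.name for a, s in scored
                  if not (a.regulator_designated or s >= CRITICAL_THRESHOLD)]
    # Regulator-designated assets go first, then descending criticality score.
    critical.sort(key=lambda p: (not p[0].regulator_designated, -p[1]))
    return [a.name for a, _ in critical], monitoring

# Constructed sample inventory (not real assets).
SAMPLE = [
    Asset("compressor-station-A", True, 3, 2, 4, 1, 2, 1, 1),
    Asset("meter-station-B", False, 2, 4, 2, 4, 3, 4, 4),
    Asset("valve-site-C", False, 1, 5, 1, 3, 1, 1, 1),
    Asset("pump-station-D", False, 5, 2, 5, 2, 4, 1, 2),
]

if __name__ == "__main__":
    sva_queue, monitoring = triage(SAMPLE)
    print("SVA schedule:", sva_queue)
    print("Monitoring program:", monitoring)
```

In the sample, meter-station-B crosses the threshold only because its insider indicator forces attractiveness to the maximum; without that override it would stay in the monitoring program.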
The SVA is an in-depth assessment, preferably done on site, and it requires the participation of asset stakeholders.
The purpose of the assessment is to determine risk as a function of the following factors:
- Active threats
- Asset attractiveness
- Asset vulnerability
- Actors/adversaries
- Financial consequence
Financial consequence and target attractiveness consider the same factors specified for the criticality assessment and should be updated with any additional information the asset stakeholders might provide. Asset vulnerability is a measure of the effectiveness of the security measures in place and is generally assessed through a long questionnaire concerning the implementation of physical and technical measures, as well as security programs and procedures.
Dynamic Risk has reworked those questionnaires to match the measures/programs with the right active threats and adversaries. For example, cursory vehicle identification and search help prevent theft and terrorism, but they are not necessarily effective against political demonstrations or arson.
The SVA results should be used as the basis for the implementation of enhanced security measures specific to the active threats and actors and hardening measures aimed at reducing the consequence of a potential attack.
Criticality should be re-assessed when a major modification to the asset process occurs (i.e., asset upgrade/downgrade), when planned security or hardening measures are implemented or when a pre-established reassessment interval occurs.
Cybersecurity Risk
Oil and gas processes and systems have increased in operational complexity (increased pressures/flows, more interdependencies, tighter combination between the computational systems and physical units). Constant technological innovation creates new cyber-threats with initially high uncertainty, making them difficult to model quantitatively. The oil and gas cyber-physical systems are deemed more complex — and thus more prone to cyberattacks — in the upstream and downstream sectors than in the midstream sector.
For example, exploration and production (E&P) systems currently operate with relatively low cyber-risks, but their operations will soon require real time big data acquisition and processing in computing clusters, which in turn will multiply the cyberattack effects. Legacy E&P assets with low cybersecurity considerations will magnify those cyber-vulnerabilities during operation and abandonment.
Finally, cyber-risks at the top tier (IT systems) and bottom tier (field technology systems) have greater consequences in the upstream sector. In contrast, the midstream sector is — and will remain — a series of SCADA-centric systems.
Cyberattacks can do either of the following: (1) invade and control industrial control systems (ICS) seeking to compromise business continuity or (2) target sensitive data on business or enterprise networks that could impact current and future ventures. PIMS is primarily concerned with attacks on its ICS. API Standard 1164 [9] provides a framework for pipeline ICS cybersecurity risk management, which is an adaptation of the wider application framework published in NIST SP 800-37 [10]. The API framework kept all the elements of the NIST framework, as illustrated (Figure 3).
Cyber-threats risk assessment is similar to that of other threat risk models. LoF considers the following: (1) threat specific factors and (2) the system’s vulnerability. Common threat-specific factors to consider are the skill required for the attack, an opportunistic attack vs. persistent attack and the actor/adversary.
The vulnerability of the system can be characterized by the discoverability, exploitability, awareness/confidentiality and detectability (i.e., a logged/not logged user).
CoF should consider common business factors, such as financial and reputation loss, and additional technical factors such as data integrity loss, ICS availability loss, confidentiality loss and user accountability loss.
The API STD 1164 risk scoring, risk rating and impact severity levels are aligned with API STD 780. Hence, there is the possibility to unify the security and cyber-security risk models.
Pipeline Risk Models
The ability to model emerging threats is challenged by data and monitoring method availability. Initial risk models for these threats are, at best, index-based rankings suitable to prioritize mitigation measures, which might conflict with the maturity of other components in the pipeline risk model.
The effect of climate change cannot be incorporated in most risk models for generating annual predictions, with the effects instead most effectively modeled as “what if” scenarios, to define response plans and resilience measures. The risk models for security and cybersecurity can be implemented into an existing risk model or their risk results can be incorporated as inputs.
Stand-alone models managed by SMEs external to the PIMS team tend to create data silos and incompatible data repositories. A protocol for stakeholder and tool management is recommended to make available all information relevant to PIMS decision-making.
Conclusions
- The effects of Climate Change can be assessed by modeling extreme weather scenarios with a “what if” tool.
- TSA guidance and API STD 780 provide a framework for security risk assessment.
- API STD 1164 provides a framework for pipeline cybersecurity risk assessment.
- Both security and cybersecurity risk assessments can be integrated into an existing pipeline risk model.
- Security and cybersecurity risk assessment will require the integration of new SME information, which traditionally resides outside pipeline integrity departments.
References:
- [1] Department of Transportation - Pipeline and Hazardous Materials Safety Administration, “Docket No. PHMSA–2022–0063 - Potential for Damage to Pipeline Facilities Caused by Earth Movement and Other Geological Hazards,” 87 FR 106, 02 06 2022.
- [2] Pipeline and Hazardous Materials Safety Administration, “Remarks of the Deputy Administrator Tristan Brown Before the American Petroleum Institute Control Room and Cybernetics Conference,” 03 05 2022. [Online]. Available: https://www.phmsa.dot.gov/news/remarks-deputy-administrator-brown-beforeamerican-petroleum-institute-cybernetics-conf.
- [3] E. Hawkins and R. Sutton, “The Potential to Narrow Uncertainty in Regional Climate Predictions,” American Meteorological Society, pp. 1095-1107, August 2009.
- [4] D. Spratt and I. Dunlop, What Lies Beneath, Melbourne, Australia: National Centre for Climate Restoration, 2018.
- [5] Federal Emergency Management Agency, “California Wildfires, Flooding, Mudflows and Debris Flows (DR-4353),” 17 September 2018. [Online]. Available: https://www.fema.gov/disaster/4353.
- [6] SoCalGas, “Case Studies in Multi-Sectoral Resilience to Natural Disasters,” ICF, https://www.socalgas.com/1443742022576/SoCalGas-Case-Studies.pdf, 2022.
- [7] Transportation Security Administration, Pipeline Security Guidelines, Springfield, VA, 2021.
- [8] American Petroleum Institute, API STD 780 - Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, Washington D.C.: American Petroleum Institute, 2018.
- [9] American Petroleum Institute, API STD 1164 - Pipeline Control Systems Cybersecurity, American Petroleum Institute, 2021.
- [10] NIST Joint Task Force, SP 800-37 Rev. 2 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, National Institute of Standards and Technology (NIST), 2018.
Presented at the 35th Pipeline Pigging & Integrity Management Conference, February 2023. Copyright 2023 Clarion Technical Conferences and the authors.
Used with permission.
Author: Eduardo Munoz is a technical authority with nearly 20 years of experience in risk management and integrity assurance for onshore/offshore assets. As principal consultant for Dynamic Risk, he is responsible for the continuous improvement of the risk models and works closely with Technical Services and the clients’ counterparts to provide sound technical solutions.