Canada’s Natural Gas Distribution Network is the Latest Target for Russian Hackers
Once again, more than a decade after NSA contractor Edward Snowden departed the United States with a massive trove of classified documents, a failure of information security imperils US national security. This latest blunder has been well-covered and appears most damaging to Ukraine in its effort to launch a late Spring counteroffensive. The leak of this information deeply hurts the relationship with Kyiv at a critical point in the Ukraine War. The world didn’t need to know that Ukraine might be running down to the bottom of its supply of Surface-to-Air Missiles (SAMs). Ancillary damage has also come with the revelation that the US Intelligence Community continues to spy on allies. The good news is that there’s nothing as damaging as allegations of tapping former German chancellor Angela Merkel’s cell phone. But another item making the rounds from the fifty-odd, folded briefing sheets matters to the energy security component of international geopolitics. Alleged in one of the briefing slides is that a private Russian hacker group boasted that it compromised the security of a Canadian natural gas distribution system. This deserves some attention and background.
Hacking natural gas networks is nothing new. In the lore of cyberattacks against energy targets is the story of a massive pipeline explosion in the Soviet Union. According to a former Reagan administration official, Thomas C. Reed, the US allowed the Soviets to acquire computer hardware that had been subject to a form of tampering before delivery. As per Reed’s account, when the tampered system failed, the result was a catastrophic 1982 pipeline explosion deep inside the Soviet Union. His story made it into the pages of The New York Times in Nixon speechwriter William Safire’s column too. Was it a true account or disinformation? We are left to wonder. But the detonation of natural gas by cyber means remains very much front of mind.
When a major explosion shuttered the Freeport, Texas liquefied natural gas (LNG) terminal on June 8, 2022, a chorus wondered aloud, “Was it cyber?” At Freeport, it most certainly was not. The Pipeline and Hazardous Materials Safety Administration (PHMSA) report on the blast indicated a host of other factors contributing to it, not least deficiencies in valve testing, malfunctioning control room alarms, and electrical wiring. Failures of managerial oversight and an absence of the safety culture ubiquitous in the oil and gas industry can largely be blamed for the incident. Fortunately, no lives were lost, and the terminal is back in operation.
Setting aside Colonial Pipeline, which has been well documented, there have been several cyberattacks against gas infrastructure in the United States. In February 2020, the Department of Homeland Security (DHS) revealed that a pipeline system was temporarily disabled by cyberattack. “The attackers gained access to information technology systems, infecting them with ransomware that jumped to operational technology systems, or OT systems, which control industrial systems in factories, plants and infrastructure.” There was no catastrophic explosion, but service was interrupted for approximately two days.
More troubling in some ways was the cyberattack launched against Latitude Technologies, a provider of services for “electronic data-sharing between pipeline companies and their gas producer and utility customers.” While it was largely dismissed at the time as an attack on a business network, not an industrial control system (ICS) actually moving gas, we know from the Colonial ransomware attack that cyberattacks on business systems can also be detrimental to pipeline operations. The data processing involved in moving liquids or gas is often mated to business systems responsible for processing orders. When the business system fails, so can the ICS.
This brings us to the latest revelation by a leaked, mishandled Top Secret/Signals Intelligence/No Foreign Dissemination (TS/SI/NF) document. Making the rounds along with the rest of the rumpled briefing slides is one that alleges that the Russian Zarya hacking gang gained control of a Canadian gas pipeline computer network. It then reported its success to Russia’s FSB, which is nominally the country’s internal intelligence service. No blasts have been reported. Indeed, the head of the Canadian Gas Association stated to the Globe and Mail that he was “not aware of any compromised gas distribution infrastructure in this country or of an attack on it by hackers.”
Nonetheless, there is significant concern in the ever-growing energy cybersecurity community over the report. That it showed up in the leaked documents gives it some credence; however, remember that several of these documents appear doctored, potentially by the FSB or other Russian intelligence services. Such a hack would be of greatest interest to the Russian GRU, which generally holds responsibility for cyberattacks designed to break things, like the one aimed at the Ukrainian electrical grid in 2015. We have not seen a new release from the Cybersecurity and Infrastructure Security Agency (CISA) on the Canadian matter. So, other than the possibly doctored slide, we don’t have much to go on. Additionally, information is not likely to trickle out due to the level of classification now labeling pipeline and other energy cyberattack activity. On this one, we will not likely know more anytime soon.
Hacks on gas are typically sensationalized because gas explosions can be both catastrophic and deadly. The 1989 Ufa train disaster, in which propane and butane leaked from a faulty pipeline and pooled around a railway line and detonated, is an exemplar. Sparks from the train triggered the explosion, killing at least 575 and wounding nearly twice as many. Islamic State confederates hoped to trigger a catastrophic blast at the then-Statoil gas production center at In Amenas, Algeria in 2013. Fortunately, their trigger-happy behavior led to an electrical short venting the gas trains. Here is the bottom line. If ever there was a target for cyberterrorism, natural gas would be the exemplar. The UH-Rice Atlantic Council Cyber 9/12 team competed on a scenario related to this area (and took second place!). Hacks on gas are scary because gas is volatile. This is why the Biden Administration continues to push into regulatory territory on cybersecurity and energy.
This post originally appeared in the Forbes blog on Apr. 13, 2023.