Saturday, February 19, 2011

TSA Pipeline Threat Assessment

[SECURITY WARNING: various government agencies have warned employees and contractors that accessing limited distribution documents via open sources may be considered a violation of security policies. Keep that in mind when opening the first two links in this post.]

Yesterday the folks at posted an excerpt from the January 2011 report by the TSA Office of Intelligence on their assessment of the risk of a terrorist attack on the US pipeline industry, with a link to the entire document. The unclassified, for-official-use-only (FOUO) document is based, at least in part, upon open-source intelligence information collected from January through October 2010. Generally speaking, TSA-OI reports “with high confidence that the terrorist threat to the U.S. pipeline industry is low” (pg 3).

A closer reading of the document shows the limitations that the intelligence analyst has to work under when preparing a threat analysis like this.

Credible Threats

First off, the report clearly states that al-Qa’ida (apparently the current rendering of the Arabic into English of the name of our best known terrorist adversary) has expressed an interest in conducting (or having someone conduct) attacks on pipeline or other energy related assets in the United States. It also notes that eco-terrorists, lone wolf attackers, and disgruntled insiders all pose a potential threat to these pipelines.

While reporting that TSA knows of potential actors that might be interested in conducting terrorist attacks on pipeline interests in the United States, the report states:

“TSA-OI has no specific or credible threat information indicating that violent transnational extremist groups or domestic extremists are actively plotting [emphasis added] to conduct attacks on the U.S. pipeline industry”

The problem with that statement is that the US Intelligence community has demonstrated singularly little capability to infiltrate these extremist groups. The FBI has been able to identify and ‘assist’ a number of individuals and small groups of local wackos that have had plans to conduct a variety of attacks over the last couple of years, but we have seen no reports [even I have to use these intelligence weenie caveats] of any significant human intelligence penetration of the target organizations.

The extensive technical intelligence collection capabilities that the US developed in its post-WWII conflict with the Soviet Union (reconnaissance satellites and electronic intercept capability) have been of little use against sophisticated terrorists since 9-11. Early successes at intercepting communications were negated when politicians publicly bragged about listening in on satellite-phone conversations between al Qaeda planners.

So the ‘lack of credible threat information’ is, to my mind, not that good an indicator of terrorist intentions as many in the intelligence community would like people to believe. It is certainly a piece of information that must be included in the analysis, but it should not be the primary indicator of threat intentions.

Missing Information

The other limitation is the timeliness of this report. The publication date is January 18, 2011, yet the document notes that the intelligence reports it uses covered the period of January to October 2010 (to be fair, the ‘Endnotes’ page lists one source with a later date: the TSA Suspicious Activity Database, December 3rd, 2010). The time lag certainly had little to do with the process of writing this document and more with the political approval process before it could be shared with the private sector.

The early cut-off date for the intelligence makes it almost certain that the most important information about the Stuxnet malware did not have a chance to influence the brief discussion in this report about cyber security. Stuxnet was mentioned, but was passed over as being more of academic interest because it was beyond the capability of al Qaeda to use such sophisticated attack tools. Later Stuxnet reports tend to indicate that the development of Stuxnet required advanced cyber capabilities, but that subsequent use of the tools made available by that worm would be well within the capabilities of anyone that understood the physical processes being attacked. Oil and gas processing and pipeline operations are well understood by many of the engineers associated with al Qaeda.

The early cut-off date for information on worldwide attacks on pipelines also meant that there was no mention in this report of a series of attacks on remote Canadian gas pipelines from 2008-9 (almost certainly a lone wacko) and some spectacular (physically, politically and economically) attacks on oil pipelines in Mexico from the same time period, attacks attributed variously to native rebel groups, the drug cartels or a combination of the two. Both of these sets of attacks are much more relevant to a discussion of US pipeline security than the politico-economic attacks in Nigeria.

Night Dragon Impact

Of course the most important piece of intelligence information directly applicable to this report broke publicly after the publication date, so the TSA-OI people can be excused for not including it in their analysis. I’m talking, of course, about the ‘Night Dragon’ report. The extensive compromise of oil and gas industry computer systems, reportedly including SCADA systems, changes the whole potential for cyber attacks on pipeline control systems by a wide variety of potential antagonists, including terrorists, criminals, foreign government agents and even commodity speculators. Hopefully TSA-OI will issue an emergency advisory dealing with that potentiality in the not too distant future.

I have no great hopes for that; there are very few people in the intelligence community in general, and almost certainly none at TSA that would understand control system vulnerabilities. That’s not a slam against TSA or the intelligence community in general. There are not that many people in the world that really understand control system engineering and they’re making more money in industry than the government could pay.

Besides, TSA deals with transportation security and everyone knows that there are no cyber control systems employed in the transportation industry; outside of pipeline control rooms, railroad positive train control (PTC) systems, the FAA, various vehicle control systems…. Hmm; maybe the TSA needs to get some control system experts too.

How Vulnerable are Pipelines?

So how good is the conclusion of this report? It feels like an underestimation of the threat to me, but don’t ask me to prove it. I’m smart enough to know that I don’t have enough information to predict the intentions of any one of a number of potential terrorist adversaries. I doubt that anyone does. And that includes the various intelligence agencies that are required to make such predictions.

During my brief stint working in tactical intelligence in the Army, I quickly had it beat into my head that predicting enemy intentions was akin to reading a crystal ball. You provided the Commander with information about enemy capabilities and described what that particular enemy had done in similar situations in the past. And you knew that the best commanders would do something unpredictable; that’s what made them good. So you kept watching, tasking people to look for specific indicators, and hoped that you didn’t miss anything.

The one major thing that is missing from this threat assessment is an analysis of potential consequences of a terrorist attack. What would happen to the economy if a major fuel pipeline pumping station were successfully attacked and destroyed? What would the consequences be if an anhydrous ammonia pipeline in the Tampa, FL area were attacked where it crossed, above ground, a river? What would happen if a natural gas pipeline control system were directed to over-pressurize long stretches of urban pipelines?

The answer to these questions would tend to put the ‘conclusion’ of this report in proper perspective. The threat may be low (I don’t think so, but it may be), but the potential consequences are high. We can’t dismiss the risk just because the threat is rated low, knowing what we don’t know about the adversary’s intentions, and knowing what the potential consequences really are.
