Protection, detection, reaction: protecting pipelines from cybercrime

Cybercrime is one of the greatest threats of the 21st century. Anyone can be affected: perpetrators can steal identities, distribute hateful messages or incite terrorism.

For the pipeline industry, computer hacking is one of the biggest dangers. Hacking can shut down computer networks, which are critical for the safe operation and monitoring of pipelines.

CEPA members take cybersecurity extremely seriously. Therefore, they seek expertise from outside their companies to ensure the most effective protections are in place.

Brian Masch, Associate Partner, Western Cybersecurity Leader at EY Canada, a global advisory firm, is one of those experts. He has worked as part of the National Energy Cybersecurity team in the U.S. and recently brought his extensive experience to Canada.

“We typically work with companies to assess their current systems, identify strengths and gaps, and to help them find ways to improve or enhance their systems to protect themselves,” said Masch.

“We work with teams to understand the full scope of their cyber demands and identify security control protocols for their data management and security.”


The threats


Any cybersecurity incident can be critical for pipelines, especially to safety and downtime, said Masch.

“There’s loss of revenue, loss of data and property, and an inability to meet customer demands,” he said. “But, more than that, there are safety and environmental issues – especially because of the risk it poses to members of the public and staff, as well as long-term environmental harm.”

“Cyber hackers could neutralize sensors that sense temperature increases, they could cause the temperature to go up, or they could interfere with the opening and closing of valves – just to mention a few of the risks that could occur.”


The approach


When advising pipeline companies, EY bases its cybersecurity approach on three tenets:

Protection: building the right controls to protect from hackers getting in

Detection: detecting when someone is trying to get through those protections

Reaction:  quickly mitigating any exposure, recovering systems and/or data, and minimizing downtime

“In recent years there’s been increased targeting of the pipeline industry. And although there’s been evidence of breaches, it’s been difficult to gather accurate data in the past to confirm, because this information was perceived to be confidential,” Masch said.

“Recent regulatory improvements now allow for more effective information sharing.”


The protection protocol


In putting together protective mechanisms, EY focuses on three areas:

  • People: cybersecurity human resources that are able to keep one step ahead of the hackers
  • Processes: repeatable and sustainable processes to effectively and efficiently manage any threats
  • Technology: availability of current technology and tools, such as data loss prevention tools, to support organizations to put up a robust defense

“Organizations are adding technology to enable business at a fast pace. And every time they introduce new technology they increase the cyber threat risk,” said Masch.


The people factor


The biggest positive impact comes from ensuring that there’s constant awareness of the threats throughout the organization, said Masch.

“That means you’re not just including cybersecurity training in your orientation, you’re making it part of your everyday business.”

“Some companies have begun including awareness activities in their daily safety briefings. They have topic-of-the-month briefings, or posters with useful info, such as the number of days since the last cyber incident.”

Companies must be aware that inadvertent actions, or occasionally intentional ones, can also be a risk within their organizations.

“Recognizing that you’re unlikely to fully stop people from clicking on the wrong link, organizations need to be taking stock of the right tools that not necessarily prevent the breach but allow [companies] to contain it. People are the biggest security, but they’re also the biggest risk.”

Read more about cybersecurity and pipelines on CEPA’s blog: