Sabotage
The risk of sabotage is difficult to fully assess because such threats are so situation specific and subject to rapid change. The assessment is usually subject to a great deal of uncertainty. Nonetheless, the potential exists for most pipeline systems and should not be ignored. It is recommended that the sabotage threat be included as a stand-alone assessment. As an intentional, rather than accidental, event, it represents a unique type of threat that is independent of and additive to other threats.
The likelihood of a pipeline system becoming a target of sabotage is a function of many variables, including the relationship of the pipeline owner with the community and with its own employees or former employees. Vulnerability to attack is another aspect. In general, the pipeline system is not thought to be more vulnerable than other municipal systems. The motivation behind a potential sabotage episode would, to a great extent, determine whether or not this pipeline is targeted. Reaction to a specific threat would therefore be very situation specific. Note that some already-discussed risk variables and possible risk reduction measures overlap the variables and measures that are normally examined in dealing with sabotage threats. These include security measures, accessibility issues, training, safety systems, and patrol.
The exposure level to a sabotage event can first be assessed based on the current socio-political environment in the area of the pipeline as well as inside the pipeline company itself. Then a damage potential can be estimated, based on the presence of mitigating measures. Finally, the ability of the component to resist the attack is estimated.
Guidance documents concerning vulnerability assessments for municipal water systems are available and provide insights into the threat.
Attack potential
To assess the attack potential, the definition of ‘failure’ used for the risk assessment must first be reviewed. If the risk assessment is strictly leak/rupture based, then exposure events are clear: they must threaten integrity. Attacks unrelated to integrity issues can be included in the risk assessment, but must be acknowledged in the ‘failure’ definition, in order that exposure, mitigation, and resistance values can be assigned. For example, if an event of interest is a cyber attack intended to steal company-sensitive information (perhaps to give competitive advantage to the thief), that type of event can be included in the definition of ‘failure’.
When failure also includes service interruption, then identifying exposure events becomes more challenging. Although there is much overlap, the focus in this chapter will generally be on the former—threats related to leak/rupture potential. See for a discussion of the latter.
Sabotage can be thought of as an intentional third-party damage event. Sabotage often has complex socio-political underpinnings. As such, the likelihood of incidents is usually difficult to judge. Even under higher likelihood situations, mitigative actions, both direct and indirect, are possible.
Vandalism can be considered a type of sabotage. However, defacing (for example, spray painting) or minor theft of materials are exposures that are readily resisted by most pipeline components. If the sabotage exposure count includes vandalism events, then resistance estimates must consider the fraction of exposure events that are vandalism spray-paint-type events and therefore 100% resisted by the component. With the possible exception of instrumentation or control systems, pipeline components are generally more resistant to vandalism than to sabotage. Again, the definition of ‘failure’ governs how events are included in the risk assessment.
Cyber Attacks
Cyber security is a more recent consideration for pipelines. Historically, pipeline electronic systems were thought to be relatively immune to such attack for several reasons:
- Most critical operations such as valve open/close, pump start, etc, required human physical interaction.
- Control systems were isolated; in particular, they were separate from the Internet.
- Redundancies in control and safety devices prevented malicious threats to integrity, if not also to continuous operation (ie, no flow interruptions).
- The control systems were difficult to understand by outsiders.
- Little damage potential beyond nuisance data interruptions was foreseen.
Today, remote sensing, automation, and interconnectivity are prevalent among control systems. Vulnerability, as well as the availability and value of information moving through cyber systems, is much higher than in years past.
Pipeline equipment commonly used and vulnerable, to varying degrees, to cyber attack include components of systems with labels such as:
- PLC (programmable logic controller)
- DCS (distributed control systems)
- SCADA (supervisory control and data acquisition)
- PCS (process control system)
- ICS (industrial control system).
Related to both cyber security and service interruption is the potential use of directed energy weapons, including electromagnetic pulse devices that can destroy electronic components. Such pulses are also naturally occurring (see ). When weaponized, a small, perhaps briefcase-sized, device can be placed in proximity (perhaps outside a fenceline) to a surface facility and, when ‘detonated’, cause significant damage. Some older analog-style electronics are relatively immune, and more vulnerable components can be ‘hardened’ to defend against such attacks.
A sometimes complex chain of events needs to be identified and scrutinized to fully understand certain failure scenarios involving failures of electronic components. Most pipeline facilities employ ‘failsafe’ protocols whereby single or even multiple instrumentation failures may interrupt service but do not threaten integrity.
The ability to orchestrate a failure (by whatever definition of ‘failure’ is being used in the risk assessment) through a component of such cyber-systems should be identified. This may require a special group of SMEs using thorough scenario-generation techniques such as HAZOPS. Susceptible components must then be linked to portions of the pipeline system, since the origination of the sabotage event may be different from the point of failure on the pipeline. For example, an attack on a SCADA system’s central computer may trigger a valve closure impacting a specific portion of a certain pipeline system.
Once susceptible components are identified and associated with pipeline system failure points, the frequency of potential attacks should be estimated. Several types of potential cyber attackers and their possible motivations are identified [1010]:
- Garden variety hacker: hobby, notoriety, nuisance
- Hacktivist: support cause, disrupt or delay project, discredit company, personal agenda
- Cyber-criminal: financial or competitive gain, business disruption, market impact, service for hire, sales of information
- Nation state: intellectual property theft, political agenda, economic gain, disrupt, degrade, or destroy systems.
To the extent that they are consistent with the definition of ‘failure’ guiding the risk assessment, the contribution from each of these should be included in the sabotage exposure estimate. Even if thought to be ‘insignificant’, a value reflecting the best estimate of future frequency of events should still be included in the risk assessment.
Exposure Estimates
In the absence of strong, quantitative data, qualitative descriptors could be linked to exposure frequencies as a starting point in the risk assessment. PRMM provides a sample of such qualitative descriptors. A sample of a quantitative range estimate (future event frequencies) is associated with those descriptors as follows:
- Low attack probability: P90 exposure frequency is less than 0.001 events per km-yr on buried portions; perhaps 10 to 100 times higher for surface facilities. Indications of impending threats are nonexistent or very minimal. The intent or resources of possible perpetrators are such that real damage to facilities is only a very remote possibility. No attacks other than random (not company or industry specific) mischief have occurred in recent history. Simple vandalism such as spray painting and occasional theft of non-strategic items (building materials, hand tools, chains, etc.) may also warrant this exposure level.
- Medium probability: P90 exposure frequency = 0.01 to 0.1 events per km-yr on buried portions; perhaps 10 to 100 times higher for surface facilities. A credible threat exists. Attacks on this company or similar operations have occurred in the past few years and/or conditions exist that could cause a flare-up of attacks at any time. Attacks may tend to be propagated by individuals rather than organizations or otherwise lack the full measure of resources that a well-organized and resourced saboteur may have.
- High probability: P90 exposure frequency = 0.1 to 10 events per km-yr on buried portions; perhaps 10 to 100 times higher for surface facilities. Threat is known and significant. Attacks are an ongoing concern. There is a clear and present danger to facilities or personnel. Conditions under which attacks occur continue to exist (no successful negotiations, no alleviation of grievances that are prompting the hostility). Attacks are seen to be the work of organized guerrilla groups or other well-organized, resourced, and experienced saboteurs.
These are samples only. In any specific situation, actual values may be orders of magnitude higher or lower. Actual situations will always be more complex than what is listed in these highly generalized probability descriptions. A more rigorous assessment examines location-specific aspects of attack potential.
A less obvious, less newsworthy (at least less ‘headlines-grabbing’), but potentially dramatically consequential attack potential lies in sabotage to a corrosion control system. As discussed in the corrosion threat assessment, CP systems are commonly used to protect buried structures from corrosion. These systems are readily converted into damage-causing rather than damage-preventing systems. Simply reversing the polarity on a rectifier can convert the previously protected metal into an anode, causing rapid corrosion. Since thousands of miles of pipe, tanks, foundations, and other critical infrastructure are protected by CP systems, there is great vulnerability. Being hidden from sight, the damage would typically not become apparent until leaks began, at which time extensive and widespread damage may have occurred. Sensitivity to this potential is the first opportunity for prevention. Continuous monitoring via SCADA, additional oversight, and device security are among defense options.
Sabotage mitigations
As the potential for an attack increases, preventive measures become more important. However, any mitigating measure can be overcome by determined saboteurs. Therefore, the probability can only be reduced by mitigation, rarely eliminated. Most anti-sabotage measures will be highly situation specific. The designer of the threat assessment should assign values based on experience, judgment, and data, when available.
Evaluating the potential for sabotage will often also assess the host country’s ability to assist in preventing damage. Sabotage reduction measures are generally available to the pipeline owner/operator in addition to any support provided by the host country.
Some mitigation measures are specifically designed and installed to prevent sabotage while others are measures that happen to help prevent sabotage while performing another function. Considerations for happenstance mitigative benefits from barriers, detection, and others may also be appropriate. For example:
- Patrolling—A high visibility patrol may act as a deterrent to a casual aggressor; a low-visibility patrol might catch an act in progress.
- Station visits—Regular visits by employees who can quickly spot irregularities such as forced entry, tampering with equipment, etc., can be a deterrent.
- Varying the times of patrol and inspection can make observation more difficult to avoid.
- Monitoring equipment including motion sensors, infrared video, sound detectors, and others.
- Depth of cover—Perhaps a deterrent in extreme cases—ie, >10’ of cover—but a few more inches of cover will probably not dissuade a serious perpetrator.
- ROW condition—Clear ROW makes spotting of potential trouble easier, but also makes the pipeline a target that is easier to find and access.
Sabotage prevention benefits from third-party access barriers, including railings, 6-ft chain-link fence, barbed wire, walls, ditches, chains, locks, and others. Also available are various station security detection systems and equipment, including gas/flame detectors, motion detectors, audio/video surveillance, and station lighting systems, including security and perimeter systems covering equipment and working areas.
Beyond mitigation measures designed for an operating facility, other sabotage prevention measures are available to the operating company. For instance, during construction:
- Materials and equipment are secured; extra inspection is employed.
- 24-hour-per-day guarding and inspection
- Employment of several trained, trustworthy inspectors
- Screened, loyal workforce—perhaps brought in from another location
- System of checks for material handling
- Otherwise careful attention to security through thorough planning of all job aspects.
An opportunity to combat sabotage also exists in the training of company employees. Alerting them to common sabotage methods, possible situations that can lead to attacks (disgruntled present and former employees, recruitment activities by saboteurs, etc.), and suspicious activities in general will improve vigilance. Other human resources opportunities for threat mitigation include the installation of deterrents.
A number of obstacles to internal sabotage can be considered mitigation measures against attacks that may otherwise occur. Common deterrents include:
- Thorough screening of new employees
- Limiting access to the most sensitive areas
- Identification badges
- Training of all employees to be alert to suspicious activities.
Types of Mitigation
Several potential sabotage-specific mitigating measures are discussed in PRMM. These include:
- Community Partnering
- Intelligence
- Security Forces
- Resolve
- Industry Cooperation
- Facility Accessibility (barrier preventions, detection preventions).
Community partnering
Supporting communities near to the pipeline by building roads, schools, hospitals, etc. can change the dynamics of a company’s relationship to the local population. This is done not only to become a good neighbor and dissuade some would-be attackers, but also to enlist allies, adding to the eyes and ears interested in preserving the assets. See PRMM.
Similarly, efforts to avoid disgruntled employees or former employees are an analogous mitigation.
While some might view such activities as a change in exposure, rather than a mitigation, consider that the attack potential is the starting point and is normally the result of local geopolitical history. The community partnering program intervenes in this attack potential and therefore can be viewed as a mitigation. In some cases, this variable could command a relatively high percentage of possible mitigation benefits—perhaps 20–70%.
Intelligence Gathering
Gathering of intelligence regarding potential attacks is commonplace among some corporate security departments. See PRMM.
Effectiveness of intelligence gathering is difficult to measure and can change quickly as fleeting and time-sensitive sources of information appear and disappear. To the extent that the company is able to reliably and regularly obtain information that is applicable in preventing or reducing acts of sabotage, real risk mitigation occurs.
In a preliminary assessment of this mitigation measure, a simple ratio can be used:
Mitigation effectiveness = (number of acts interrupted through intelligence gathering efforts) ÷ (number of acts attempted)
For example, if it is believed that three acts were avoided (due to forewarning) and eight acts occurred (even if unsuccessful, they should be counted), then 3/11 = 27% may be an appropriate mitigation effectiveness value.
Security
Security can take many forms including barriers and accessibility issues, as discussed elsewhere. A security force is another potential mitigation measure. The effectiveness of security measures will be situation specific.
Resolve
As discussed in PRMM, a well-publicized intention to protect the company’s facilities may be a deterrent and hence can be included as a mitigation measure in a risk assessment.
Industry cooperation
As noted in PRMM, sharing of intelligence, training employees to watch neighboring facilities (and, hence, multiplying the patrol effectiveness), sharing of special patrols or guards, sharing of detection devices, etc., are benefits derived from cooperation between companies.
Facility accessibility
PRMM describes numerous aspects of accessibility that influence sabotage potential. Attacks will often occur at the readily accessible (most visible and often more vulnerable) targets, which are often surface facilities. While a buried pipeline is indeed relatively inaccessible, one common component is a possible exception: portions of a buried pipeline that are encased in a casing pipe can be more vulnerable to sabotage than directly buried pipe. The vulnerability arises from the common use of vent pipes attached to the casing that provide a route to the carrier pipe from the surface.
Casing vent pipes have historically been used by would-be saboteurs as opportunities to access a carrier pipe. An explosive charge, dropped into a vent pipe, can then detonate against the carrier pipe. Some companies employ design features to prevent intentional and unintentional objects from moving down a vent line to the carrier pipe.
Estimating Effectiveness
As with the estimate of exposure, estimating mitigation effectiveness will necessarily be quite judgmental in many cases. In all assignments of effectiveness, the assessment should carefully consider the “real-world” effectiveness of the anti-sabotage measure. Factors such as training and professionalism of personnel, maintenance and sensitivity of devices, and response time to situations are all critical to the usefulness of most mitigation measures.
The exposures can be offset in the assessment by compiling the effectiveness of all mitigative conditions within the conservatism of the PXX chosen. Preventive measures at each facility can sometimes bring the damage potential nearly to the point of having no such facilities. This is consistent with the idea that “no exposure” will have less risk than “mitigated exposure,” regardless of the robustness of the mitigation measures. From a practical standpoint, this allows the pipeline owner to minimize the risk in a number of ways because several means are available to achieve the highest level of preventive measures to offset the exposure level for the surface facility. However, it also shows that even with many preventions in place, the hazard has not been completely removed.
Resistance
Some sabotage attacks will be unsuccessful not through mitigation—preventing the attack from reaching the component—but rather through the component’s resistance. Paralleling the resistance to other external damage mechanisms such as impacts and earth movement, components more able to absorb forces from sabotage attacks will fail less often when damaged.
Earlier, a distinction was made between vandalism and sabotage. The former often includes defacing, theft, and other activities that are not normally direct threats to integrity or even service continuity. Such acts are more readily resisted by the normal designed strength of most components. The ‘sabotage’ term is reserved for the actions more focused on causing at least service interruption if not also leak/rupture. With a more deliberate attempt to cause significant damage, the ability to resist damages is less certain. It is often conservatively assumed that a determined attacker will eventually be able to inflict damage on a system as difficult to protect as a long pipeline.
Consequence considerations
The probability of more severe consequences may be increased by an intentional and possibly orchestrated release of pipeline contents. The integrity breach may be more likely to cause a rupture rather than a leak, and the timing and subsequent chain of events may be influenced by human interaction seeking to exacerbate the scenario. An attacker could time an event for maximum occupancies in surrounding areas or for more problematic emergency response, or could even directly interfere with emergency response in numerous ways.
Fortunately, it is difficult to orchestrate worst-case pipeline failure events via sabotage, unless significant outside force (weaponry) is deployed against a visible component. Even if, despite numerous safeguards, an integrity breach is created, it would be difficult to maximize the ensuing consequences—ie, ensuring ignition at an optimum time, with receptor proximity, etc.
Nonetheless, it is often prudent to conservatively assume that, in the case of sabotage, there is a greater likelihood of the consequences being more severe. That worst case scenarios possibly occur more frequently under the threat of sabotage is a conservative and reasonable assumption.
Consider also the less dramatic but highly costly sabotage scenarios. Leaks below detection limits, continuing for long periods of time, may cause extensive environmental damage and costly or impossible remediation. Interference with corrosion control systems could cause widespread, difficult-to-detect damage that, if allowed to accumulate over time, may cause widespread environmental damage and require extensive infrastructure replacements.
Planning and preparation for repair and replacement can minimize the impact of attacks. This strategy concentrates on reducing consequences (service interruption) rather than PoF reduction through defensive means. The demonstrated ability to recover quickly and efficiently from any possible damage done by an attack may reduce the incentive of potential saboteurs. There are real examples of this approach. After years of attempting to protect a long pipeline, one owner changed strategies and instead assembled spare parts and rapid response capabilities. These costs were offset by the savings from reduced attempts to protect all locations. With a maximum outage period of two days for even the most successful attacks, the damage to company business was minimized and sabotage events dropped significantly. This strategy will have the added benefit of reducing consequences from any other type of failure mechanism and is assessed in the cost of service interruption.
Sabotage Assessment
The following example begins with a scenario proposed in PRMM and adds more quantifications, consistent with a newer risk assessment methodology.
The pipeline system for this example has experienced episodes of spray painting on facilities in urban areas and rifle shooting of pipeline markers in rural areas. The community in general seems to be accepting of, or at least indifferent to, the presence of the pipeline. There are no labor disputes or workforce reductions occurring in the company. There are no visible protests against the company in general or the pipeline facilities specifically. The evaluator sees no serious ongoing threat from sabotage or serious vandalism. The painting and shooting are seen as random acts, not targeted attempts to disrupt the pipeline.
Nonetheless, the P99 risk assessment includes the following threat and consequence analyses:
- An estimated near term exposure of 0.5 events per year at an aboveground location and an estimated 20% mitigation effectiveness is assigned. The associated damage probability is assessed to be 0.5 x (1 – 20%) = 0.4 events per year. A resistance value of 50% is used, yielding a PoF = 0.2 failures/year, or a failure every 5 years.
- Consequences, including service interruption costs, are estimated to be $32K per incident based on a collection of P99 scenarios of damage potential. This leads to a near term expected loss of 0.2 events/year x $32K/event = $6.4K/year. This value is carried to risk management meetings to determine appropriate reactions to this conservatively estimated short term risk.
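The arithmetic of this worked example, together with the intelligence-gathering ratio and the sample P90 exposure descriptors from the Exposure Estimates section, as an added example (not code from PRMM or the book). The rule for combining several mitigation measures into one effectiveness value is an assumption: the chapter says to compile all mitigative conditions but does not state how.

```python
"""Sabotage threat arithmetic: exposure -> mitigation -> resistance -> PoF -> expected loss.

Added illustration of the chapter's calculation chain; not the book's own code.
"""

# Sample P90 exposure ranges from the chapter's qualitative descriptors,
# in events per km-yr on buried portions (low, high).
BURIED_P90_RANGE = {
    "low": (0.0, 0.001),
    "medium": (0.01, 0.1),
    "high": (0.1, 10.0),
}


def buried_exposure(level, length_km):
    """Conservative annual exposure for a buried segment: the upper bound of
    the descriptor's P90 range times segment length (events per year)."""
    if length_km < 0:
        raise ValueError("segment length must be non-negative")
    _, high = BURIED_P90_RANGE[level]
    return high * length_km


def intelligence_effectiveness(acts_avoided, acts_occurred):
    """Chapter's preliminary ratio: acts interrupted by forewarning divided by
    all acts attempted (avoided + occurred, unsuccessful ones included)."""
    attempted = acts_avoided + acts_occurred
    if attempted == 0:
        return 0.0  # no history: claim no credit rather than divide by zero
    return acts_avoided / attempted


def combined_mitigation(effectivenesses):
    """Assumption: independent measures combine as 1 - prod(1 - e_i), so two
    20% measures give 36%, not 40%. Each e_i is a fraction in [0, 1]."""
    remaining = 1.0
    for e in effectivenesses:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness {e} is not a fraction in [0, 1]")
        remaining *= 1.0 - e
    return 1.0 - remaining


def probability_of_failure(exposure, mitigation, resistance):
    """PoF per year: exposure reduced by mitigation (damage probability),
    then by the component's resistance."""
    damage_probability = exposure * (1.0 - mitigation)
    return damage_probability * (1.0 - resistance)


def expected_loss(pof, consequence_per_event):
    """Near-term expected loss per year, the value carried to risk management."""
    return pof * consequence_per_event


def chapter_example():
    """The aboveground location of the worked example: 0.5 events/yr,
    20% mitigation, 50% resistance, $32K per incident."""
    pof = probability_of_failure(0.5, 0.20, 0.50)  # 0.2 failures/yr
    return {
        "pof_per_year": pof,
        "years_between_failures": 1.0 / pof,       # one failure every 5 years
        "expected_loss_per_year": expected_loss(pof, 32_000),  # $6.4K/yr
    }


if __name__ == "__main__":
    for key, value in chapter_example().items():
        print(f"{key}: {value:g}")
    print(f"intelligence ratio (3 avoided, 8 occurred): "
          f"{intelligence_effectiveness(3, 8):.0%}")
```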
As part of the risk management discussion prompted by this assessment, a related decision is made to address the potential for sabotage during future construction. This is to be addressed primarily via additional inspection and monitoring during installation and a robust post-installation ILI.