Abstract
The study of energy sector security is in flux. A traditional focus on exploring the nexus between terrorism and physical energy infrastructure has given way to a new and specific emphasis on cyber attacks targeting electrical power grids. A noticeable gap in the literature exists in terms of presenting a more comprehensive assessment of the general threat environment. Our paper, and the larger project from which it stems, intends to fill this void and prompt more nuanced and empirically driven research on the topic that informs Canadian security policy. Our findings are informed by interviews conducted with American and Canadian energy sector officials, and a questionnaire carried out with energy sector companies. By examining a broader suite of disruptive threats to the energy sector, we paint a more inclusive picture of the many gateways through which the energy sector could be targeted.
Introduction
On 29 January 2019, US Director of Intelligence Daniel R. Coats presented the Worldwide Threat Assessment of the US Intelligence Community to the Senate Select Committee on Intelligence. In addition to highlighting expected concerns of America’s national security community such as terrorism, organized crime, weapons of mass destruction, and electoral interference, the report also emphasized threats to an area which receives comparatively little attention—the energy sector. With a standalone section dedicated specifically to economics and energy, the report provides a glimpse into the increased attention America’s national security community is paying not only to the potential risks of changing international energy markets, production, and demand, but to kinetic threats facing critical energy infrastructure in the US. Similarly, other countries around the world have signalled their intent to pay greater attention to this issue. Canada, for example, specifically mentions the energy sector in its National Cross Sector Forum 2018–2020 Action Plan for Critical Infrastructure and its 2018 National Cyber Security Strategy, while the UK, New Zealand, Australia, and others are pursuing a mix of regulatory, information-sharing, and governance changes to better address their respective threat environments.
While many of these disparate initiatives are described as being reflective of “all hazards” (e.g. focusing on a wide range of threats and challenges to critical infrastructure), there is a clear prioritization of cyber attacks, particularly those targeting the electrical grid. The US, for example, in the aforementioned report, discusses its concern about Russia having the “ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours.” 1 Former Department of Homeland Security Secretary Kirstjen Nielsen has echoed this challenge, stating: “An attack on a single tech company, for instance, can rapidly spiral into a crisis affecting the energy grid.” 2 And US President Donald Trump signed Executive Order (EO) 13800 in May 2017, ordering the federal government to prepare for cyber attacks targeting America’s power grid. 3
The energy sector’s emphasis on grid security and defence against digitized attacks is entirely expected, appropriate, and justified given the recent surge in offensive cyber operations and other forms of cyber attack conducted by state and non-state actors targeting power grids and other critical infrastructure, but the energy sector as a whole continues to grapple with numerous other threat vectors that seem to be comparatively overlooked and under-assessed. Because of a continued overemphasis on cyber grid protection, both state and non-state adversaries could pivot to less protected elements of the energy sector where attacks may prove to be equally, if not more, destructive. The purpose of our paper is thus twofold. First, by examining a broader suite of malicious disruptive and damaging threats to the energy sector, inclusive of terrorist attacks and cyber attacks, we paint a more comprehensive and inclusive picture of the many gateways through which the energy sector has been, and could be, targeted. 4 Second, having assessed these diverse risks, we offer two separate sets of recommendations—foundational and operational in nature—that industry and government stakeholders might consider in their approach to commercial and national security. Our findings are informed by a series of scoping interviews conducted with American and Canadian energy sector officials and a questionnaire carried out with energy sector companies. 5
Ultimately, by highlighting the numerous ways in which global energy assets (pipelines, nuclear facilities, electrical grids, production facilities, etc.) have been, or could be, targeted, this paper sheds light on a wider range of threats than has generally been presented in the literature, to inform global policy development, while simultaneously contributing to an area of academic literature which has been largely neglected. Given the strategic importance of energy resources and infrastructure to the world’s largest economies—Canada’s included—the sector has been, and will continue to be, a strategically appealing target for many malicious actors looking to advance their own agendas through nefarious means. By reminding readers of these realities, this paper informs and motivates industry and government to take a more proactive stance on these issues, and create strengthened security frameworks to protect these fundamentally critical assets, networks, and systems.
Structurally, our argument unfolds in four sections. We begin with a summary of the academic literature on physical and digital attacks targeting the energy sector, while touching on the general body of work that explores broader vulnerabilities throughout Canada’s critical infrastructure (CI) landscape (e.g. decentralized CI sectors and responsibilities, lacking leadership, poor planning, etc.). Generally speaking, these issues represent a broader, overarching category of weaknesses that impact Canada’s energy sector and augment the risks posed by everything from terrorist and cyber attacks to natural disasters and industrial accidents. The rationale here is to outline the general ways in which this topic has been approached to date, while also identifying the gap our research intends to address. Next, the paper presents a high-level empirical overview of the various ways in which the energy sector has been attacked globally, with a view to better conceive, approach, and refine energy sector safeguards and security. In the third section of the paper, we detail our findings from the En-Threat Project, providing summaries of the interview and questionnaire data. The fourth section, functioning as our conclusion, provides potential policy options and thoughts for further research.
What the literature doesn’t say: Research gaps on energy sector attacks
At a glance, the relatively small body of scholarly literature and reporting on energy-specific attacks and threats has experienced a sort of ebb and flow, reflective of real-world events, some energy related, some not. However, al-Qaeda’s 2001 terrorist attack on the United States as well as Russia’s attack on Ukraine’s electrical grid in 2015 represent the two most significant events which fundamentally changed how people thought of energy infrastructure security, and how these anxieties were expressed and represented throughout the literature. Though cliché, the literature on energy security is largely divided into two periods—post 9/11 and post Ukraine. Naturally, following 9/11, there was a noticeable increase in scholarly work assessing the nexus between critical infrastructure protection and physical terrorist attacks, with specific emphasis on the strategic thinking and operational abilities of al-Qaeda. 6 Generally, these works point to the thinking of the al-Qaeda leadership as detailed through various proclamations and intelligence reports in potentially targeting critical energy sites such as US nuclear facilities, as well as lesser-known attacks the group and their affiliate organizations had actually carried out on energy infrastructure throughout the Middle East and North Africa.
In and around this post-9/11 period, relatively loose attempts to create a theory, or at least theoretical parameters, for what constitutes “energy terrorism” began to emerge. For example, Ali Koknar suggests that the concept of energy sector terrorism is not narrowly limited to armed attacks on major energy infrastructure, but rather that it ought to account for a wider range of activities such as theft or sabotage, extortion, and support to any groups involved with these activities. 7 Relatedly, Tamara Makarenko identifies seven categories of terrorist attacks to the energy sector, reflecting a wide range of threat vectors and varying levels of severity. 8 First, Makarenko identifies bomb attacks on pipelines as being among the most easily carried out, while rendering the largest impact. In a sense, this type of attack represents the biggest “bang for your buck” to terrorists. Second, and very much in line with the first type of attack, are sabotage attacks on pipelines, with the objective of causing downstream economic losses to the state. Makarenko then highlights attacks on petroleum company offices as the third type of attack that ought to be considered, despite these cases being relatively infrequent and inefficient. Attacks on depots, storage facilities, refineries, and downstream assets are the fourth type of attack captured under energy sector terrorism. The fifth type includes raiding or hijacking energy facilities, which may or may not include hostage-taking. At the time of Makarenko’s writing (2003), these types of attacks were relatively infrequent, or perhaps nearly unheard of. The sixth type of attack involves direct militant attacks on oil and gas facilities with the aim of incurring casualties, and the seventh involves kidnapping of persons employed at these types of facilities and plants.
Aside from these works, and potentially a very small handful of other theoretical articles and/or related research on this topic, the largest segment of literature throughout this post-9/11 period relates to the strategic appeal of striking US and allied energy infrastructure for major terrorist groups, particularly al-Qaeda, and what these types of attacks might look like if attempted or successfully carried out. For example, Jan Fedorowicz discusses why terrorist organizations, specifically al-Qaeda, choose to attack certain energy sites and infrastructure over others, and when. He suggests that traditionally, terrorist groups look for damaging impacts that are “potentially global” in nature, and that “attacks on some piece of energy infrastructure are not as appealing as high-profile civilian devastation unless they cross a threshold where rather than being lost in obscurity, they can damage particular regimes, drive up energy prices, or slow down entire economies.” 9 Similarly, Martin Rudner focused on al-Qaeda in his 2009 article “Protecting Canada’s critical national infrastructure from terrorism: Mapping a proactive strategy for energy security.” Rudner discusses al-Qaeda doctrine, ideology, and motivations at length, writing that al-Qaeda’s strategy of targeting energy infrastructure and resources is “economic jihad aimed at ‘infidel’ countries, first and foremost the United States, so as to damage and weaken their industrial, financial, and military capabilities to resist the Islamist onslaught.” 10 Years later, in his Foreign Policy article “Osama’s oil obsession,” Daveed Gartenstein-Ross discusses al-Qaeda’s strategic interests, and specifically Osama bin Laden’s, in targeting critical oil hubs in Saudi Arabia. The strategy, he argues, revolves primarily around the US “addiction” to oil, and American enemies looking to cripple US and allied economies through disrupting both international access to oil, as well as energy prices and markets. 11 Overall, these examples highlight the way researchers collectively approached energy sector attacks during the mid-2000s, with a strong focus on physical terrorist attacks.
Things changed on 23 December 2015 when Russia penetrated Ukraine’s electrical grid, turning the lights off for hundreds of thousands of civilians. Overriding the SCADA [supervisory control and data acquisition] systems of three Ukrainian electricity companies, the hackers opened breakers at dozens of distribution terminals throughout Kiev and the Ivano-Frankivsk region, leaving Ukrainian civilians in the dark for hours. 12 Representing what is commonly considered to be the first successful attack on a power grid (though massive cyber attacks in the energy sector had been documented years before), this event marked a significant turning point for international policymakers, industry personnel, and national security practitioners. At this point, a dramatic shift in the literature began to take shape, with scholarly works almost entirely moving towards assessing the potential vulnerabilities of the electrical grid, whether industry and government are doing enough, and what outages of varying lengths could mean in terms of international security and targeted economies. 13 For example, Chih-Che Sun, Adam Hahn, and Chen-Ching Liu have stressed the need to bolster investments in this space, writing that “in 2015, a sophisticated cyber attack targeted Ukraine’s power grid causing wide area power outages. It highlights the importance of investment on cybersecurity against intruders.” 14 Sacha Meckler, Edward Cottle, Usen Antia, and David Healy express similar thoughts, and ask whether enough is being done on this issue throughout Europe, writing that “although a fundamental revision of the structure and organization of energy grids is inevitable, there are nonetheless stark differences in the readiness and level of interest of different Member States (of the EU) to embark upon significant changes to their energy systems.” 15 Tiina Kovanen, Viivi Nuojua, and Martti Lehto also focus on the changing environment, grid security, and the need for owners, operators, and governments to better prepare and collaborate, writing that “readiness plans have to be kept up to date and rehearsed regularly in order to keep them effective.” 16 Furthermore, government and major industry associations in Canada, the US, Australia, and the UK have all signalled their concern regarding potential cyber attacks in the energy sector, with the release of high-level strategic documents on cyber security planning, with specific emphasis on grid security.
Through a combination of limited empirical research and a heavy dose of conjecture, this increasingly expansive subsection of the literature continues to take shape as new cyber attacks on international energy companies and assets come to light. Overall, works on physical attacks and cyber attacks vary widely, not only in their level of technical granularity, but in the ability of authors to comprehensively examine the strategic nature of cyber attacks, emerging trends, and threat actor characteristics, among other things. Given the limitations of attributing cyber attacks—in addition to the fact that most energy sector attacks target privately owned companies and assets rather than government-operated facilities—reporting on attacks, or at least fully disclosing the severity and type of cyber attack, is relatively infrequent, and so we see these limitations reflected throughout the literature, at least relative to works and studies on more traditional forms of physical attacks. Moreover, state-level knowledge about malicious cyber campaigns is not readily accessible—despite detailed reports and assessments being publicly available in some instances, many of these pertinent and insightful details do not make it into the literature. 17 Rather, what we are left with are high-level warnings or “naming and shaming” headlines in mainstream media, such as “Russian hackers appear to shift focus to US power grid,” 18 or “Cyberattacks put Russian fingers on the switch at power plants, US says.” 19
In addition to these two clusters of literature, there is another segment of scholarly work on energy sector vulnerabilities that takes a more practical approach to unpacking sectoral threats and shortcomings: works related to broader CI security, or lack thereof. This body of research, which is largely an outgrowth or by-product of both 9/11 and the Ukraine cyber attacks, as well as significant natural disasters, focuses more heavily on emergency management, strategic policy development, and governance. In one sense, this portion of the literature is not so much interested in the threats themselves, but in analyzing how governments at all levels, as well as owners and operators of Canadian CI, are proactively preparing for disaster (or not), whether it be physical, digital, or natural; and how certain deficiencies increase the energy sector’s exposure to crises or threats of various sorts. In line with the arguments of this paper, at least in terms of thinking more comprehensively and proactively about Canada’s threat environment, Dan Henstra writes that “interest in disaster mitigation tends to be highest during the period immediately following a major disaster, when public attention focuses on vulnerabilities that must be addressed through policy.” 20 Likewise, Henstra and Gordon McBean argue that little is done in terms of proactive mitigation strategies, with too much federal effort focused on post-disaster recovery. On that, Henstra and McBean say “it is better to make policies for disaster mitigation during ‘normal’ periods, where there is less political pressure to act quickly and where policy can be formulated without specific reference to the most recent catastrophic event.” 21 Others have expressed similar concerns on strategically preparing for threats and incidents, through homing in on issues ranging from Canada’s diverse and decentralized critical energy infrastructure sectors, incompatible institutional cultures, misaligned jurisdictional responsibilities and incentives, to poor federal–provincial relations on CI protection, lacking federal guidance and leadership, insufficient prioritization of certain threats, and fractured cohesion amongst energy sector stakeholders and various levels of government. 22
Cumulatively, these works represent but a small portion of analysis undertaken which questions how to best manage and mitigate threats, rather than assessing the actual nature of specific adversarial activities or strategies. Important to note is that much of this literature takes other, non-malicious sources of infrastructure disruption into account, whereas the other aforementioned clusters of material generally do not. Examples include industrial accidents, vulnerabilities associated with aging and deteriorating infrastructure, and of course, disruptions borne of weather, climate change, and other natural disasters. We raise this because despite our paper’s primary focus on exploring physical and cyber attacks in the energy sector conducted by individuals, non-state, and state-based organizations, there remains a wide range of other non-malicious threats to the energy sector and Canadian CI which, by some interpretations, pose an equal if not far greater challenge to energy sector security and resilience than terrorism or cyber attacks.
All told, then, a relatively neglected or dated subset of the literature focuses on purely physical (terrorist) attacks on the energy sector, a limited body of research addresses sectoral cyber attacks, and a wide range of policy-centric work assesses mitigation, governance, and planning weaknesses. Ultimately, this leaves us with a noticeable gap in the literature in terms of presenting a more comprehensive picture of the general threat environment. Our paper, and the project from which it stems, intend to fill this void by presenting a blended and specific analysis of both physical and cyber attacks, while prompting additional, more nuanced, and empirically driven scholarly research on the topic.
Energy sector security revisited
While cyber security in the energy sector has become the paramount concern for government and industry, there remain numerous pathways to attacking energy sector assets which the international sector has experienced. This section of the paper serves as an empirical refresher on some of these attacks, with the intent of highlighting the attractiveness of energy sector targets and the potential that similar attacks could be repeated in the future.
A brief overview of physical attacks in the energy sector
For decades, terrorist groups have been strategically targeting energy sector assets across the world. Nearly 30 years ago, Osama bin Laden called for attacks on Yemeni oil installations, 23 while the 9/11 commission report released over a decade later said that Mohamed Atta, pilot of American Airlines Flight 11, “considered targeting a nuclear facility he had seen during familiarization flights near New York.” 24 We have also come to learn that al-Qaeda’s second-in-command (now the head of al-Qaeda), Ayman al-Zawahiri, called for “mujahedeen to concentrate (their) attacks on oil stolen from Muslims, from which most revenues go to the enemies of Islam.” 25 To a certain extent, these prophetic calls for action were realized when al-Qaeda attacked Saudi oil facilities in Yanbu and Khobar in 2004, and the Abqaiq oil processing complex—the largest in the world—in February 2006. 26 Moreover, on 16 January 2013, al-Qaeda-linked terrorists attacked the Tiguentourine gas facility in Algeria. 27 The group is also responsible for attacks on offshore oil facilities in Yemen, pipelines in Egypt (which transport gas between Egypt, Israel, Jordan, and other countries), and numerous facilities throughout Iraq. 28 Similarly, the Islamic State (ISIS) has clearly integrated energy sector attacks into their strategic planning. However, unlike al-Qaeda, ISIS is (or was) primarily concerned with the exploitation of regional oil and gas resources for their own financial gains. Throughout 2014, ISIS took control of more than 60 percent of Syrian oil production, and gained somewhere in the range of 20 oil fields with a total production capacity of around 100,000 barrels per day. Estimates suggest that ISIS was generating somewhere between $2 million and $4 million per day during this timeframe, or between $730 million and $1.4 billion per year. 29 In terms of attacks, ISIS carried out deadly operations throughout 2014, 2015, and 2016, including numerous attacks on oilfields, pipelines, transmission lines, and facilities in Libya, Iraq, and Syria. 30 Beyond al-Qaeda and ISIS, other non-state actors in the region are also strategically targeting the energy sector, as illustrated by the drone attacks on Saudi Aramco in September 2019. Using “kamikaze” or “suicide drones,” Iran-backed Houthi rebels in Yemen flew some 20 drones and several cruise missiles into Saudi Aramco’s Abqaiq oil processing facility in Buqayq, interrupting nearly six million barrels of Saudi oil production per day, or nearly 5 percent of the world’s daily crude supply.
However, attacks of this nature are not isolated to Middle Eastern countries, and threat actors markedly different from al-Qaeda have carried out damaging and even deadly attacks throughout the world. For example, data gathered by the Global Terrorism Database—or GTD—found that attacks on everything from electricity pylons to pipelines, transmission lines, and electricity towers have taken place in Nepal, Thailand, the Philippines, India, and Pakistan, just to name a few cases. Separatist groups such as Thailand’s Barisan Revolusi Nasional, Pakistan’s Balochistan Liberation Army, and the Philippines’ New People’s Army highlight the fact that physical attacks on international energy assets are carried out by a wide range of non-state actors, motivated by a diverse spectrum of ideological perspectives, grievances, and expectations. That said, the data do point to major oil producing countries bearing the brunt of most attacks.
For example, Africa’s largest energy producer, Nigeria, has experienced a significant volume of energy sector attacks. Beginning in 2006, the Movement for the Emancipation of the Niger Delta (MEND) began a campaign targeting energy sector sites, including kidnappings, pipeline attacks, and oil theft or “oil bunkering”; by 2007, it was estimated that MEND attacks had reduced Nigeria’s oil output by “roughly one-third.” 31 Over time, MEND eventually dissolved and re-emerged as the Niger Delta Avengers, a more formidable force that has staged long-term, energy-specific campaigns of attack which have reduced Nigeria’s oil production by nearly a million barrels per day. Their attacks have disrupted operations carried out by some of the world’s largest energy companies, such as Chevron, ExxonMobil, and Shell.
Numerous oil-producing countries throughout Latin America have also grappled with physical attacks on their energy infrastructure. For example, in 2018, Canadian Frontera Energy suspended production at the largest oil field in Peru after activists severed a major pipeline, taking nearly 10,000 barrels of oil per day offline. More recent examples include the February 2019 bombings of pipelines owned by Colombian state-run oil company Ecopetrol, as well as the Mexican pipeline explosion in January 2019 which killed dozens after fuel thieves caused a pipeline rupture.
While such attacks might seem farfetched or even unimaginable in Canada, the Canadian Security Intelligence Service warned energy companies in 2016 that the sector was “vulnerable to explosives,” 32 which for many was a reminder of the 2008–2009 pipeline bombings in British Columbia. Furthermore, in 2016, five oil pipelines carrying Canadian crude oil in the United States were disrupted by coordinated environmental protests, and in 2017, vandals caused $500,000–$700,000 in damages to a Paramount Resources pipeline in Hythe, Alberta. While these situations pale in comparison to a devastating pipeline explosion or a refinery being overrun by terrorists, they speak to the ease with which individuals using cheap and unsophisticated techniques can cause significant damage to critical infrastructure.
A brief overview of cyber attacks in the energy sector
In terms of cyber attacks, the energy sector remains one of the more frequently targeted sectors, at least in Canada and the US, with some of the most devastating cyber attacks having been carried out upon it.
For example, though often approached and/or studied through the lens of counter-proliferation, or broader American–Israeli national security considerations, the Stuxnet worm discovered in 2010 was ultimately an energy sector attack targeting Iran’s nuclear program. It is estimated that the attack destroyed nearly 1000 uranium enrichment centrifuges, and decreased Iran’s enrichment efficiency by a third. 33 Less than two years later in 2012, Saudi Arabia’s largest oil company, Saudi Aramco, was attacked in what is still considered the most damaging cyber attack in history (at least from a financial perspective). Carried out during the holy month of Ramadan while most employees were on holiday, the attack effectively shut down all corporate operations to the point that the company “started giving oil away for free to keep it flowing in Saudi Arabia.” 34 Five months and 50,000 computers later, the energy giant was back and fully operational, but the damage had been done. That same year, Qatari natural gas company RasGas had its website and e-mail servers hacked, while Iran’s National Iranian Oil Company also sustained cyber attacks to its servers and websites. Cyber attacks throughout the Middle East, particularly those targeting critical energy infrastructure, represent regional geopolitical disputes moving into a new and extremely disruptive domain, which can cause—and has caused—international repercussions throughout the sector.
However, we have also witnessed a dramatic rise in internationally oriented cyber attacks, and a transition away from disruptive cyber attacks on companies with the intent of causing financial damage, to potentially life-threatening attacks impacting civilians that reach far beyond a standalone owner or operator. In other words, while cyber attacks were, until very recently, fairly contained and reflective of regional dynamics and disputes, both geopolitical and economically related, in the last five years the threat environment has become much more dynamic, disruptive, and far-reaching, with international attacks becoming more pervasive, and the likelihood of loss of life increasing. Some energy sector attacks have also raised concerns that an attack, depending on its nature, level of severity, and timing, could fundamentally disrupt and undermine democratic processes. Speaking to this very issue, in a July 2018 report published by the US attorney general’s Cyber Digital Task Force, the Task Force wrote that “cyber operations could seek to undermine the integrity or availability of election-related data. For example, adversaries could employ cyber-enabled or other means to … target the power grid or other critical infrastructure in order to impair an election.” 35
Relatedly, in 2016, the former secretary of homeland security under US president Barack Obama, Jeh Johnson, suggested designating the American election system as “critical infrastructure,” a “category that includes bridges and the power grid.” 36 Now, years later, US intelligence officials appear to be equally concerned with the prospect of power outages, particularly during an election period, with Russia apparently more interested in causing grid outages than direct electoral manipulation. 37 In a January 2019 Wall Street Journal article, Rebecca Smith and Rob Barry reconstruct the most significant hack of America’s utilities sector in 2017, and paint a disturbing picture of how sophisticated some of these state-level attacks are and how damaging they can be, as well as how little we actually know about these issues, and how vulnerable the industry is. 38
While these selected examples only represent a subset of the cyber attacks targeting the global energy sector, they speak to the changing nature of national security, of increasing threat vectors, and of potentially new pathways and triggers to the outbreak of conflict and war. Whether or not government and industry are fully appreciative of these realities is another issue.
En-Threat Project findings
With support from the Canadian Network for Research on Terrorism, Security and Society, we were able to interview subject matter experts and security practitioners in both Canada and the US, as well as disseminate a cyber-specific survey for industry, with the help of the former Canadian Cyber Incident Response Centre (CCIRC). The intent of this research was twofold: to develop a more granular understanding of which threats (both cyber and physical) government and energy industry personnel are seized with; and to assess how different actors from the public and private sectors approach threat mitigation.
In October 2018, eight interviews were conducted in Ottawa, Canada, and Washington, DC, USA, with interviewees from the US and Canadian national security and intelligence community, Canada’s foreign service, as well as the US Department of Energy and the North American Electric Reliability Corporation. Our cyber survey was distributed by CCIRC through their industry-targeted, energy-specific network of Canadian owners and operators, and was completed by over 30 Canadian energy companies. Acknowledging that our interviews and survey were limited in scope and sample size, and potentially hindered by a reluctance of participants to fully delve into and/or speak to certain issues, our efforts add an additional layer of empirical research to our analysis and create a foundational starting point for additional works on this topic to build from.
Ultimately, these interviews and survey results led us to three high-level findings: that industry is more concerned with physical security in the energy sector than government; that cyber-literacy in the energy sector remains insufficient to adequately address the rapidly evolving threat environment; and that industry and government efforts to counter both physical and cyber threats are carried out in silos.
In terms of physical threats to the energy sector, our interviews confirmed that American energy sector owners and operators are more proactive and collaborative in this space than their Canadian counterparts. While cyber threats are discussed regularly through a wide range of forums in the US, physical threats remain consistently top of mind for many industry and government personnel as well, with one US interviewee describing it as a “priority”; “how could it not be? We’ve got to look at both issues regularly.” By contrast, in discussions with Canadian officials, little seemed to be known about what industry was doing in this space, which not only spoke to a disconnect between government and industry, but to a potentially fractured interdepartmental community to address physical threats to the energy sector. Ultimately, we found that very few Canadian officials knew much, if anything at all, in terms of what initiatives or efforts were underway in this area, with most interviewees in Canada having little to no familiarity with the history of physical attacks on energy infrastructure in Canada or internationally. Our interviews corroborate findings developed by the Canadian government itself in 2003: “Currently there is a limited ability on the part of federal and provincial government departments and agencies to collect, collate, analyze and synthesize the modest amount of substantive qualitative information on actors, their actual and potential capabilities, intended targets, and recorded attempts to penetrate or attack assets or systems.” 39 Unfortunately, this may very well remain an accurate statement decades later, given the voluntary nature of Canada’s critical infrastructure protection planning, and inherent communication and collaboration issues that can and do arise from shared responsibilities amongst federal, provincial, and territorial governments, as well as local authorities and owners and operators.
On cyber security, interviewees in both Canada and the US were adamant that government and industry need to allocate greater resources and efforts towards increasing their cyber-literacy and understanding not only the technical side of cyber security and cyber threats, but the actual threat environment and the various emerging trends impacting the sector. Our survey supported this suggestion, with nearly 20 percent of respondents indicating that their biggest challenge in implementing and maintaining an adequate cyber security plan was “lack of trained cyber security personnel,” with another 20 percent pointing to “budget restrictions” as their main obstacle. Moreover, when asked “Do you feel like your organization is sufficiently equipped internally to deal with the cyber threats you’re facing?” over 40 percent of respondents said “no,” despite 47 percent of respondents indicating that their organization experienced more than 1,000 cyber attacks per year, and 57 percent indicating that a successful attack on their company could “impact Canada’s national security.” Furthermore, nearly 30 percent of respondents indicated that “internal human error” was their “biggest cyber security challenge.” Interviewees also discussed a need to increase bilateral information-sharing amongst government and industry on cyber and physical threats, as well as mitigation measures. Relatedly, 53 percent of questionnaire respondents said they “communicate on cyber security issues with domestic partners regularly,” while only 28 percent of respondents said they “communicate on cyber security issues with both domestic and international partners regularly.”
Finally, when it comes to our suggestion that government and industry work in silos on cyber and physical security, interviewees said that this is likely attributable to most of the energy sector being privately owned and operated, and not under the purview of a federally regulated infrastructure. They also pointed out that critical infrastructure protection planning is primarily voluntary—at least in Canada, the US, and the UK. While Canada has a National Cross-Sector Forum, a Regional Resilience Assessment Program, and a Critical Infrastructure Information Gateway among other things, there appears to be a disconnect in that owners and operators of critical energy infrastructure are only as engaged and communicative on these matters and their own planning processes as they want to be, which in many cases likely does not suffice in appropriately meeting the complexities of the current threat environment, both physical and cyber. Public Safety Canada’s 2016 Cyber Review Consultations reached similar conclusions in finding that greater clarity was needed “on how and with whom the private sector should engage” 40 at the federal level on cyber security. Furthermore, a report released in March 2019 by the Canadian Association of Defence and Security Industries found that “government and industry lack the mutual trust required to effectively collaborate in the cyber defence of Canada. This distrust has been sown over time through a history of unproductive engagements, limited communications, and inadequate mutual understanding of each other’s capabilities.” 41 Our interviewees expressed a similar sentiment in saying that establishing a comprehensive, open, and porous dialogue with industry owners and operators is still an obstacle to effectively supporting each other and cooperatively working towards cyber security protection, both throughout industry and government.
Interviewees hinted that information-sharing from their end is often limited or watered down due to classification and sensitivity issues, whereas with industry, their lack of trust and reservations on communication stem from risks to shareholder confidence. However, it is not all doom-and-gloom between government and industry. In 2018, the Communications Security Establishment launched the new Canadian Centre for Cyber Security, which intends to be a gathering place where private and public sectors work side-by-side on cyber issues, and where industry can come for guidance, advice, and support. Another noteworthy organization is the industry-led Canadian Cyber Threat Exchange, which acts as a forum to exchange everything from threat information to best practices, techniques, and insights.
More needs to be done, though: as various forms of emerging technology augment the abilities of adversaries to carry out a diverse range of cyber attacks, government, industry, and even academia will need to be more communicative, trustworthy, and innovative in how they share information, work together, and cooperatively protect Canada’s most critical infrastructure, systems, and networks.
Policy options and concluding thoughts
Based on our research findings, and as a result of our reviewing the literature and empirical record on physical and cyber threats to the energy sector, we have developed two separate, concise, and preliminary sets of recommendations for government to consider in terms of creating a more comprehensive approach to energy sector protection, and which strike a better balance between physical and cyber attacks. The first set of recommendations, which we refer to as “foundational improvements,” are fundamental issues which are to be treated as prerequisites for our second set of recommendations, which we consider to be “operational improvements.” It should be noted that neither the proposed foundational nor operational improvements are exhaustive lists, nor are they mutually exclusive. Rather, given the inherent complexities of CI protection, and more specifically energy sector resilience and security, the proposed changes in each category are, in fact, inextricably connected and contingent upon one another.
Foundational improvements
First, despite “trust”—or what Canada’s National Strategy and Action Plan for Critical Infrastructure (NS&AP) refers to as “relationship building”—being a core strategic objective, more must be done in terms of improving trust, not only between the federal government, provinces, territories, and municipalities, but between the federal government and the Canadian public. On this, Kevin Quigley wrote in 2013 that:
“[p]olling in most Western countries suggests that trust in government is in decline. In this sense, in trying to build up trust with CI owners and operators, government might be going in the wrong direction. Rather, they should try to build up trust among citizens in government’s ability to regulate CI and those responsible for it. After all, critical infrastructure is not critical for industry but society as a whole. Ironically, while citizen response is crucial to successful emergency management … the NS&AP is completely silent on citizen engagement and outward accountability.” 42
Second, increasing transparency amongst this same set of stakeholders is critical to safeguarding Canada’s energy sector. While on the one hand it can be argued that “open communication” is a fundamental element of building trust, it can be simultaneously argued that too much transparency can lead to industry fears of revealing commercially sensitive or commercially damaging information on risks and vulnerabilities—or from government’s perspective, too much insight into ongoing issues, national security files, sources, and the government’s toolkit. Working towards a transparency framework that respects everything from market competition dynamics to operational national security concerns, legal barriers, capacities to share, institutional cultures, and public reaction to certain information would benefit government and energy sector stakeholders in having more robust information and a fuller, potentially more compelling understanding of the risks and threats facing Canada’s energy sector. Quigley, Calvin Burns, and Kristen Stallard point out that certain scholars argue that “transparency and the right to access government information are now internationally regarded as essential to democratic participation and trust in government,” 43 and yet, for all of the efforts to build partnerships and improve communication and collaboration, the actual substance of the information shared in both directions continues to be an issue.
Third, clarity in terms of identifying lanes of accountability needs improvement. With over 80 percent of energy sector assets and installations privately owned and spread across a highly dispersed landscape, with ambiguous divisions of responsibilities, determining who is and who is not accountable for energy sector security, and under which circumstances, remains a challenging task. According to Angela Gendron, “critical infrastructure is particularly vulnerable when it crosses boundaries and borders because it is precisely in such circumstances that jurisdictional regulations and security standards diverge, and issues relating to direction, control and accountability are most obscure.” 44 Furthermore, Quigley suggests that “more transparency and clearer accountability will help to generate a more effective dialogue and stable solutions,” 45 while Andrew Graham writes that “the central thesis based on the research to date is that ownership of CI is widely distributed and responsibility, in terms of who must lead the overall process, and accountability, in terms of who must ultimately answer for specific results, is diffused.” 46 Evidently, just as trust and transparency are key themes throughout the literature as far as areas needing improvement, so too is the idea of accountability. Should a physical or cyber attack target critical energy infrastructure in Canada, knowing who to turn to for assistance and support could be the deciding factor between life and death.
Drawn primarily from the third body of literature referenced in the second section, these three foundational improvements focused on trust, transparency, and accountability represent, in our view, the most glaring areas in need of attention. Though high-level, and void of detailed recommendations in terms of how to achieve meaningful improvements in these areas of concern, this section serves as a reminder of core issues which have been expressed throughout the literature for many years, and which seem to remain largely neglected. Furthermore, acknowledging these foundational issues, which undoubtedly comprise only a fraction of the key deficiencies, also serves as a warning that pursuit of operationally transformative changes, absent improvements to these most fundamental challenges, would lead to an equally if not more obscure and vulnerable threat environment. Having said that, we now briefly propose three operational improvements that the federal government could pursue as part of its approach to strengthening energy sector security.
Operational improvements
First, Canada must establish mandatory, sector-specific, centrally determined baseline standards for physical security of energy sites which, if compromised or attacked, could be injurious to Canada’s national security. Given the governance structure of emergency management in Canada, which is largely managed by both federal and provincial governments, these pan-Canadian standards should be developed in concert between different jurisdictions. By ensuring that owners and operators meet mandatory baseline levels of physical security at specific sites, Canada’s energy sector will be better protected against attacks, and better able to address potential “cascading” effects frequently associated with such attacks. 47
Second, Canada should establish mandatory cyber security training for new and existing employees at energy sites in Canada determined to be integral to national security. The federal government should fund and collaboratively develop and design these courses with sector-specific stakeholders from the provinces, academia, and the private sector, the latter of which could further help administer the training on the ground. Such training should account for the interdependence of physical and cyber infrastructure, and should speak not only to the technical elements of cyber attacks and cyber security, but to the emerging trends impacting the sector from a geostrategic perspective.
Third, Canada should consider mandatory reporting (whether it be monthly, quarterly, or annually) by industry, provinces, and territories to the federal government on both physical and cyber security attacks, as well as on the resilience of existing physical and cyber security plans and any measures being undertaken to enhance security. Collecting and analyzing more and better data will help the government to better assess emerging critical infrastructure security threats and needs.
The intent of these proposed policy options is to ensure that Canadian owners and operators of critical energy infrastructure, as well as all other relevant actors, are working as efficiently and effectively as possible on information-sharing (and trust), capacity-building, and resilience in a sector on which all others depend. As societies and economies of the world become increasingly interconnected through digital technologies and innovations, physical–cyber interdependencies continue to enhance the abilities of governments, businesses, and end-users to realize historic improvements in nearly every sphere of our day-to-day lives. However, at the same time, these advancements have also led to new vulnerabilities, threats, and potential gateways of destruction, where an attack on one system, sector, or physical asset could have disastrous cascading effects elsewhere.
To malicious actors around the world, both state and non-state, these risks and vulnerabilities present an appealing window of opportunity which could be exploited through a wide range of tactics, whether they be sophisticated and highly technical cyber attacks, or unsophisticated physical attacks. Therefore, if we are to prepare for, prevent, and respond to these threats, not only do all involved parties need to understand and appreciate these risks, they need to increase their collaboration, information-sharing, and policy development—these issues cannot be dealt with in isolation, whether that be amongst domestic players or international partners.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by Canadian Network for Research on Terrorism, Security and Society (grant number 895-2018-1000).
1.
2.
3.
4. The scope of our research is limited to malicious activities meant to purposefully cause harm to national security interests, rather than on non-malicious risks, concerns, and policy challenges to critical infrastructure stemming from environmental or climatic events (e.g. hurricanes, floods, fire, etc.), aging infrastructure, industrial accidents, regulatory mismanagement, or lack of cross-jurisdictional and public-private collaboration, capability, or oversight.
5. With funding support from the Canadian Network for Research on Terrorism, Security and Society, the authors undertook a year-long project to assess both the cyber and physical risks facing Canada’s energy sector. The En-Threat Project: An Assessment of Physical and Cyber Terrorist Threats to Canada’s Energy Sector project included conducting interviews with both US and Canadian subject matter experts (conducted in 2018), as well as a survey facilitated by the former Canadian Cyber Incident Response Centre, which major Canadian energy companies completed.
6. Mordechai Abir, “The al-Qaeda threat to Saudi Arabia’s oil sector,” Jerusalem Issue Brief 4, no. 13 (Jerusalem Center for Public Affairs), 28 December 2004; Jeffrey J. Stower, “Vulnerability of the United States’ oil supply to terrorist attack,” United States Marine Corps Command and Staff College, 2005; Stewart Bell, “Al-Qaeda-affiliated website calls for attacks on Canadian oil industry,” National Post, 9 February 2007; Ian MacLeod, “Al-Qaeda calls for attacks on Canadian oil facilities,” National Post, 14 February 2007; Jack Williams, “Al-Qaida threats and strategies: The religious justification for targeting the international energy economy,” CEIPPR Research Series no. 3, 2008; Marisa Urgo and Jack Williams, “Al-Qaida’s Medinan Strategy: Targeting global energy infrastructure,” CTC Sentinel, 15 May 2008; Murad Batal al-Shishani, “Al Qaeda & oil facilities in the midst of the global economic crisis,” Journal of Energy Security, 23 April 2009.
7. Ali M. Koknar, “The epidemic of energy terrorism,” In: Luft Gal and Anne Korin, eds., Energy Security Challenges for the 21st Century (Santa Barbara, CA: ABC-CLIO, LLC, 2009), 18–19.
8. Tamara Makarenko, Terrorist Threat to Energy Infrastructure Increases (St. Andrews: University of St. Andrews: Centre for the Study of Terrorism and Political Violence, 2003).
9. Jan K. Fedorowicz, “The ten-thousand mile target: Energy infrastructure and terrorism today,” Canadian Centre of Intelligence and Security Studies (CCISS), 2007, 5.
10. Martin Rudner, “Protecting Canada’s critical national infrastructure from terrorism: Mapping a proactive strategy for energy security,” International Journal 64, no. 3 (2009): 775–797.
11. Daveed Gartenstein-Ross, “Osama’s oil obsession: Al Qaeda wants to hit Americans where it hurts: in their gas tanks,” Foreign Policy, 23 May 2011.
12.
13. Venkatachary Sampath Kumar, Jagdish Prasad, and Ravi Samikannu, “A critical review of cyber security and cyber terrorism – threats to critical infrastructure in the energy sector,” International Journal of Critical Infrastructures 14, no. 2 (2018): 101–119; Don C. Smith, “Enhancing cybersecurity in the energy sector: A critical priority,” Journal of Energy & Natural Resources Law 36, no. 4 (2018): 373–380.
14. Chih-Che Sun, Adam Hahn, and Chen-Ching Liu, “Cyber security of a power grid: State-of-the-art,” International Journal of Electrical Power & Energy Systems 99 (July 2018): 45.
15. Sacha Meckler, Edward Cottle, Usen Antia, and David Healy, “Cyber security strategy for the energy sector,” Directorate-General for Internal Policies of the Union (European Parliament), 2017, 6.
16. Tiina Kovanen, Viivi Nuojua, and Martti Lehto, “Cyber threat landscape in energy sector,” International Conference on Cyber Warfare and Security, 2018, 356.
17.
18.
19.
20. Dan Henstra, “Federal emergency management in Canada and the United States after 11 September 2001,” Canadian Public Administration 46, no. 1 (2008): 103–116.
21. Dan Henstra and Gordon McBean, “Canadian disaster management policy: Moving towards a paradigm shift?” Canadian Public Policy 31, no. 3 (2005): 303–318.
22. See Rudner, “Protecting Canada’s critical national infrastructure from terrorism”; Angela Gendron, “Critical energy infrastructure protection in Canada” (Ottawa: Defence R&D Canada, Centre for Operational Response and Analysis, December), 2010, http://cradpdf.drdc-rddc.gc.ca/PDFS/unc104/p534201_A1b.pdf (accessed 25 November 2019); Andrew D. Graham, “Canada’s critical infrastructure: When is safe enough safe enough?” Macdonald-Laurier Institute, Ottawa, December 2011, https://www.macdonaldlaurier.ca/files/pdf/Canadas-Critical-Infrastructure-When-is-safe-enough-safe-enough-December-2011.pdf (accessed 25 November 2019); Duane Verner, Frederic Petit, and Kibaek Kim, “Incorporating prioritization in critical infrastructure security and resilience programs,” Homeland Security Affairs XIII, article 7 (October 2017), (accessed 25 November 2019); Geoffrey Hale and Cailin Bartlett, “Managing the regulatory tangle: Critical infrastructure security and distributed governance in Alberta’s major traded sectors,” Journal of Borderland Studies 34, no. 2 (2019): 257–279; Kevin Quigley, “‘Man plans, God laughs’: Canada’s national strategy for protecting critical infrastructure,” Institute of Public Administration of Canada, 2013; Philip Boyle, “Building a safe and secure Canada: The mechanopolitics of infrastructure,” Resilience: International Policies, Practices, and Discourses 7, no. 1 (2019): 59.
23. Michael Scheuer, Through Our Enemies’ Eyes: Osama Bin Laden, Radical Islam and the Future of America, 2nd ed. (Dulles, VA: Potomac Books, 2006), 122.
24.
25. “Poorly protected oil facilities leave West vulnerable: Experts warn of hair-trigger market,” Daily Star, Beirut, 8 May 2006.
26. Rudner, “Protecting Canada’s critical national infrastructure from terrorism.”
27.
28. Lukas Tichy and Jan Eichler, “Terrorist attacks on the energy sector: The case of Al Qaeda and the Islamic State,” Studies in Conflict and Terrorism 41, no. 6 (2018): 450–473.
29. Jean-Charles Brisard and Damien Martinez, Islamic State: The Economy-Based Terrorist Funding (Thomson Reuters, 2014), 4–8.
30. Tichy and Eichler, “Terrorist attacks on the energy sector.”
31.
32.
33.
34.
35. US Department of Justice, “Report of the Attorney General’s Cyber Digital Task Force,” 2 July 2018, 3.
36. Sue Halpern, “Trump, election hacking, and the Georgia governor’s race,” The New Yorker, 24 July 2018.
37. Sanger, “Russian hackers appear to shift focus.”
38.
39.
41. Canadian Association of Defence and Security Industries, “From bullets to bytes: Industry’s role in preparing Canada for the future of cyber defence,” 7 March 2019.
42. Quigley, “‘Man plans, God laughs.’”
43. Kevin Quigley, Calvin Burns, and Kristen Stallard, “‘Cyber gurus’: A rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection,” Government Information Quarterly 32, no. 2 (2015): 108–117.
44. Gendron, “Critical energy infrastructure protection in Canada,” 8.
45. Quigley, “‘Man plans, God laughs.’”
46. Graham, “Canada’s critical infrastructure,” 6.
47. We thank an anonymous reviewer for their input here.
Author Biographies
Casey Babb is a PhD student at the Norman Paterson School of International Affairs (NPSIA), Carleton University in Ottawa.
Alex S. Wilner is an Assistant Professor of International Affairs at NPSIA.
