As terrorists move the global guerrilla war paradigm, infrastructure becomes the main focus of attacks. The recent attacks on the Iraq's al Baqra oil terminal (see Journal: Attacks on systems?) and the deadly attack on western petroleum employees in Saudi Arabia, indicate that this shift is already going on. However, US oil infrastructure vulnerability isn't limited to international production and transport, there are significant vulnerabilities within US borders. As with most US infrastructure there are extreme levels of concentration due to under investment and efficiency. Allegro Energy Group's, "How Pipelines Make the US Energy System Work," (PDF) provides insight into this issue.
- Transport concentration. A large majority of US oil (68%) is delivered by domestic pipelines. The US oil pipeline infrastructure is extremely concentrated with relatively few large pipelines. Additionally, US pipelines ship more than just oil. They also provide transport for: diesel and gas. An attack on a pipeline will have an impact on multiple markets. Experience in Iraq shows that even limited physical attacks against oil pipeline infrastructure can disrupt transport for extended periods (months). These physical attacks can be made with relative ease.
- Control system concentration. As with the power system, the US oil system relies on a security-free command and control system (a SCADA network). This system lacks encryption, operates on open networks, and is easily hacked (see "Power Peril" for more on control system vulnerabilities).
- Production concentration. The Gulf Coast provides 55% of domestic crude and 47% of refined product production. This presents a similar vulnerability to the al Baqra oil terminal. A single, well planned attack could provide strategic impact that could not be easily replaced.
How to Limit this Vulnerability
The US oil industry has made some efforts to improve security on our pipeline infrastructure including: increased security for critical facilities, improved coordination with law enforcement, and an Internet mapping system. Unfortunately, the industry is in deep denial as to the potential threat. For example, here's a recent quote form an industry body: "When it comes to pipeline safety and security, Americans have little to fear." A more realistic response would be to add the following security measures:
- A system wide security sensor network and an encypted/secure command and control network. Sensor and wireless technology has made amazing strides over the last decade. It's time to bite the bullet and invest in these networks.
- An industry sponsored private military rapid response team. Infrastructure industries should not rely on US law enforcement for dedicated help. The private military market (which has become both large and sophisticated over the last decade) can provide a high quality dedicated force that can quickly respond to incidents to limit damage.
- Redundancy and local stockpiling. This approach requires a change in mindset from just-in-time delivery (which is efficient) to continuity of supply (which takes into account customer costs due to a disruption of supply).