Emerging Frontiers in Risk
With the success of the high-profile ransomware attacks WannaCry and Petya last year, businesses and individuals may be seeking to reduce the risk resulting from cyberterrorism attacks. More recently, a new malware strain dubbed TRITON attacked Triconex industrial safety PLC equipment, targeting the shutdown subroutines in the safety PLC and creating potentially dangerous situations. After TRITON was used to target Triconex PLCs, other manufacturers warned their customers to be on guard for similar attacks on their systems as well.
Not all attacks are meant to steal intellectual property or financial information. An attacker’s goal may be equipment damage and business interruption. Some, like the hacktivist group Anonymous, are known to target groups and businesses with the goal of interrupting normal operation. Hacktivists are malicious users intent on promoting a social or political cause.
Networks and network infrastructure are vulnerable to a wide range of risks. Physical risks to network infrastructure can be mitigated by limiting access to the equipment (e.g. modems, switches, routers, etc.). Connecting a network to the internet is a common practice that allows remote operation and offsite backup of historical data but also carries the risk of allowing malicious users access to that network. Figure 1 depicts a simple control network connected to the internet.
A phishing attack is the least sophisticated cyber-attack. Phishing depends on an end user volunteering information. Sometimes that information is financial; other times it is login credentials. These attacks depend on the end user being unable to tell the difference between legitimate and deceptive information requests.
A malware attack is the use of a virus that evades conventional anti-virus software. While the perpetrators of malware attacks may have no interest in gaining access to a particular network, the information they gather can be sold to malicious users who are interested in accessing that network. Both phishing and malware attacks are generally used in the information-gathering stage of a more sophisticated attack. If network login credentials are obtained in these attacks, a network intrusion can be accomplished remotely.
Distributed Denial of Service (DDoS) attacks involve malicious users deluging a target network with data, thus slowing it. These attacks are not considered dangerous to equipment and are typically used as publicity stunts by hacktivists. In a worst-case scenario, a sustained DDoS attack may result in a business interruption.
An Advanced Persistent Threat (APT) is the type of attack most commonly associated with damage to equipment. Perpetrators of APTs are resourceful, purposeful, and understand their target systems. An attacker with knowledge of a process can halt that process by attacking vulnerable points.
When malicious users gain access to a network they also gain access to any processes controlled by that network. With access to a network, they can damage process equipment by changing critical operational data. One of the most well-known attacks to damage process equipment was the use of the Stuxnet worm, the first known cyber-weapon, against the Iranian Natanz nuclear facility in 2010. The attack caused the suspension of the Iranian uranium enrichment program.
Not all cyber-attacks use cyber-weapons. In 2008, malicious users enabled physical access to the Baku-Tbilisi-Ceyhan pipeline in Turkey. During this attack, hackers circumvented the alarms, communications and security equipment that would have allowed personnel to respond. With the cyber-attack underway, two people sabotaged the pipeline. The malicious users then deleted security camera footage. One camera was not connected to the network and captured images of the two saboteurs. Had that camera been connected to the network, equipment failure would have been blamed for the incident. The damage caused 30,000 barrels of oil to spill into a nearby aquifer.
Identifying The Signs
Tests conducted in controlled environments have demonstrated that equipment can be damaged by hackers with knowledge of how that equipment functions. Simple alterations made to critical systems by knowledgeable personnel can be used to devastating effect.
• Preventing cooling fans from operating causes overheating and eventual process equipment failure.
• Opening and closing main circuit breakers on generators causes damage throughout electrical transmission systems.
• Manipulating valves on pipelines causes overpressure and material release events.
• Changing the set point temperature on process control systems causes damage to chemical processes.
To the casual observer, simple changes made by malicious users can be interpreted as accidental device failure. Other indications of tampering may be present, many of which might have escaped an initial investigation. A qualified expert might ask:
• Did the alarms alert personnel that the process had gone awry?
• Why didn’t automatic shutdown procedures function?
• Did the personnel attempt to intervene but manual process overrides failed to function?
• Did the control system survive, and can the information contained therein be accessed and recovered?
When attempting to damage equipment, malicious users exploit their knowledge of automation system implementation to disable alarms and automatic shutdown features. During a sophisticated attack, personnel may not recognize trouble until damage is inevitable. The example illustrated by Figure 2 is an APT attack targeting a pump process. A remote malicious user obtained access to the facility level control system via the network connection to the internet. From there, they attacked the pump process through the unit 1 controller with the intention of causing damage. Alternatively, the malicious user could have attacked the cooling fan process through the unit 2 controller and ignored the pump controls.
The example illustrated in Figure 3 is similar to that in Figure 2 in that it is an APT attack targeting a pump process, but the method of attack is drastically different. In this example, the malicious user has physically gained access to the facility and compromised the unit 1 controller directly. In this type of attack, the local malicious user would insert a program into the unit 1 controller without needing to bypass or compromise any server- or station-level security countermeasures.
When one controller in a network is compromised by a malicious user, it does not necessarily follow that all of the controllers are compromised. In Figures 2 and 3, the unit 2 controller is not considered compromised. With the sophistication of modern process equipment automation systems, a total failure of all alarms and shutdown features is unlikely. The possibility of a cyber-attack should be considered when:
• Alarm and shutdown features are found to be disabled.
• Alarm and shutdown features are found to be intact but personnel report never being alerted.
• Devices are found that do not belong to the facility or to authorized personnel.
• Security camera footage is missing after an incident.
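The indicators above (protections disabled, limits exceeded without an alarm, writes from devices that do not belong) can be checked mechanically against a controller or historian event log before an expert is called in. The following Python script is an added example, not code from the original article or from EDT; the log format, tag names (TI-101, PI-201, ESD-PUMP-1), alarm limits and the list of authorized write sources are all constructed assumptions for illustration.

```python
"""Flag tampering indicators in a constructed controller/historian event log.

Each record is (timestamp_s, kind, tag, value, source), where kind is one of:
  "pv"    - process variable sample
  "sp"    - setpoint write
  "alarm" - alarm raised by the controller
  "cfg"   - configuration change to a protection element (alarm, ESD, interlock)
"""
from collections import defaultdict

# Hypothetical high limits and approved write sources for a pump unit (assumed).
HIGH_LIMITS = {"TI-101": 95.0, "PI-201": 12.0}
AUTHORIZED_SOURCES = {"hmi-station-1", "eng-station-1"}
DISABLING_VALUES = {"disabled", "bypassed", "inhibited"}

# Constructed sample log: one legitimate setpoint change, one bypassed shutdown,
# one setpoint write from an unknown device, one alarm that fired correctly,
# and one limit excursion for which the controller never raised an alarm.
SAMPLE_LOG = [
    (0,  "pv",    "TI-101",     70.0,       "plc-unit-1"),
    (5,  "sp",    "TI-101.SP",  80.0,       "eng-station-1"),   # authorized
    (20, "cfg",   "ESD-PUMP-1", "bypassed", "hmi-station-3"),   # shutdown bypassed
    (25, "sp",    "PI-201.SP",  14.0,       "hmi-station-3"),   # unknown source
    (30, "pv",    "PI-201",     13.0,       "plc-unit-1"),      # above 12.0 ...
    (35, "alarm", "PI-201",     "HI",       "plc-unit-1"),      # ... and alarmed
    (40, "pv",    "TI-101",     98.0,       "plc-unit-1"),      # above 95.0, silent
    (50, "pv",    "TI-101",     101.0,      "plc-unit-1"),      # same excursion
]


def find_indicators(log, high_limits=HIGH_LIMITS, authorized=AUTHORIZED_SOURCES):
    """Return (timestamp, indicator, tag, source) tuples in log order.

    Indicators:
      protection_disabled          - a cfg record turned off an alarm/ESD element
      unauthorized_setpoint_write  - a setpoint write from a non-approved source
      limit_exceeded_no_alarm      - a PV crossed its high limit and no alarm
                                     record for that tag follows at any point
    """
    # First pass: collect every alarm timestamp per tag.
    alarms_raised = defaultdict(list)
    for ts, kind, tag, _value, _src in log:
        if kind == "alarm":
            alarms_raised[tag].append(ts)

    findings = []
    reported_silent = set()  # report one silent excursion per tag, not per sample
    for ts, kind, tag, value, src in log:
        if kind == "cfg" and str(value).lower() in DISABLING_VALUES:
            findings.append((ts, "protection_disabled", tag, src))
        elif kind == "sp" and src not in authorized:
            findings.append((ts, "unauthorized_setpoint_write", tag, src))
        elif kind == "pv" and tag in high_limits and value > high_limits[tag]:
            alarmed_after = any(t >= ts for t in alarms_raised[tag])
            if not alarmed_after and tag not in reported_silent:
                reported_silent.add(tag)
                findings.append((ts, "limit_exceeded_no_alarm", tag, src))
    return findings


if __name__ == "__main__":
    for ts, indicator, tag, src in find_indicators(SAMPLE_LOG):
        print(f"t={ts:>3}s  {indicator:<28} tag={tag:<12} source={src}")
```

On the sample log this reports the bypassed shutdown element, the setpoint write from hmi-station-3, and the TI-101 excursion that never produced an alarm, while the PI-201 excursion is left alone because an alarm record follows it. In practice the silent-alarm check should be scoped to a time window after each excursion rather than "any later alarm", and the authorized-source list should come from the facility's asset inventory.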
If a cyber-attack is suspected, a qualified expert should be contacted to examine the equipment and the controller code. Engineers at EDT are licensed in every state and several are capable of interpreting control system code and historical data.