Wednesday, March 30, 2011

Cyber Security and Storage Tanks

I know that for the last week or so it seems that this blog has become the Cyber Security News, but that’s because of a slew of news reports that address vulnerabilities in control systems that might be used at high-risk chemical facilities. So I thought that this might be a good time to look at how the ability to remotely execute commands on a control system might be used for a physical attack on a chemical facility. The specific target was suggested by the key words used by an unidentified reader yesterday in a search that brought him/her to the site: ‘cyber security storage tanks’.

Storage Tanks

Most storage tanks are really nothing more than large metal drums holding some sort of chemical. Since everything is chemical, the only sure thing that we can say about a storage tank is that it is used to store chemicals. Those chemicals can be something as innocuous as water or air or as dangerous as chlorine gas or methyl isocyanate.

Probably the majority of storage tanks in existence in the United States have no connection to industrial control systems (ICS), but some large number of tanks are connected in one way or another to some sort of control system. An ICS can be used to monitor conditions (level, temperature, pressure, etc.) within the tank. It can also be used to manipulate the contents of the tank through controls of mixing devices, loading or unloading valves, heating and cooling, or pressure manipulation.

Cyber Attack Vectors – Measurement Devices

The ability to manipulate the input or output signal of just about any monitoring or actuation device on a storage tank can be utilized to execute an attack on a high-risk chemical facility where a vulnerable control system is connected to storage tanks. Let’s start with the manipulation of signals from measurement devices:

Level Measurement: There are a wide variety of level measurement devices, but one of the most common is the delta-pressure (DP) device. Pressure measurement sensors are placed at the bottom of the tank and the top of the tank. Using the difference (delta) between those measurements and the programmed density of the material, the DP device calculates the height of the liquid column. Reducing the programmed density would lead to an under-reporting of the liquid level, allowing the tank to be overfilled.

Temperature Measurement: Most temperature measurement devices in storage tanks are used to make sure that the material is in the proper temperature range for the material to be moved from the tank. In some chemicals, however, the temperature is monitored for safety reasons; at too high a temperature, chemical reactions start that can become uncontrollable and could produce toxic gases or overpressure situations that could explosively destroy the storage tank. Manipulation of the output of temperature measurement devices could allow the temperature to rise above the critical value for that material while it looks like the temperature remains in safe ranges.

Just about any measurement device could be used as a means of physical attack on the facility. If the device monitors a physical parameter that could lead to an unsafe condition, manipulation of the output of that device could lead to that condition.
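An added example (not part of the original post) of a defensive check for the level-measurement case above: it compares the density programmed into a DP device against the engineering record and cross-checks the DP-derived level against a second, independent gauge. The tank tags, tolerances, sample values and the availability of an independent gauge are all assumptions made for illustration.

```python
# Added example: constructed values and hypothetical names throughout.
from dataclasses import dataclass

G = 9.80665  # standard gravity, m/s^2


@dataclass
class TankSample:
    tag: str
    dp_pa: float                # bottom-minus-top pressure, Pa
    programmed_density: float   # kg/m^3, read back from the DP device
    independent_level_m: float  # second gauge (e.g. radar), assumed available


def dp_level_m(dp_pa, density):
    """Height of the liquid column a DP device computes from its inputs."""
    if density <= 0:
        raise ValueError("density must be positive")
    return dp_pa / (density * G)


def check_sample(s, reference_density, density_tol=0.01, level_tol_m=0.10):
    """Return alert names; an empty list means the sample is consistent."""
    if s.programmed_density <= 0:
        return ["density_invalid"]
    alerts = []
    # 1. Configuration drift: programmed density vs. the engineering record.
    drift = abs(s.programmed_density - reference_density) / reference_density
    if drift > density_tol:
        alerts.append("density_drift")
    # 2. Cross-check: DP-derived level vs. the independent gauge.
    reported = dp_level_m(s.dp_pa, s.programmed_density)
    if abs(reported - s.independent_level_m) > level_tol_m:
        alerts.append("level_mismatch")
    return alerts


# Constructed samples: reference density 1000 kg/m^3, true level 5.0 m.
REFERENCE = 1000.0
DP = REFERENCE * G * 5.0
SAMPLES = [
    TankSample("TK-101", DP, 1000.0, 5.0),  # configuration matches record
    TankSample("TK-102", DP, 1250.0, 5.0),  # programmed density changed upward
    TankSample("TK-103", DP, 800.0, 5.0),   # programmed density changed downward
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.tag, check_sample(s, REFERENCE) or "ok")
```

The check is symmetric on purpose: any departure of the programmed density from the recorded value is flagged, whichever direction it moves the reported level.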

Cyber Attack Vectors – Physical Control Devices

Almost certainly the most common control device at a chemical facility is the valve. Opening and closing valves can be used to physically move material into or out of storage tanks, manipulate the temperature by allowing for the flow of heating or cooling fluid through heat transfer devices, or manipulate storage tank pressures by opening vents or adding gases to the ‘empty’ headspace in the tank.

The simplest sort of attack is to open the bottom valve on a storage tank when there is no hose or other transfer device attached to that valve. If the level reporting devices are manipulated at the same time, many storage tanks could be completely emptied before anyone becomes aware of the problem.

Catastrophic results could be obtained even if there are transfer lines in place to move the material to locations other than to the local environment. Moving material at the wrong time or in the wrong amount could lead to dangerous chemical reactions that could result in toxic gas releases, fires or explosions; all undesirable results from all but the terrorist’s or criminal’s perspective.

Again, just about any type of physical control can, under the proper circumstances, be used to effect a catastrophic result in a high-risk chemical facility. While manipulation of devices in the production process would require a detailed understanding of that process, much less sophisticated knowledge of storage tanks could allow for a catastrophic attack.

Storage Tank Cyber Vulnerabilities

These are just a few examples of the avenues by which the manipulation of industrial control systems could be used to effect an attack on high-risk chemical facilities. Storage tanks may actually be the simplest targets for cyber attack. Since much less process knowledge, and thus less intelligence collection or insider knowledge, is needed to effect an attack on storage tanks, they are easier to attack. Furthermore, operators spend less time looking at storage tanks than they do process vessels, so they would be less likely to detect an attack in progress.

1 comment:

Mark Grogan said...

Isn't there some movement or initiative now to do with the reporting of such storage tanks and what chemicals they contain? Something to do with the accountability and tracking of such vessels so that we can make sure that they are all taken care of and watched after when installed.
