Eric Byres has a very interesting blog post over at TofinoSecurity.com about the next stage in the evolution of ‘sophisticated’ control system attack tools based upon the Stuxnet model, what he calls Son-of-Stuxnet. Eric does a great job of explaining the whole thing so I won’t do much more than point you at his blog and strongly recommend that everyone with an interest in chemical facility security or cyber security for industrial control systems should read and re-read Eric’s fine words.
Okay, you didn’t really think that I would stop there, did you? I would like to amplify one point that Eric makes about the need for process knowledge to develop a Son-of-Stuxnet attack.
Eric makes the point that an attacker with the requisite computer knowledge and access to the appropriate tools could easily acquire the necessary process knowledge to effect an attack on control systems. He provides a chilling example of how electrical grid process knowledge recently became available to the hacker community.
Those of us who have spent years working on and refining chemical manufacturing processes like to think that our processes are very sophisticated and complex. The industry likes to think that it does a good job of protecting that process knowledge as a way of maintaining their competitive edge in the market place. Both of these things are generally true.
Recent history has shown, however, that even the most sophisticated cyber security systems are relatively easy to breach using a variety of so-called Advanced Persistent Threat (APT) techniques. An adversary that wants to gain process knowledge to effect a Son-of-Stuxnet attack would be well advised to use these techniques to gain that knowledge.
I am, however, much more concerned with the intelligent cyber adversary realizing that process knowledge is not necessary to effect a successful Son-of-Stuxnet attack on a modern chemical manufacturing facility. The sophistication and complexity of the chemical processes that we have come to rely upon will actually form a very effective basis for attacking those processes.
All an attacker has to do is to execute a series of random changes in the control system for one of these complex chemical manufacturing processes to fatally disrupt that process. Random changes in temperature set points on a continuous distillation process like those found in a refinery would shut the refinery down, potentially with catastrophic physical consequences. Random changes in weighment set points in a pharmaceutical batch process would create a product that would be unusable if detected and potentially hazardous to customers if not detected.
More over, random changes, particularly if protected by the type of man-in-the-middle data-hiding found in Stuxnet would make it next to impossible to troubleshoot the process to correct the problem. This could keep a facility shut down for days or weeks, wrecking financial ruin on the owners.
Process Knowledge Not Necessary
The Son-of-Stuxnet attack profile will provide a cyber-savvy attacker the ability to hold a chemical manufacturing facility hostage, demanding financial compensation to allow the facility to resume routine operations. And sophisticated chemical process knowledge would not be necessary to effect these attacks. This greatly increases the number of potential attackers that might have to be contended with.
As Eric said in closing out his excellent post: “Bottom line: we are in for a tough few years as the industry tries to catch up with the bad guys.”
Cyber Espionage Campaign Hits Energy Companies
5 months ago