A report that will be ‘released’ tomorrow by Symantec (available on their site now) outlines what they are calling the ‘Nitro Attacks’ on information assets of a number of chemical companies. The attacks were (conducted from late-July to mid-September of this year) apparently an attempt to gather “intellectual property such as design documents, formulas, and manufacturing processes [emphasis added]” (pg 1). This may be being done just to gain a competitive advantage (China is mentioned but not accused in the report), but there may be a more control-system security-related reason as well (my opinion not Symantec’s).
With W32.Duqu apparently targeting industrial equipment suppliers (As do apparently the Nitro Attacks; Symantec lists among the target companies those “involved in developing manufacturing infrastructure for the chemical and advanced materials industry) and now someone trying to gain information on chemical processes, one begins to suspect (only a bit of paranoia here) that a combination of the two types of information may allow for targeted attacks on chemical control systems.
A side note to authors Chien and O-Gorman: I like the term ‘manufacturing infrastructure’ much better than ‘industrial industry manufacturers’. Are they both describing similar targets?
While I have long maintained that multiple-random PLC manipulations will suffice for successful attack on a chemical processing system, I must note that for a truly catastrophic attack on a chemical facility, one must understand both the process system/equipment and the methodology of the attack. These two recent attacks on chemical manufacturing related targets makes me think that someone else (with less benign intentions) agrees with me.
In any case, I encourage everyone in the chemical processing industry to read this Symantec report. Not only does it provide an important warning about the targeting of that industry, it also provides a nicely detailed description of how one goes about executing a social engineering attack on a specific industry.