Monday, December 29, 2014

Damn Vulnerable Chemical Process

As I continually report, the Internet is a wonderful information sharing tool. Where else could I watch a video of a presentation given earlier today at the 31st Chaos Communication Congress in Hamburg, Germany (the actual talk starts at about 15:50), in which a young German lady teaches computer security professionals how to attack a chemical plant?

Marina Krotofil provides a very good and detailed explanation of why it is so difficult to conduct a cyber attack on a chemical manufacturing process, or at least a successful attack that produces a pre-selected outcome; as she mentions in passing, an attack that merely causes disruption or economic damage may be much easier to accomplish.

She does a good job of explaining the cyber-technical details of why it is so hard to cause specific damage to a chemical facility even with a vulnerable control system. This isn’t so much because of the security aspects of the control system as because of the complexity of the chemical process and of the control systems needed to run that process safely.

As a process chemist with some experience in developing the processes by which chemicals are produced, and in dealing with the upsets that can affect those processes, I can fully appreciate how difficult it would seem to an outsider to figure out a way to catastrophically disrupt those systems. Chemists, chemical engineers, and control systems engineers spend the better part of their careers developing systems to prevent those upsets.

But a person with the appropriate background and working experience in process control could take a quick look at the P&ID that Marina showed in her talk and point out dozens of process vulnerabilities that could be susceptible to outside attack. Interestingly, these would almost certainly be clearly identified in the process hazard analysis that OSHA requires to be conducted on most reasonably hazardous processes.

An effective cyber-attack on something as complex as a chemical manufacturing process is not something that is going to be accomplished by a lone hacker over a highly caffeinated weekend. It will take the skills of a hacker, a control systems engineer and a chemical engineer, and perhaps a chemist or two, to really effectively execute a catastrophic attack on a modern chemical facility. And it will take time and resources to effect. That is the good news. The bad news is that any nation-state or large, sophisticated terrorist organization will have access to plenty of the appropriate talent and resources.

Take the time to look at this hour and a quarter video. If you’re a process control professional, it will scare the hell out of you.

BTW: For more about Marina’s brief mention of the NIST test bed effort, see my post here -


Chris Sistrunk said...

I enjoyed Marina's talk. Once you sit down and think about this attack scenario, the attacker will need a lot of time (unless it's an inside job). So defending this scenario is good news since time is on our side. Defenders can use Network Security Monitoring techniques to watch the ICS access points and crown jewels (in case it's an inside job) to detect abnormal activity, investigate it, and respond to it. Look at all the logs, network bandwidth, CPU %, and don't forget physical security. The more persistent you are in monitoring your ICS network, the easier it will be to find evil (and human errors too).

Anonymous said...

Found the video also on YouTube.

URL is enclosed.

Jake Brodsky said...

Following up on Chris's comment, even for complex processes, we know what we should definitely NOT do if we expect the equipment to stay in one piece.

If we were to sit down with process engineers and think of those scenarios, we could then think of simple controls and interlocks which would inhibit those commands, or at least alarm when they occur.

Nevertheless, there will always be risks and we should be mindful of those risks every time we take them. We know that there is a small possibility that the airliner we're boarding might crash and if it does, it will probably be bad for many people. But we do it anyway because the rewards are worth the small risk.

Likewise the Tennessee Eastman process has risks. We need to be cognizant of those risks and we need to be aware of those situations when attackers are most likely to deploy their malware.
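One way to turn Jake's "interlocks which would inhibit those commands, or at least alarm" and Chris's monitoring suggestion into code, as an added illustration that is not from the post or from any of the commenters: a small Python screen for setpoint writes observed at an ICS access point. The tag names, safe limits, host addresses and log lines are all constructed for the example; in a real plant the envelope would come from the process hazard analysis the post mentions.

```python
from dataclasses import dataclass

# Constructed safe envelopes per setpoint tag (hypothetical tags and units,
# not real Tennessee Eastman limits): (low, high) and largest change per write.
SAFE_ENVELOPE = {"reactor_pressure_sp": (2500.0, 2900.0),  # kPa
                 "reactor_temp_sp": (118.0, 124.0),        # degC
                 "feed_a_valve_sp": (0.0, 100.0)}          # % open
MAX_STEP = {"reactor_pressure_sp": 50.0, "reactor_temp_sp": 1.0, "feed_a_valve_sp": 10.0}
AUTHORIZED_HOSTS = {"10.0.5.21", "10.0.5.22"}  # constructed engineering workstations

@dataclass
class Verdict:
    action: str  # "allow", "alarm" (let through but flag) or "inhibit" (block)
    reason: str

def check_write(tag, value, src_host, last_value):
    """Interlock for one setpoint write: block physically unsafe values or
    jumps; alarm on writes that come from hosts that should not issue them."""
    if tag not in SAFE_ENVELOPE:
        return Verdict("alarm", f"unknown tag {tag}")
    lo, hi = SAFE_ENVELOPE[tag]
    if not lo <= value <= hi:
        return Verdict("inhibit", f"{tag}={value} outside [{lo}, {hi}]")
    if last_value is not None and abs(value - last_value) > MAX_STEP[tag]:
        return Verdict("inhibit", f"{tag} jump {abs(value - last_value):.1f} > {MAX_STEP[tag]}")
    if src_host not in AUTHORIZED_HOSTS:
        return Verdict("alarm", f"write from unexpected host {src_host}")
    return Verdict("allow", "within envelope")

def screen_log(lines):
    """Run the interlock over 'time src_ip tag value' lines, tracking the last
    accepted value per tag; returns a list of (time, Verdict) pairs."""
    last, verdicts = {}, []
    for line in lines:
        ts, src, tag, raw = line.split()
        verdict = check_write(tag, float(raw), src, last.get(tag))
        if verdict.action != "inhibit":  # only accepted writes move the setpoint
            last[tag] = float(raw)
        verdicts.append((ts, verdict))
    return verdicts

# Constructed sample of setpoint writes as seen at an ICS access point.
SAMPLE_LOG = [
    "12:00:01 10.0.5.21 reactor_pressure_sp 2700",
    "12:00:05 10.0.5.21 reactor_pressure_sp 2730",
    "12:00:09 10.0.9.77 reactor_temp_sp 120",       # in range, unexpected source
    "12:00:12 10.0.5.22 reactor_pressure_sp 3100",  # outside envelope
    "12:00:15 10.0.5.22 reactor_temp_sp 123.5",     # too big a jump from 120
    "12:00:20 10.0.5.21 feed_a_valve_sp 45",
]
```

Calling `screen_log(SAMPLE_LOG)` yields allow, allow, alarm, inhibit, inhibit, allow for the six constructed writes; the two "inhibit" verdicts are the commands a process engineer would say should never reach the controller, and the "alarm" is the NSM signal worth investigating.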
