As I continuously report, the Internet is a wonderful information-sharing tool. Where else could I watch a video of a presentation (the actual presentation starts at about 15:50) presented earlier today at the 31st Chaos Communication Congress in Hamburg, Germany by a young German lady teaching computer security professionals how to attack a chemical plant?
Marina Krotofil provides a very good and detailed explanation about why it is so difficult to conduct a cyber attack on a chemical manufacturing process. Or at least a successful attack that produces a pre-selected outcome; as she mentions in passing, an attack causing disruption or economic damage may be much easier to accomplish.
She does a good job of explaining the cyber-technical details of why it is so hard to cause specific damage to a chemical facility even with a vulnerable control system. This isn’t so much because of the security aspects of the control system, but rather because of the complexity of the chemical system and the complex systems needed to safely control that system.
As a process chemist with some experience in developing the processes by which chemicals are produced and dealing with the upsets that can affect those processes, I can fully appreciate how difficult it would seem to an outsider to figure out a way to catastrophically disrupt those systems. Chemists, chemical engineers, and control systems engineers spend the better part of their careers developing systems to prevent those upsets.
But a person with the appropriate background and working experience in process control could take a quick look at the P&ID that Marina showed in her talk and point out dozens of process vulnerabilities that could be susceptible to outside attack. Interestingly, these would almost certainly be clearly identified in the process hazard analysis that OSHA requires to be conducted on most reasonably hazardous processes.
An effective cyber-attack on something as complex as a chemical manufacturing process is not something that is going to be accomplished by a lone hacker over a highly caffeinated weekend. It will take the skills of a hacker, a control systems engineer and a chemical engineer and perhaps a chemist or two to really effectively execute a catastrophic attack on a modern chemical facility. And it will take time and resources to effect. That is the good news. The bad news is that any nation-state or large sophisticated terrorist organization will have access to plenty of the appropriate talent and resources.
Take the time to look at this hour and a quarter video. If you’re a process control professional, it will scare the hell out of you.
BTW: For more about Marina’s brief mention of the NIST test bed effort, see my post here - http://chemical-facility-security-news.blogspot.com/2014/08/reconfigurable-industrial-control.html