I’ve been talking for some time now about the ICS security community’s awareness that control system vulnerabilities alone are not enough to effect a successful attack on a control system. There must be some understanding of the process that the targeted system controls. Those discussions have centered on the need for a team of people to conduct a successful attack. The assumption is that the team would need at least a control system expert and a process expert who understands the process involved.
My agreement with that basic premise was shaken a bit here just recently. A reader contacted me with a request for a favor. He worked for a control system security research firm that was pitching some sort of ICS security project to a customer. The customer was a chemical processing facility and the security folks wanted to show a reasonable scenario where a control system vulnerability could be turned into a method of attack.
Now these ICS folks understood the control system side of things really well, but they didn’t know enough about the facility to describe a specific process vulnerability that they could exploit with their control system knowledge. So, what were they going to do? Go out and hire a process engineer with specific knowledge of that type of facility just to make a pitch? Probably not a good business decision, especially if they couldn’t sell the idea to the customer.
No, what they did was contact their local friendly chemical safety/security gadfly who wrote blog posts about chemical safety and control system security; yep, yours truly. They asked me if I could come up with a process vulnerability that could be exploited by a cyber attack. They didn’t want a detailed plan, just a basic scenario to turn their ICS experts loose on for the purposes of the pitch.
Well, I almost turned them down. The type of facility (their OPSEC was good; they didn’t tell me the actual facility) was one that I had never been in before (there are plenty of those) and I wasn’t really familiar with the chemistry involved (and there are lots of those too), so I didn’t have any immediate ideas about what they wanted.
But I really do hate to admit I don’t know something about everything (I try, I really do), so I decided to do a quick internet search and see what I could come up with. And sure enough, in about 5 minutes I had a copy of a hazard identification document that was part of a PHA (process hazard analysis) for just that kind of facility; actually, I had PHA documents for three different facilities in two countries.
So I selected the best file, the one with a facility schematic and P&IDs (piping and instrumentation diagrams) for the critical processes, and in about 10 minutes I found an interesting process vulnerability. It wouldn’t cause any catastrophic damage or earth-shaking releases, but it would certainly shut the facility down while they repaired the damage and rethought their process design. Oh, and the environmentalists would have a PR field day.
So I reported this back to my reader who was very happy (maybe happy enough to make a small contribution to the blog). And then I stopped and thought about what we just did and how easy it really was to do.
If this had been a real group intending to attack the facility, this would be just the first step. But conceptually this is the step that we in the industry have been saying is the hard part of a cyber attack on a chemical facility: understanding the process well enough to determine how to properly attack it. Now there are still lots of things to do to turn this into a successful attack, but it wouldn’t take much more process knowledge than I just provided after less than an hour’s research. The rest of it is pretty much just control system hacking (engineers hate it when I say stuff like that).
Now I am a bit of a process geek and I do seem to have a knack for finding problem areas in processes (much to the chagrin of some of my previous bosses), but there are plenty of people out there with chemical process knowledge, and all sorts of radical groups of a wide variety of persuasions have demonstrated how easy it is to recruit disaffected technical professionals.
Oh, and one final thing… Why in the HELL would someone put their PHA documents on the internet? A PHA is nothing more than a detailed look at the hazards associated with your process and a description of how you plan to mitigate those hazards. It is essentially an intelligence work up in preparation for an attack on your facility. Please lock those puppies up tight.