As I continuously report, the Internet is a wonderful
information sharing tool. Where else could I watch a video of a presentation
(the actual presentation starts at about 15:50) presented earlier today at the 31st
Chaos Communication Congress in Hamburg, Germany by a young German lady
teaching computer security professionals how to attack a chemical plant?
Marina Krotofil
provides a very good and detailed explanation about why it is so difficult to
conduct a cyber attack on a chemical manufacturing process. Or at least a
successful attack that produces a pre-selected outcome; as she mentions in
passing, an attack causing disruption or economic damage may be much easier to
accomplish.
She does a good job of explaining the cyber-technical
details of why it is so hard to cause specific damage to a chemical facility
even with a vulnerable control system. This isn’t so much because of the
security aspects of the control system, but rather because of the complexity of
the chemical system and the complex systems needed to safely control that
system.
As a process chemist with some experience in developing the
processes by which chemicals are produced and dealing with the upsets that can
affect those processes, I can fully appreciate how difficult it would seem to an
outsider to figure out a way to catastrophically disrupt those systems.
Chemists, chemical engineers, and control systems engineers spend the better
part of their careers developing systems to prevent those upsets.
But a person with the appropriate background and working
experience in process control could take a quick look at the P&ID that
Marina showed in her talk and point out dozens of process vulnerabilities that
could be susceptible to outside attack. Interestingly, these would almost
certainly be clearly identified in the process hazard analysis that OSHA requires
to be conducted on most reasonably hazardous processes.
An effective cyber-attack on something as complex as a
chemical manufacturing process is not something that is going to be
accomplished by a lone hacker over a highly caffeinated weekend. It will take
the skills of a hacker, a control systems engineer and a chemical engineer and
perhaps a chemist or two to really effectively execute a catastrophic attack on
a modern chemical facility. And it will take time and resources to effect. That
is the good news. The bad news is that any nation-state or large sophisticated
terrorist organization will have access to plenty of the appropriate talent and resources.
Take the time to look at this hour-and-a-quarter video. If you’re
a process control professional, it will scare the hell out of you.
BTW: For more about Marina’s brief mention of the NIST test
bed effort, see my post here - http://chemical-facility-security-news.blogspot.com/2014/08/reconfigurable-industrial-control.html
3 comments:
I enjoyed Marina's talk. Once you sit down and think about this attack scenario, the attacker will need a lot of time (unless it's an inside job). So defending this scenario is good news since time is on our side. Defenders can use Network Security Monitoring techniques to watch the ICS access points and crown jewels (in case it's an inside job) to detect abnormal activity, investigate it, and respond to it. Look at all the logs, network bandwidth, cpu%, and don't forget physical security. If you are persistent in monitoring your ICS network, then it will be easier to find evil (and human errors too).
Found the video also on YouTube.
URL is enclosed.
https://www.youtube.com/watch?v=TPUzNMcFb4A
Following up on Chris's comment, even for complex processes, we know what we should definitely NOT do if we expect the equipment to stay in one piece.
If we were to sit down with process engineers and think of those scenarios, we could then think of simple controls and interlocks which would inhibit those commands, or at least alarm when they occur.
Nevertheless, there will always be risks and we should be mindful of those risks every time we take them. We know that there is a small possibility that the airliner we're boarding might crash and if it does, it will probably be bad for many people. But we do it anyway because the rewards are worth the small risk.
Likewise the Tennessee Eastman process has risks. We need to be cognizant of those risks and we need to be aware of those situations when attackers are most likely to deploy their malware.