For a blogger it is always gratifying when a post generates
intelligent discussions in multiple fora. My recent
post about Marina Krotofil’s presentation Damn Vulnerable Chemical
Process has done just that. One of the most important discussions has been
taking place on the ICS-ISAC
Group on LinkedIn. Marina has been having an interesting
back and forth discussion with Sinclair Koelemij that is well worth
reading.
In her latest reply Marina discusses control system
measurement integrity, making the point that if you can corrupt the measurement
system or its controller, then all of the data security measures in the world
will not protect the control system from reacting inappropriately to the actual
state of the process.
In that discussion Marina states:
“The attackers are becoming very
sophisticated, I know the case of the spoiled batch at the pharmaceutical
factory (extortion case).”
As a process chemist, this is the type of cyber-attack that
worries me most, not the catastrophic attack on critical infrastructure. This
is the type of attack for which you can see motive from multiple parties. This
is the type of attack that is the least likely to be
reported to the authorities. And finally, it is the least likely attack to be
detected (except in cases of extortion).
The catastrophic attack on a chemical facility is going to
be much harder to effect due to all of the safety systems in place to prevent a
catastrophic accident. Many of those systems could be overcome by a
properly motivated, skilled and resourced team of attackers, but that will
almost certainly require the resources of something approaching a nation-state
actor. Those capabilities are almost certainly being developed in multiple
places in the world, but most nation-state actors fully understand that deploying
such capabilities against critical infrastructure will result in retaliation
in kind (or worse).
Making a batch of chemicals commercially unusable, however,
would not require the same level of sophistication because it can be done without
ever having to involve a production safety system. It can be done by corrupting
the output of a single measurement device: a flow meter, a load cell, or a
temperature or pressure indicator. In many batch chemical processes it can even
be done by corrupting the output of an HMI, since the operator is actually the
process controller.
I really became interested in control system cybersecurity
as the capabilities of the Stuxnet worm were being described by Ralph Langner.
His descriptions of how the man-in-the-middle attack presented the system
operators with the information that they wanted and expected to see while it
was slowly destroying their equipment offended me at the most basic level as a
process chemist. I have literally spent thousands of hours going over process
historian data trying to track down process problems or improve a chemical
process and never once questioned the veracity of the data that I was looking
at. If I cannot trust the information that the control system is presenting me,
I might as well go back to standing next to the reaction vessel with a
clipboard, recording the output of analog measurement devices.
Few people outside of the chemical process community really
understand how far we have come in production quality and process performance since
the industry started to use modern process control systems. I would venture to
claim that the vast majority of modern pharmaceuticals could not be produced
without properly functioning industrial control systems.
I know that the batch to batch variability of all sorts of
industrial chemicals has been reduced by orders of magnitude by the deployment
of these control systems. That in turn makes products made from those chemicals
(also made with modern control systems) more reproducible and more effective.
The ability of a potential attacker to change the
measurement outputs that form one of the most important bases for the modern chemical
process control system scares me to the core. This capability alone allows an
attacker to destroy a modern chemical facility without physically hurting
anyone or endangering the environment. Such a capability would be useable by
many who would never consider blowing up a chemical facility because of the
collateral damage a physical attack would entail. I have met plenty of people
in my lifetime with grudges (real and imagined) against chemical companies
who would love to be able to attack a facility in this manner.
And the capability to do so is becoming more and more
readily available.