It has not made the mainstream news yet, but today FireEye
and Dragos are both
reporting an attack on an industrial control system in an unnamed facility in Saudi
Arabia. While the details being released are sketchy (paying customers are
presumably getting more details), the important take-away from these two
reports is that both organizations confirm that a successful attack (plant
shutdown) was made on the safety-instrumented-system (SIS) at the facility.
For those readers with a good technical background, read the
two reports noted above; these two organizations have a much better grasp of
the technical details than I. For those with a less technical background, read on
(and note: the mistakes of interpretation are mine).
Safety Instrumented Systems
For most automated manufacturing systems, if something really
goes wrong with the system, then some product is messed up, maybe some workers
get injured, or maybe someone gets killed; but the results are local. For some
manufacturing systems, however, the consequences can be much larger and harder
to control. Some chemical plants and nuclear power generation facilities come
readily to mind.
For these types of automated facilities there is another (additional)
type of control system that stands between normal operations and catastrophe,
the Safety Instrumented System. These generally separate control systems rely
on the fact that at some intermediate point between normal operations and catastrophe
there is a point that, if the proper steps are taken in a timely manner, the
process can be safely shut down before catastrophe becomes inevitable and
everyone has to run for the hills.
We used to rely on human operators to perform these
emergency shutdowns. But, as processes became more complex and the paths to
catastrophe became more numerous, it quickly became apparent that only
automated control systems could be relied upon to recognize the burgeoning
problem and take the appropriate timely actions necessary, each and every time.
And safety instrumented systems were born.
At its most basic, a SIS consists of a computer, a limited
number of sensors, and a limited number of process actuators (valves and such).
The computer is programmed to watch the sensor(s); if they reach certain
value(s) then the actuator(s) are operated, and the process is safely
terminated. The product is almost certainly bad, local equipment may be
damaged, some cleanup and downtime will be required, but catastrophe will have
been averted.
If the SIS fails, there is one final layer of protection
that will help mitigate the resulting catastrophe. These are things like
pressure relief valves, rupture disks, sprinkler systems, and spill control
systems. Unfortunately, if these were truly effective responses to the
catastrophic failure, then a SIS would probably not be employed. The SIS is a pain
to design (each is a custom design), expensive to install and a maintenance
problem. They are typically not employed if the worst-case scenario for a
facility will be contained within the facility.
SIS Security
While industrial control system security has been problematic
at best, SIS security is a slightly different story. Not because anyone was really
concerned about hackers, but because no one wanted human error to get in the
way of proper system operation. So, SIS were generally the last systems to be
connected to any outside networks and most include the need for the operation
of an actual, true-to-life physical key, to program the computer.
The SIS is placed in the program mode where it is programmed,
tested, and then placed in the stop mode with the key removed from the system.
Before the hazardous process is started, the key is re-inserted, and the SIS is
placed in the run mode and the key is again removed. The process is reversed
when the hazardous process is over. This should be just about as good as it
gets.
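The trip logic and the key-switch modes described above, as an added toy model (not code from this post or from any SIS vendor); the mode names, the tag names and the 50.0 limit are assumptions chosen for the illustration:

```python
from dataclasses import dataclass, field
from enum import Enum

class KeyMode(Enum):
    """Position of the physical key switch (assumed names)."""
    PROGRAM = "program"  # key inserted: logic may be changed
    STOP = "stop"        # logic halted; key removed after programming
    RUN = "run"          # logic executing; key removed during operation

@dataclass
class TripRule:
    sensor: str          # e.g. an assumed pressure transmitter tag "PT-101"
    high_limit: float    # trip when the reading reaches this value
    actuator: str        # e.g. an assumed shutdown valve tag "XV-101"

@dataclass
class SafetyController:
    mode: KeyMode = KeyMode.STOP
    rules: list = field(default_factory=list)
    tripped: bool = False
    alerts: list = field(default_factory=list)

    def set_mode(self, mode: KeyMode) -> None:
        """Only an operator holding the physical key changes the mode."""
        self.mode = mode

    def download_logic(self, rules: list) -> bool:
        """Accept new trip logic only in PROGRAM mode.

        A download attempt while the key is out (STOP or RUN) is exactly the
        anomalous behaviour operators should hear about, so it is recorded.
        """
        if self.mode is not KeyMode.PROGRAM:
            self.alerts.append(f"logic download rejected in {self.mode.value} mode")
            return False
        self.rules = list(rules)
        return True

    def scan(self, readings: dict) -> list:
        """One scan cycle: return the actuators to operate and latch the trip."""
        if self.mode is not KeyMode.RUN or self.tripped:
            return []
        fired = [r.actuator for r in self.rules
                 if readings.get(r.sensor, 0.0) >= r.high_limit]
        if fired:
            self.tripped = True  # stays shut down until an operator resets it
        return fired
```

The rejected-download alert is the kind of anomalous system behaviour the Take Away below asks operations personnel to report.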
Unfortunately, someone again has proved that what man can
secure, some other man can hack. Again, for details, read the two reports.
Take Away
DO NOT PANIC. This is not the end of industrial control
system safety. Whoever attacked this facility went to an awful lot of work.
First to reverse engineer the SIS system involved, second to understand the
process at the facility where this attack was initiated, and third to
compromise the security at the facility to get the hack initiated. A lot of
time, engineering and money (sounds like a nation-state to me) went into this
attack and it failed. It screwed up and apparently unintentionally shut down the
process (safely) which ended up alerting the system owners to the apparent
hack.
If you want to know how to protect your SIS, read either
(better, both) reports, but there is really nothing new there. Isolate your SIS
from the internet and other networks, secure access (physical and virtual) to
the SIS equipment and follow SIS operations guidelines. And from me, train your
operations personnel so that they fully understand the processes they control
and listen to them when they report anomalous system behaviors.