Security experts warn chemical plants are vulnerable to cyber-attacks

Security experts are warning that the computers controlling machinery in chemical plants, power stations and other critical infrastructure are vulnerable to attacks from hackers, and that more work is needed to prevent control of critical equipment falling into the wrong hands.

Last week, the UK government unveiled the results of a survey that showed the average cost of a serious cybersecurity breach has more than doubled since last year – rising from £600,000 to £1.46 million. And the UK Office of Cyber Security and Information Assurance – the UK government body organising cybersecurity policy – recently estimated that cybercrime costs the UK £27 billion every year. But in the industrial sector – where computer-controlled equipment is commonplace – the threats go beyond financial ruin.

‘Virtually all chemical plants have some sort of computer-based automated control system,’ says Eric Cosman, who has advised the chemical industry on cybersecurity. ‘If you somehow compromise [that system] bad things could happen depending on the nature of the plant – that could range from spills of material, to some sort of overpressure or venting, or in the worst case even some sort of explosion.’

The Stuxnet effect

The prospect of sabotaging industrial control systems has been on the radar since 2010 when the news broke that Stuxnet, the infamous cyber-weapon thought to have been developed by US and Israeli software engineers, had brought uranium enrichment to a standstill at a nuclear facility in Iran during a sustained two year attack.

Attacks on US industrial targets climbed from 41 in 2010 to 198 in 2011, the year after Stuxnet, according to US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The number of attacks had reached 245 by 2014.

But according to Andrew Ginter, vice president of industrial security at US-based technology supplier Waterfall Security, the threat has only just begun to ‘trickle down from experts’, and some of the safety and security standards that industries operate under are outdated. ‘Most of these targeted attack capabilities have only arisen in the last few years … anything based on old best practice is vulnerable,’ he says.

Lack of motive

When it comes to chemical plants, severe incidents appear to be rare. Chemistry World spoke to several security experts, none of whom knew for certain whether a chemical plant had ever been the subject of a targeted attack. There were just four chemical industry cybersecurity incidents reported to ICS-CERT in 2014, although it is possible that the real number of attacks may be higher, as companies rarely choose to publicise information on security breaches.

And although attacks are rare, companies shouldn’t be lulled into thinking they’re impossible, says Ginter. But at the moment, most professional hackers goal is to make money from their activities so they have no motive to cause a chemical spill, for example, because it wouldn’t benefit them financially. Those who target chemical companies are more likely to attack corporate networks and try to steal intellectual property.

‘But motives can change in a heartbeat,’ he warns. ‘We must design defences based on capability. And the capability is there.’

Remote access

Ginter explains that control systems that are connected to the internet, or to other machines through remote networks, may be vulnerable to targeted attacks because of the porous nature of the firewalls used to protect them. ‘Any professional attacker can buy a copy of the system … find attacks that will work and the firewall won’t discover,’ he says. He recalls speaking to someone who employed a tester to try hack into their system. When allowed to gain control of the receptionist’s PC, the specialist took just five minutes to hack into their process control system to the point where they would be able to ‘stir the pot’ in the plant.

If you blow up a cracker you can’t restore it from back up!

Companies can also unknowingly take risks by giving system access to suppliers or maintenance contractors to allow them to connect remotely – a measure that can help cut costs but increases vulnerability to hacking. ‘If they do not have the experience or sophistication necessary to ensure that that connection is secure then that could represent a possible path of attack,’ says Cosman. In one case, he says, hackers managed to access a retail firm’s systems using credentials they stole from a heating contractor. ‘They didn’t have to break into the target system, they logged in using perfectly valid credentials.’

And if the control system is not kept sufficiently isolated from the business network, damage to process equipment can also occur as ‘collateral damage’ from attacks to the corporate network. Indeed, when incidents such as shutdowns or malfunctions do occur, it can be difficult to determine the cause. In the case of Stuxnet, puzzled engineers spent years replacing what they thought was faulty equipment before the real problem was uncovered. And even if a cyber-attack is confirmed, as was the case last year at an unnamed steel mill in Germany where operators lost control of a blast furnace, it can be difficult to tell whether the damage is deliberate or accidental.

Designing defences

For those who design cyber-defences, industrial facilities such as chemical plants pose particular challenges. Some of the strategies which are effective for traditional IT systems can’t be used by industry.

The systems that are built to control plant equipment may be designed and built to last decades, which makes them difficult to update regularly in response to constantly evolving threats. And in many cases they need to run 24 hours a day, so cannot be taken down to install security updates.

The current situation is a bunch of accidents waiting to happen

A lot of the software used to protect IT systems such as firewalls are ‘leaky’ by nature, as they have to be able to allow internet access and communication within the network. Anti-virus software detects and removes known threats by scanning for malware which has slipped through the net, and it can take days or weeks to detect and remove threats – an unacceptable timescale to lose control of any industrial system.

Even the ultimate safety response of ‘shut everything down’ that is commonplace in IT systems can be problematic in an industrial setting, as shutting down a reaction vessel mid-process could leave an unholy mess to clean up. ‘In a chemical plant if you blow up a cracker you can’t restore it from back up!’ Ginter points out.

There are technology solutions that address some of these issues. Ginter explains the kind of hardware tools Waterfall makes – unidirectional gateways – are ‘stronger than firewalls’ as they create a non-porous perimeter that allows information to be sent out of process control systems, while preventing anything being sent in.

Other tools can tighten security using ‘whitelisting’ – only allowing previously approved software to access the system – instead of the ‘blacklisting’ approach found in traditional firewalls, which prevents the entry of known threats.

Identifying dangers

In most places the chemical industry self-regulates and the owners of plants take responsibility for their own security. By and large, big international companies recognise that the stakes are high and have in-house teams working on cybersecurity. But for smaller companies, the expense makes this unfeasible.

Many are arguing that the regulations set by governments are in need of an overhaul to bring them in line with current threats. The UK government has started to recognise the potential dangers, and its overall cybersecurity strategy was published in 2011. At the end of 2014 it announced a £2.5 million investment in a project that will focus on identifying and fighting cyber threats to the UK’s industrial control systems, including power stations, national rail infrastructure and manufacturing plants.

‘The government has put quite a lot of effort into getting companies to understand the sort of risks that they face to their enterprise IT systems. But there’s been very little work done on raising awareness of the risks they face in terms of their industrial control systems,’ says Chris Hankin, director of the research institute in trustworthy industrial control systems at Imperial College London, UK.

Over the next three years, Hankin’s group will join with several universities and partner companies to measure the risks of cyber threats and explore how they might translate into infrastructure damage and lost revenue for businesses, as well as developing better defences. ‘It’s about getting an understanding of what is applicable and adding to the set of defences that we can deploy,’ says Hankin. ‘The aim is to make [systems] better protected and less vulnerable to the sorts of attacks that we’re fearing that we might begin to see.’

In the meantime the industry will have to hope no hacker with the capability to break through existing defences has an appetite for destruction. As one expert put it, it seems the current situation is ‘a bunch of accidents waiting to happen’.