Imagine a scenario in which hackers gain access to the computers that control the mechanical systems on an oil rig. The hackers infiltrate and take control of a programmable logic controller that runs a pumping system and start spraying liquid – while feeding data to the rig operators that says nothing untoward is going on. A series of such cyber-attacks on separate components on one rig could, in theory, provoke an environmental catastrophe and sabotage production for months.
Now experts say that this kind of nightmare scenario is far from being the stuff of science fiction. Energy infrastructure is the main target of industrial-scale cyber attacks carried out by sophisticated groups of hackers who may have anarchic or commercial interests in their results, or strategic or geopolitical goals. According to engineering group Invensys, there are around 10,000 attacks on energy firms globally each month.
“We believe we should consider the fact that these attacks are becoming more prevalent,” says Jay Abdullah, senior cyber security team leader at Invensys.
It’s not just energy firms that need to worry, security specialists say. Discrete manufacturing enjoys an increasing level of connectivity of automation and machinery to the outside world but this has the drawback of exposing equipment to threats passed on via the internet.
That connectivity is only set to increase as manufacturers look to exploit the advantages of cloud computing and make their systems part of the “internet of things”, says Steve Brambley, deputy director of automation and control at trade association Gambica.
“This will increase possibilities for manufacturers, but with regard to automation systems being connected to the internet, an outside network or a corporate network, we need to talk about risk.
“The risk of connecting an automation system to the outside world is far too high and it allows some additional attack vectors to be introduced. Whether it’s drive-by blanket attacks, browser hijacks, malware or trojans, the percentage of attacks is significantly higher when the system is interconnected.”
Of course, it is perhaps less likely that hackers trying to undermine the UK’s infrastructure in the service of strategic goals – or causing chaos – would target small manufacturers, for example. But criminal gangs might, claims Brambley. It is difficult to collate accurate data on firms that have been threatened by hackers that have taken over parts of an IT or production system and held a company to ransom. But Gambica has anecdotal evidence of such attacks taking place in the UK.
Abdullah says the level of automation that has the potential to be exposed to cyber attack is growing all the time.
“We’ve seen a 600% spike in industrial control system and SCADA vulnerabilities just in the past three years.” He says hackers interested in causing maximum disruption can gain bigger rewards from attacking big industrial installations and complexes.
“Home PCs may be exploited with a virus that leads to loss of data or financial loss but taking down a control system could literally cause millions of dollars of damage a day.” Notable recent examples of these large-scale attacks include two major energy companies where a total of 42,000 separate systems were rendered useless by malware, and a targeted attack on an Iranian SCADA system that caused physical damage to a nuclear centrifuge.
Invensys says it is working with clients throughout Europe, the Middle East and Africa on emergency responses to hacking.
“These range from simple infections to groups of computers being attacked; from advanced persistent attacks to persistent targeted attacks.”
The focus has shifted from attacks on perimeter defences to those specific to one particular control system, Abdullah says.
It’s not always the case that systems that exist in isolation cannot be compromised, either. Part of this is down to the increasing use of removable data devices such as memory sticks and CDs by individuals, which risk introducing potential sources of problems from the outside world into an otherwise uncontaminated industrial setting.
“If you put a password on a Post-It note and put it on a panel then security has broken down,” says Brambley. “The risk can be people and behaviour. That’s why we advocate a defence-in-depth approach to security which looks at all aspects of keeping a plant safe.”
Anyone who has spent time in factories knows that the computer systems running automation and machinery can be relatively antiquated. Meanwhile engineers, while expert technically in their own right, may not understand how to set up security systems in the way that the IT department does.
Ironically, an older Windows PC that is not connected to the internet may be unable to access the latest security patches, which in turn can make it more vulnerable to attack. Older versions of Windows, says Abdullah, are less secure than the latest platforms. “When you consider the antiquated stuff that some energy companies are using today and that new vulnerabilities in the operating system will sometimes not be patched, those systems will always be exploitable and vulnerable to attack.”
Invensys is principally working with customers in oil and gas, electricity generation and the petrochemical industry on cyber security. “Part of our message is: it doesn’t have to be connected to the internet, in fact, we recommend it not to be,” says Abdullah.
“What we see in the industry now is that the threat of cyber-attacks is extremely serious. The type of outcome can range drastically, from loss of visibility of one particular section of the plant to unsafe running of systems or complete shutdown; you’ve got to remember that the majority of the software we design is for control.
“We might see anything from loss of control of individual elements of a system right through to shutdown, huge financial loss, or ultimately physical damage or even loss of life.
“Unfortunately we do already have examples of these kinds of eventualities – in fact there are several,” says Abdullah.
He adds that the motivations behind, and sophistication of, cyber-attacks may change.
“In some cases the motivation has simply been destruction: they want to destroy computers, stop the advancement of the energy trade or, in the case of the Iranian centrifuge, stop nuclear proliferation – that is why the cyber-attack happened in Iran.
“We haven’t seen severe loss of life or an advanced persistent war decree on the energy industry, but I feel that, as the economic and political situations change, the motivations of the people writing these viruses will certainly change too,” he says.
Security checklist
Invensys recommends security protection which:
- Is vendor agnostic
- Offers defence-in-depth
- Puts several layers of protection around data right down to host systems
- Segments networks – so separate systems are limited in how they communicate
- Protects perimeters
- Scans whole networks for security threats; this includes intrusion prevention, network anti-virus, and deep packet inspection
- Allows no single failure to affect operation
- Constantly monitors and manages plant health
- Is not just focused on anti-virus
- Protects core of technology with several layers
- Restricts plant communication with corporate IT network
- Offers behaviour-based as well as signature-based virus prevention
- Blocks hardware from being operated by the incorrect employee