Consider the Consequences of a Cyberattack

April 6, 2008
When Evaluating the Likelihood of an Attack, It Could Be Worthwhile to Consider How Attractive You Are as a Target

By John Rezabek, Process Control Specialist, ISP Corp., Lima, Ohio.

While many consultants and purveyors of security enhancements emphasize the risks of cyberattack, the likely consequences have been discussed relatively little. In any HAZOP or what-if review, we normally look at risks along with consequences and then categorize the hazard systematically, with both severity and likelihood in mind. Safeguards—independent layers of protection—then are identified and evaluated to see if they sufficiently mitigate the identified risk.

Why don’t we look at cyber threats the same way?

Based on information in the trade press, both for IT and controls professionals, the risk of cyberattack is practically 100%. One can only assume that fear of bad press must keep most victims from publicizing or revealing any successful cyberattack. Reports of serious breaches in industry still seem to be few and far between.

That we are vulnerable is hard to deny. One chemical plant was particularly lax in securing its process control network and suffered a worm attack that rendered every operator interface console dead in the water for hours. The Code Red worm, as it was called, breached the business network firewall and shortly thereafter found its way to the directly connected DCS consoles. Fortunately, a lone interface for model-predictive control was totally isolated, which allowed operations to see a few key variables and take some comfort that the process was not headed to some dangerous state. After running nearly blind for several hours, the operator consoles were cleaned and restored, and life returned to normal. This case was made less onerous by the fact that the process control network was a non-Ethernet, proprietary design and that the controllers used a Windows-independent operating system. Had conditions been otherwise, the consequences could have been much more catastrophic.

This plant was processing hydrocarbons, and one could imagine a scenario in which fires and explosions conceivably could lead to total loss of control. If this is the case in your plant, a layer of protection analysis would show where a totally independent, isolated system of safeguards was necessary. Even when the basic controls go berserk, some independent mechanism should exist to ensure the process gets parked in a safe state. Depending on the likelihood and severity, multiple layers of protection might be needed. If one or more of these layers involve COTS microprocessor-based automation, we are obliged to make sure that no part of that network has any potential to be breached from the outside.

In the large process industries, we give these systems a safety integrity level (SIL). If you think you need remote access from outside the plant to your SIL-rated system, then you need to do a little self-examination. If operations personnel call you on weekends and in the middle of the night to defeat interlocks or change trip settings, can your safety system be reliable? Either your trips are set too conservatively, your plant is running in a dangerous mode more often than not, or perhaps your interlocks are not truly safety interlocks. Your SIL-rated system should be reliable enough to run months or years without routine tuning or other intervention, shouldn’t it?

If your site isn’t processing or storing extremely hazardous or toxic substances, perhaps the consequences of a breach aren’t quite as dire. Will an intruder possibly ruin a batch of beer? While deplorable and a potential large economic loss, one could take some comfort that there’s no imminent danger to workers or the surrounding population. On the other hand, senior management’s loathing of any blemish to its brand could be a sufficiently dire consequence in itself.

When evaluating the likelihood of an attack, it could be worthwhile to consider how attractive you are as a target. Money, notoriety, vengeance and crusades of one kind or another perhaps will motivate an intruder. A plant that heats corn mash in the prairie will be a less-satisfying target than one that provides a chance to shut down a pipeline that encroaches on defenseless, mating caribou. A treasured brand might serve as a motivation for hackers eager to see their exploits in the national news, as well as giving your management the incentive for adequate security.

Because of their importance as well as their appeal to potential attackers, critical and non-redundant infrastructure such as power, water, pipelines and their ilk merit the best security our industry can deliver. Along with good system-backup discipline and a clear evaluation of the real likelihood of an attack and its consequences, ensuring our safety systems are totally isolated and capable of acting despite any network intrusion can be beneficial to us all.
