While attacks against management or staff systems related to industrial targets are common, attacks against actual plant infrastructure are comparatively rare.
First Published 19th January 2018
Critical infrastructure is still a desirable target.
4 min read | Reflare Research Team
While information is sparse, reports indicate that a petrochemical plant in Saudi Arabia was targeted by unknown attackers at some point during 2017. While attacks against management or staff systems related to industrial targets are common, attacks against the actual plant infrastructure are comparatively rare.
Some sources go as far as claiming that this was the first successful attack against safety controller hardware, but this claim is dubious at best. While the specific emergency system may have seen its first breach (there are no public records on the system in question so we were unable to deny or verify this claim), successful attacks against industrial targets have happened in the past. The most notable prior case may be the Stuxnet worm targeting and disabling Iranian nuclear reagent processing plants.
What are the implications?
If basic control over the emergency shutdown systems of a petrochemical plant was achieved by attackers, they could conceivably shut the plant down by generating a false alert.
If complete control over the emergency shutdown systems and basic control over other plant functionality was achieved by attackers, it might theoretically be possible for them to induce a catastrophic failure. This topic lends itself to sensationalized reporting but at this point, it appears relatively unlikely. Industrial plants are usually designed with several layers of emergency systems some of which are not networked. To induce catastrophic failure, the attackers would likely need inside on-location assistance or rely on poorly designed / misconfigured infrastructure.
Still, as more traditional offline systems are being connected to networks, the risk for such attacks is likely to increase during the medium to long term future.
The problem with industrial systems
As we have pointed out in previous briefings, it is difficult to secure hardware systems that are expensive and rarely upgraded. While a specific version of a software may have a lifetime of a few weeks to a few months, a pacemaker, a warning siren or a crane has a lifecycle measured in years or decades. While the software can be upgraded with relative ease, upgrading these pieces of hardware is both difficult and costly.
Industrial plants face the same dilemma. Machinery and processing equipment are extremely expensive and any new investment must run for many years to be profitable. Thus replacement cycles are long and emergency upgrades expensive.
It is absolutely no rarity to find multi-million dollar equipment that is only compatible with drivers running on Windows NT. Naturally, such systems are virtually impossible to secure from an information security perspective.
Summary
While the news is certainly worrying, we consider the current reporting on the attack to be overblown based on the information available at the time of publishing this briefing.
That said, cyber attacks will play an increasingly large role in the non-destructive and destructive sabotage of industrial installations over the coming decades. While well-managed and funded factories are likely to keep up with the times, badly managed or poorly funded factories may over time develop into serious security risks.