In the past, industrial security systems were built using components and protocols that made access difficult. The authors of this article argue that this is no longer the case. Pictured here is the Equinor oil refinery at Mongstad. Photo: Marit Hommedal/NTB

Stopping industrial hackers needs more know-how

Plant managers used to be kept awake at night by the fear of unintended incidents. But their new nightmares are much worse.

Imagine that you are working at an industrial plant and walking past a pipe. Suddenly you smell gas. However, the screens in the control room are indicating that nothing is wrong.

You have no idea that hackers have changed the threshold value that has to be exceeded to trigger the alarm and shut down the plant.

After a while you press the manual emergency stop button, but to your amazement nothing happens – because this system too has been infiltrated and manipulated by unwanted intruders.

The ‘wall’ has fallen

The episode above is just a story. But malicious digital attacks against security systems do happen. There is the example of a hostile attack carried out on a Saudi Arabian petrochemical facility using ‘Triton’ malware.

The malware was created to manipulate so-called Operational Technology (OT) systems designed to monitor, control and protect equipment components. OT systems are distinct from the IT networks that are used by enterprises to support their administrative activities.

In the past, ‘walls’ were established to separate OT systems from the IT networks in such a way that an enterprise’s security systems were isolated from their surroundings. OT systems were built using components and protocols that made access difficult, but this is no longer the case.

Demands for optimisation now mean that OT systems can be made accessible via the internet, giving hackers the opportunity not only to exploit the dependencies between different security systems, but also to interfere with multiple independent systems, such as plant shutdown mechanisms and manual stop buttons, all at the same time. Many knives can thus be twisted all at once.

Traditional assumptions are no longer valid

In the past, system dependencies were analysed on the basis of a company’s need to protect itself from unintended incidents. The risk that several such incidents might occur at the same time was always regarded as very low.

But this assumption is no longer valid – for the very reason that hacking involves intentional actions. At the same time, the fusion of OT with IT systems has provided opportunities for hackers to gain access to the ‘holy of holies’. Series of concurrent incidents that were assumed in the past to be highly improbable have now become very possible.

Technical systems may exhibit a number of different forms of dependency, including the following:

  • Functional dependency: Communications systems require an electricity supply in order for them to work. 
  • Cascading failure: The tsunami that struck Japan in 2011 resulted in a reactor accident involving explosions at the Fukushima nuclear power plant, which in turn caused the spread of radioactive material.
  • Shared components: A golden rule is that control systems and safety systems must never share the same shut-off valve. If this rule is not adhered to, the safety system can no longer be regarded as independent of the control system.
  • Co-localisation: A classic error involves the running of cables from different systems in the same conduit, making both systems equally vulnerable to fire damage.
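
The dependency types listed above can be checked mechanically against a plant model. The following is an added example, not part of the original article: it uses a constructed model with hypothetical system and resource names, follows functional chains to find cascading dependencies, and reports every dependency that two supposedly independent systems have in common.

```python
from itertools import combinations

# Constructed model (hypothetical names). Each system lists its direct
# dependencies as (kind, resource) pairs, using the kinds from the list above.
SYSTEMS = {
    "process_control": {("component", "valve_V1"), ("location", "conduit_C1"),
                        ("functional", "ot_network")},
    "gas_alarm_shutdown": {("component", "valve_V1"), ("location", "conduit_C2"),
                           ("functional", "safety_network")},
    "manual_emergency_stop": {("component", "valve_V2"), ("location", "conduit_C1"),
                              ("functional", "safety_network")},
}
# Resources that themselves need other resources (functional chains).
REQUIRES = {
    "ot_network": {"power_bus_A"},
    "safety_network": {"ups_1"},
    "ups_1": {"power_bus_A"},
}

def closure(resource, requires=REQUIRES):
    """All resources that `resource` ultimately needs, following chains."""
    seen, stack = set(), [resource]
    while stack:
        for dep in requires.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def all_dependencies(system, systems=SYSTEMS):
    """Direct dependencies plus everything reached through cascading chains."""
    deps = set(systems[system])
    for _, resource in systems[system]:
        deps |= {("cascading", r) for r in closure(resource)}
    return deps

def shared_dependencies(systems=SYSTEMS):
    """Map each pair of systems to the dependencies they have in common."""
    result = {}
    for a, b in combinations(sorted(systems), 2):
        common = all_dependencies(a, systems) & all_dependencies(b, systems)
        if common:
            result[(a, b)] = common
    return result

if __name__ == "__main__":
    for pair, common in shared_dependencies().items():
        print(pair, sorted(common))
```

In this constructed model no pair of systems is independent: every pair ultimately draws on the same power bus, and the alarm shutdown and the manual stop also sit on the same network.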

Need for greater awareness

It is crucial that the industrial sector becomes more aware that system dependencies have now become accessible points of weakness, vulnerable to attacks by hackers, and that so-called independent systems are no longer independent when the risk is one of intentional incidents.

As researchers in the field of cyber security, we are acquiring know-how on how specialists working with these issues should approach the new threat.

Such approaches should include prevention (follow-up and updating), cyber threat hunting, exposure management, the management of vulnerabilities and weaknesses, the handling of intrusions, and repair.

SINTEF has assisted the Norwegian Offshore Industry Authority (formerly the PSA) by pointing out how their regulations should be adapted to meet the new threat picture.

As part of a major project funded by the Research Council of Norway (RCN), we are currently looking into how cyber security barrier management can be based on lessons learned in this field from other security systems.

Intentional attacks that threaten industrial plants may appear as coincidental system failures or accidents. However, these are in fact incidents that are either triggered by persons who are aware of system dependencies, or that affect independent security systems to which hackers have obtained access.

Not a free-for-all

Fortunately, hackers looking to misuse OT systems are not enjoying a free-for-all. A long list of security measures (barriers) is being introduced to prevent or manage incidents of system intrusion. These include system zoning and network segmentation, firewalls, antivirus software, access controls and intrusion detection systems.

Comprehensive cyber security standards have been prepared to protect operational technologies linked to automation and control systems. However, these do not represent the ultimate solutions. Instead they serve as challenges to the most advanced, resourceful and persistent cyber security threats.

SINTEF’s Maria Bartnes has recently described the background to the aforementioned RCN-funded project in an interview with the financial daily Dagens Næringsliv: “If we are to protect a system and guarantee its secure operation, we have to obtain an overview of all its potential vulnerabilities. The hackers, on the other hand, need only to identify a single point of weakness that they can exploit”.

We need a lot of smart people

Does increased vulnerability due to system dependency mean that we should live in fear of the increased levels of digitalisation we are seeing in the industrial sector?

Well, we ought at least to be worried enough to take the challenges presented by digitalisation seriously. This will include a realisation that the development of effective protection against concurrent cyber-attacks directed at system dependencies or multiple independent security systems/barriers will require a lot of very smart people.

We also need an improved understanding of our roles and a better clarification of ‘who should be doing what’. Here, we include IT personnel, managers and OT operators, as well as external actors such as system contractors and sub-suppliers, including those offering security surveillance systems.

This article was first published in the technology magazine Teknisk Ukeblad on 4 September 2023, and is reproduced here with the permission of the magazine.