ANATOMY OF AN ATTACK: HOW CYBER VULNERABILITIES ON A SIMPLE SENSOR CAN MEAN DISASTER

10-09-2018

We like to think that cyber attacks are all about stealing lists of credit card numbers and that attackers know little about control systems. That is wishful thinking.

Let’s look at how a knowledgeable outsider can shut down a process using a published sensor vulnerability, in a way that will be very difficult for a company to figure out. So difficult, in fact, that the attacker may be able to do it several times over.

In late 2015, ICS-CERT published advisory ICSA-15-309-02 on Honeywell Midas gas detectors. According to ICS-CERT, the vulnerabilities “could allow a remote attacker (with ‘low skill’) to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes.” Unauthenticated access over the network to a device’s web interface is the whole story here: no exploit development, no malware, just the ability to do what a technician at the keyboard could do.

These devices detect the ambient release of small amounts of toxic or flammable gas. It is common to locate many such detectors across a processing area, and to configure both alarms and automatic process shutdowns to trigger on simultaneous detection signals from several of them.

Imagine yourself as the attacker. Having at least the ‘low skill’ mentioned by ICS-CERT, you have gained access and are looking at a dozen such devices. You can see their configuration, tags, and detection ranges. You can alter any of these, and you can start calibration or scale checks at will.

In other words, you can generate alarms at will. You don’t want to make them all alarm at once – instead you select four or five that seem associated by their names (West Side First Level, West Side Second Level) and initiate a 4-20mA scale check. A loop test of that kind forces the detector’s analogue output to a chosen value, and the control system reading that loop interprets it as a gas concentration, so alarms will result. Note that several other settings, sensitivity and alarm setpoints among them, can also be used to create false alarms.

The operator sees these alarms. It looks like a serious leak. The response could vary, but lowering the production rate or pressure, or even shutting down that part of the process, would be an entirely reasonable reaction.

Evacuation of operations and maintenance personnel in that area will be ordered. Responders may have to suit up and verify the signals using handheld gas detectors. Of course, they will find nothing. But the physical examination of the process will be thorough and time consuming. After all, this was a simultaneous set of alarms from different detectors, not a single-sensor failure.

In the meantime, the hacker covers his tracks, restoring every detector to its prior values. By the time the investigation gets around to looking at the configuration of the detectors, there is nothing amiss – unless something outside the devices was recording their settings and status at short intervals all along.
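The attack only stays invisible because nobody keeps a record of detector settings and mode between polls. The script below is an added example, not code from the article or from PAS: it assumes a hypothetical poller that periodically captures each detector’s tag, mode (normal, test or calibration), alarm state and a snapshot of the settings an attacker could touch, and it flags alarms that coincide with a test mode or follow a recent configuration change. Tags, setting names and the sample polls are constructed for the example.

```python
"""Added example, not code from the article or from PAS: spotting the spoofed-alarm
pattern above from detector records polled by something outside the device.

Assumed (hypothetical) record shape: each poll carries the detector tag, its mode
("normal", "test" or "calibration"), whether it is in alarm, and a snapshot of the
settings an attacker could touch. The sample polls at the bottom are constructed."""
from dataclasses import dataclass
import hashlib
import json


@dataclass
class Poll:
    t: int          # seconds since the start of the polling run
    device: str     # detector tag, e.g. "West-L1" (constructed)
    mode: str       # "normal", "test" or "calibration"
    alarm: bool
    config: dict    # settings snapshot: range, alarm setpoint, loop-test flag


def config_fingerprint(config: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so snapshots compare cheaply."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def config_changes(polls):
    """(device, t_before, t_after, changed_keys) for every pair of consecutive
    polls of one device whose settings differ. A change that is reverted later
    is still recorded here, which is the point: restoring the old values does
    not erase the history if someone else was keeping it."""
    by_device = sorted(polls, key=lambda p: (p.device, p.t))
    last, out = {}, []
    for p in by_device:
        prev = last.get(p.device)
        if prev is not None and config_fingerprint(prev.config) != config_fingerprint(p.config):
            keys = sorted(k for k in set(prev.config) | set(p.config)
                          if prev.config.get(k) != p.config.get(k))
            out.append((p.device, prev.t, p.t, keys))
        last[p.device] = p
    return out


def suspicious_alarms(polls, window=600):
    """Alarms worth questioning before anyone suits up: the detector was in
    test or calibration mode while alarming, or its settings changed within
    `window` seconds before the alarm. Returns (device, t, reason) tuples."""
    changes = config_changes(polls)
    findings = []
    for p in sorted(polls, key=lambda p: (p.t, p.device)):
        if not p.alarm:
            continue
        if p.mode != "normal":
            findings.append((p.device, p.t, f"alarm while in {p.mode} mode"))
            continue
        recent = [c for c in changes if c[0] == p.device and 0 <= p.t - c[2] <= window]
        if recent:
            dev, _, t_after, keys = recent[-1]
            findings.append((dev, p.t, f"config changed {keys} {p.t - t_after}s before alarm"))
    return findings


# Constructed sample: four west-side detectors polled every 60 s. West-L1 and
# West-L2 are put into a loop (4-20 mA) test from t=120 to t=240 and alarm while
# in it; West-L3 has its alarm setpoint dropped at t=120, alarms from t=180, and
# is restored at t=300; West-L4 is left alone.
BASE = {"range_ppm": 100, "alarm_ppm": 10, "loop_test": False}
SAMPLE = []
for dev in ("West-L1", "West-L2", "West-L3", "West-L4"):
    for t in range(0, 361, 60):
        cfg, mode, alarm = dict(BASE), "normal", False
        if dev in ("West-L1", "West-L2") and 120 <= t <= 240:
            cfg["loop_test"], mode, alarm = True, "test", True
        if dev == "West-L3" and 120 <= t < 300:
            cfg["alarm_ppm"], alarm = 1, t >= 180
        SAMPLE.append(Poll(t, dev, mode, alarm, cfg))

if __name__ == "__main__":
    for finding in suspicious_alarms(SAMPLE):
        print(finding)
```

Run as a script it lists eight questionable alarms and none for the untouched detector; West-L3 is caught even though its setpoint is back to normal by t=300, because the change at t=120 was recorded when it happened. The polling interval has to be shorter than the time an attacker needs to change, alarm and restore, and the poller must authenticate to the device as read-only and live on a monitored host, or it simply becomes one more thing the attacker can turn off.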

After a thorough yet futile leak search, the process is restarted, perhaps with additional personnel stationed with leak detectors, and likely with extra operator coverage at first – both expensive and disruptive.

But the hacker is patient. Two weeks later the attack is repeated, choosing different sensors. The attacker might even be smart enough to coordinate the timing and the choice of detectors with the wind direction – easy to determine from weatherzone.com.au – this time on the South side, so that the pattern of alarms is consistent with a real plume.

The response to a second such incident might involve a much more detailed plant inspection, consuming hundreds of man-hours and a significant process outage – all to find a leak that isn’t there. This costs a lot of money, and even more in lost production.

How do you protect against an attack like this? The ICS-CERT advisory says that a firmware upgrade to the device is needed to remediate the vulnerability. Do you monitor all such vulnerability notifications? Do you have an inventory of field-level ICS devices (not just the Windows PCs at Purdue level 2) to match them against, including the vendor, model and firmware version of each? And, hopefully, an inventory that was created by automated means rather than hundreds of man-hours of manual effort?

Do you have an automated patch management and reporting system that keeps track of progress on all relevant vulnerabilities? Do you have saved configuration baselines against which your devices are periodically and automatically checked for unauthorised change?
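Matching advisories against an inventory is mechanical once the inventory records vendor, model and firmware for every field device. The script below is an added example, not code from the article, from PAS or from ICS-CERT: the vendor and product names, advisory identifiers, fixed-in versions and inventory rows are all constructed (they are not the affected-version data from ICSA-15-309-02), and firmware versions are assumed to be plain dotted numbers. It also covers the case a practitioner cares most about: a device whose firmware version is unknown is reported, not quietly treated as patched.

```python
"""Added example, not code from the article or from PAS: matching a device
inventory against advisories so that vulnerable field devices turn up without a
manual trawl. Vendor/product names, advisory ids, fixed-in versions and the
inventory rows are constructed for the example and are NOT the affected-version
data from ICSA-15-309-02; versions are assumed to be plain dotted numbers."""
import re

VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(v: str) -> tuple:
    """'1.12' -> (1, 12); tuple comparison then orders releases numerically,
    so (1, 12) < (1, 13, 3) as intended. Anything else is rejected rather
    than guessed at."""
    if not VERSION_RE.fullmatch(v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def match_inventory(inventory, advisories):
    """(tag, advisory id, reason) for every device an advisory applies to.
    A device whose firmware is missing or unparsable is reported too: an
    unknown version must not be silently treated as patched."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if (dev["vendor"], dev["product"]) != (adv["vendor"], adv["product"]):
                continue
            fw = dev.get("firmware") or ""
            if not VERSION_RE.fullmatch(fw):
                findings.append((dev["tag"], adv["id"], "firmware unknown, verify on device"))
            elif parse_version(fw) < parse_version(adv["fixed_in"]):
                findings.append((dev["tag"], adv["id"], f"{fw} below fixed-in {adv['fixed_in']}"))
    return findings


def open_by_advisory(findings):
    """Group affected device tags per advisory, the shape a patch-progress
    report needs."""
    report = {}
    for tag, adv_id, _ in findings:
        report.setdefault(adv_id, []).append(tag)
    return report


# Constructed advisories and inventory rows (hypothetical vendor and products).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "vendor": "ExampleCo", "product": "GasDet-A", "fixed_in": "1.13.3"},
    {"id": "ADV-EXAMPLE-2", "vendor": "ExampleCo", "product": "GasDet-B", "fixed_in": "2.13.3"},
]
INVENTORY = [
    {"tag": "GD-W-101", "vendor": "ExampleCo", "product": "GasDet-A", "firmware": "1.12"},
    {"tag": "GD-W-102", "vendor": "ExampleCo", "product": "GasDet-A", "firmware": "1.13.3"},
    {"tag": "GD-S-201", "vendor": "ExampleCo", "product": "GasDet-B", "firmware": "2.13"},
    {"tag": "GD-S-202", "vendor": "ExampleCo", "product": "GasDet-A", "firmware": ""},
    {"tag": "PLC-1", "vendor": "OtherCo", "product": "Controller", "firmware": "4.2.0"},
]

if __name__ == "__main__":
    for adv_id, tags in open_by_advisory(match_inventory(INVENTORY, ADVISORIES)).items():
        print(adv_id, tags)
```

Real vendor version strings are rarely this tidy (build suffixes, letters, date codes), which is why the parser refuses anything it does not understand instead of sorting it arbitrarily; the refused devices then show up as "unknown" and get checked by hand. The same match, re-run after each firmware upgrade, is the progress report.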

If these questions make us uneasy, we are not alone. In our industry, the endpoints that really matter are the elements deep in our control systems, elements that are neither detected nor tracked by most cyber security products. They are the ones where an unauthorised change can have the worst outcomes. A true ICS cyber security solution is one that has a deep understanding of the inner workings and configurations of the many different control systems we use.

Sleep well!

Bill Hollifield is Principal Consultant at PAS.
