This paper was prepared for PSAA 652 – Protection of the Nation’s Critical Infrastructure at the Bush School of Government and Public Service at Texas A&M University. It was intended to have us as student develop a plausible scenario that would affect a portion of the country’s critical infrastructure. In this particular case I looked at the effects of a cyber attack on the chemical sector.

Cyber attacks are increasingly becoming a part of our day to day discussion in the world. Most of the discussion is, however, centered on the high profile situations that affect each of individually. Situations that include identity theft or credit card theft, viruses on our personal computers, leaking of personal documents and photos to the general public, and the spread of false information through social media. One topic that is just starting to come to the surface of the national (and international) discussion on cybersecurity is the issue of the security of our critical infrastructure sectors where computers are an essential component. While most of us focus on cybersecurity measures for our own personal devices, what kind of measures are being taken to protect our energy, chemical, transportation, and water sectors? Over twenty years ago computers, networks, and the internet promised great things for efficiency both in our personal lives and in the various industrial sectors, especially in terms of being able to communicate and produce more efficiently. While much of this continues to become true as technology advances, it is also increasing the potential for risk not just to our personal systems and our personal security but also the risk to the various critical infrastructure sectors.

Target: SCADA Systems

In my scenario paper earlier this semester I wrote about the potential of a cyber attack on the Supervisory Control and Data Acquisition (SCADA) system for a chemical plant within the chemical sector. SCADA systems have become essential to a number of critical infrastructure sectors including energy, water, and transportation. As industrial plants grew in complexity during the first half of the twentieth century, so did the need for more automation. In the 1960’s new computerized systems were deployed in a number industries including the chemical and energy production sectors. Early models used massive super computers to display information about the current process within the facility and give the operator of that computer the ability to control certain elements of that process (DPS Telecom, 2018).

SCADA systems work essentially like massive command and control systems. In the case of chemical plants, sensors throughout the facility gather a wide variety of data and report it back to the SCADA system through an electronic network. Some of this data includes temperatures, air quality, pressures within pipelines and containers, and other essential statistics. All this information is made available to operators on a computer screen in their control room or office. Additionally, various programmable logic controllers (PLCs) are throughout the plant which can control valves, motor speeds, and other processes. Like the previously mentioned sensors, all of these PLCs are connected to the SCADA system through an electronic network. The PLCs can then be controlled by the operator to control various parts of whatever chemical process is supposed to be performed. So you have both input and output as an operator sitting at the screen of the SCADA system. The input being the various statistics collected by sensors scattered throughout the plant, and the output being the PLCs that can control the chemical process for producing product.

As a result, an individual operator or a team of operators can maintain the production process from a single workstation running the plant’s SCADA software. As information comes in from sensors operators can maximize the efficiency of the process by controlling the flow of different chemicals. Operators can also prevent potential accidents by monitoring the information and taking action. For example if the pressure in a pipeline begins to rise dangerously close to the threshold of what that pipeline can hold the operator can reduce the flow in that pipeline or shut it off entirely for maintenance. While this creates a great deal of convenience and increased efficiency for the entities that own a chemical plant (and other types of industrial facilities), it also can potentially provide a great deal of convenience to a bad actor who wants to cause harm if they were to gain control over the SCADA system for a chemical plant

Protections In Place

While early SCADA systems were massive super computers, modern day versions are physically not that different from the desktop PC that sits in your office or home. As a result they have many of the same available protections such as user authentication (username and password) to only allow access to certain personnel. Occasionally they may have multi factor authentication such as biometrics or one time passwords to further increase the difficulty of gaining access. While these protections are generally effective for the average workstation, more has to be done when that workstation is what gives access to all the processes of a chemical plant. As a result many facilities implement what is known as an “air gap”.

Wired defines an air gap as “computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet” (Wired, 2014). In essence, an air gap is removing the pathway between a potential target system and a potential hacker. The best way to think of it is its like building on an island with no bridges leading to it. Since most modern hacks come in through the internet from across the globe this is considered one of the most effective methods for blocking hackers from gaining access to a sensitive network. The result of this methodology is that it typically requires gaining physical access to the workstation in order to control it.

However, air gaps are not a perfect method of protection as we have seen in two other real world scenarios where SCADA systems were successfully attacked. The first is the STUXNet virus which infected the SCADA system at the Natanz uranium enrichment facility in Iran. It is widely believed in the cybersecurity community that the STUXNet virus breached the air gap by way of a technician’s USB thumb drive. All computers have to have software patches and updates applied from time to time whether it is your smartphone, your laptop, a server, or a SCADA system workstation. When a system is inside an air gap, computer technicians (typically from third party vendors) install the patch by downloading it to a USB drive and then plugging it into the air gapped workstation. It is widely believed that this was the route that STUXNet took to get past the Natanz air gap, infect the SCADA system, and cause significant damage to the uranium enrichment centrifuges (Zero Days, 2016).

The second notable attack on a SCADA system is the attack on the Bowman Avenue Dam in Rye Brook, New York just twenty-five miles north of New York City which was discovered in 2013. Individuals associated with the Iranian government were able to gain remote access of the SCADA system for this relatively small dam without ever having to leave the country of Iran. Upon gaining control of the SCADA system, the hacker sent the command to open one of the floodgates of the dam in order to release a great deal of water and flood the nearby communities. The only reason this flooding did not occur was that the motor that was responsible for opening and closing that flood gate had been disconnected for maintenance (Time, 2016). This was made possible by a cellular modem that was connected to the internet and the air gapped network in which the Dam’s SCADA system resided. Unlike STUXNet which went into the Natanz air gap and had to operate on its own within the air gap, this attack created a persistent connection between the attackers and the SCADA system within the air gap creating the potential for even more damage.

The Attack

The devices used in this fictional attack on a chemical facility is based on a combination of the STUXNet and Bowman Avenue Dam as well as my own experience in the penetration testing part of the cybersecurity industry in which my company develops realistic methods used to break past clients’ security measures as a way to test those security measures. While the STUXNet attack was extremely successful, it was also very sophisticated. It’s considered one of the most sophisticated pieces of malware to ever be found “in the wild”. It was highly specialized and developed for a specific purpose. A typical terrorist group will not have the expertise to reverse engineer it and retool it for their own purposes. A more typical piece of malware acquired from the “dark web” (basically a giant online black market where hackers can sell malware) is likely what would be used. However, this would not be sufficient for an effective attack that would inflict maximum damage on a chemical plant and the surrounding community because of the air gap that is protecting the SCADA system. So malware in conjunction with rogue hardware would need to be utilized to give a terrorist effective access to the SCADA system without being present inside the facility’s physical perimeter.

The attack would involve three phases. The first phase is similar to STUXNet in terms of getting malware inside the air gap and onto the SCADA system. Most chemical companies will contract this process out to a third party information technology (IT) company. So the terrorist would target this IT company through malicious emails to get one of their staff to unwittingly download the malware. This malware would then spread to all of the computers in their office and infect all USB drives that connect to the infected machines in their office. As the technician assigned to work on the SCADA system at the target chemical plant downloads the latest software patch onto a USB drive to take to the chemical plant the malware infects the USB drive. The technician then connects that USB drive to one of the SCADA workstations inside the air gap which infects that SCADA system and all devices connected to it. But what does this malware do? It looks through the SCADA system and all workstations connected to it as well as any other devices to it to find any wireless technologies such as WiFi or Bluetooth (which are typically disabled in air gap situations) that came built in by the manufacturer of the hardware and enables them. While there is still no internet connection for these devices they are essentially open wireless ports waiting for a connection. This moves to the second phase of the attack.

In the second phase of the attack the terrorist deploys a hardware package nearby but still outside of the perimeter which is marked at most chemical facilities by nothing more than a fence on the back of the property. The package is a small, ruggedized, waterproof case similar to what Pelican sells for protecting sensitive equipment from the elements while in the field for around $120. Within that case are the following items and estimated costs:

  • Raspberry Pi ($35): a low cost credit card sized computer which is very energy efficient and can be easily programmed using online research materials. These have both WiFi and Bluetooth antennas built in.
  • Two high capacity portable batteries ($300): these are typically used by people who frequently travel to recharge their cell phones and tablets and don’t have access to a wall outlet.
  • A mobile hotspot ($50 for contract free, plus prepaid data for $60): also used frequently by travelers to connect their non-cellular tablet or laptop to the internet.
  • A high gain WiFi/Bluetooth antennae ($60): this can effectively increase the usable distance between a device and its access point up to a mile away depending on physical objects between points.

All of these parts can easily fit inside of a Pelican case that is less than one cubic foot in size. By connecting all of these devices together you would have a homemade, preprogrammed computer with the ability to bridge the gap between the internet and the SCADA system through the mobile hotspot which is connected to the Raspberry Pi computer which will scan the area for wireless devices that were enabled by the malware in the first phase of the attack. When properly setup, the high capacity portable battery is able to provide power to the Raspberry Pi and can work continuously for up to five days according to tests that I have done for a project for my company. The high gain WiFi/Bluetooth antenna is to increase the Raspberry Pi’s effective wireless range to locate wireless devices in the area and connect to them.

It is important to note the total cost of this package is relatively small at about $625. This creates what is effectively a very low cost cyber weapon that can be assembled with parts available at many electronics stores or through online sites that cater to hackers.

After the package has been deployed somewhere outside the perimeter of the chemical plant either hidden in a tree or under some brush where it won’t be easily seen, the third phase of the attack can begin. Because the device is now connected to a workstation inside the air gap that is infected with the malware from phase one, the terrorist now has total access to the SCADA system from over the internet. This is no different than if the terrorist is sitting at the SCADA workstation inside the chemical plant. At this point they can adjust valves and other parts of the process to create a release of toxic chemicals such as sulfur, ammonia, chlorine, and others into the air that would cause death and/or severe medical trauma to not only the personnel at the chemical plant but also the surrounding community. This is effectively the equivalent of chemical warfare on a civilian population.

The Response

What is unique about this attack is the covert nature of it. A traditional attack on a chemical plant would be very obvious either through explosions, attacks at the secure entrance to the facility, and/or gunfire to take over the facility. Since this is all done electronically the initial assumption will be that it is either a mechanical failure or some kind of software failure causing the release of these chemicals into the air. While it is potentially a “Pearl Harbor moment” or a “September 11th moment” from a cybersecurity perspective in the scope and impact of the attack, it is not as obvious as Japanese attack aircraft dive bombing naval vessels or multiple highjacked civilian aircraft crashing into major buildings.

The initial response by the chemical plant personnel will be to regain control of the equipment that appears to be malfunctioning to stop the release of the toxic chemicals. This will be of paramount importance to the personnel at the chemical plant. The chemical plant will have to work with local authorities to inform them on the type of chemical that was released so that the appropriate shelter in place orders can be given to the population and so first responders can respond quickly and effectively and safely since they could be exposed to the chemical while responding to the injured.

First responders such as fire departments and EMS will be responsible for responding directly to the effects of the chemical on the personnel in the chemical plant and in the surrounding population. Because of the size of the release, first responders as well as hospitals could be potentially overloaded with people suffering from chemical burns and internal organ damage depending on the type of chemical released. Additional help from surrounding communities not directly impacted by the release as well as from the state’s department of public safety will likely have to be called upon to assist in the response.

Federal authorities, in particular the Department of Homeland Security’s Federal Emergency Management Agency (FEMA), will respond with additional personnel and resources for the surrounding community both in the immediate aftermath and in the long term recovery for the community. Those who do survive the initial exposure to the chemicals that are released will likely have long term medical effects to deal with just as we have seen with volunteers who helped with response to the September 11th attacks in New York (LA Times, 2017) and veterans who were exposed to Agent Orange during the Vietnam War (VA, 2015).

It will only be much later after the immediate threat to health and safety has been brought under control that an investigation can begin which would identify the cause of the incident as a cyber attack. For this reason it is important to identify threats and reduce risks before an attack. The average time it takes to actually discover a cyber attack of any type is around 200 days (XPrise, 2015). While the battery power on the package that made this attack possible is only good for around five days, that means the the overall attack will be implemented and completed well before it is even discovered through a process of investigation into the SCADA system and all connected equipment.

Current Regulations and Lessons Learned

As was discussed in the scenario paper, this is still a cyber attack at its core. While the effects on the chemical sector and on the communities that surround assets in that sector are pretty much identical to a traditional kinetic attack, the implementation of that attack was ultimately through the use of technology. In that sense, this attack is utilizing weaknesses both in the chemical and information technology sectors. This could also have a cascading effect and create an impact on the water and waste water treatment sector as well if these chemicals were to settle over a community’s water supplies. There is no doubt that the potential cost of this scenario is extremely high in terms of impact on the health and safety of people as well as the impact on critical infrastructure. So the question becomes how do policy makers defend against such a destructive attack.

Currently there is very little in the way of regulation and policy that could prevent this attack. The DHS’s Chemical Sector Specific Plan from the National Infrastructure Protection Plan says “while chemical facilities ultimately manage cybersecurity risks at a company and facility level, developing sector-wide risk reduction tools and capabilities can provide major long-term benefits” (DHS NIPP, 2015). Put another way, given that the Chemical Sector is predominantly owned and operated by private entities it is ultimately up to the owners to secure their internal cyber infrastructure including their SCADA systems. That being said, sector wide efforts to identify threats and to share that information between these private entities and relevant public agencies including the Sector Specific Agency, DHS, as identified in Presidential Policy Directive 21. The Chemical Sector Specific Plan identifies the use of training, workshops, trade associations, and various programs to promote cybersecurity awareness within the industry and increase the Chemical Sector’s cybersecurity and knowledge to increase resilience against cyber attack. These same issues exist within the information technology sector in that it is primarily left to the private sector to implement effective methods of protection.

While training, education, and cybersecurity policies are encouraged by current regulation there is no clear definition of what that should include. In other words, the industry has the strategy for defending against cyber attacks, but not the tactics. We know that education and cybersecurity policies are needed, what we don’t know is what is the most effective way to train personnel or the most effective policies. Along with this there is no objective minimum standards for education and policies. As a result every company will have their own internal standards for cybersecurity training as well as for cybersecurity policies.

Going forward it will be essential to standardize training and internal policies across the chemical sector and in the various supporting sectors such as the information technology sector. While additional regulations may be the typical reaction, I believe that better clarity on what education and internal policies may be the better way to go. The threat from cyber attacks is still a relatively new one, and both the chemical and information technology sectors are predominantly operated and developed by those in the private sector. Therefore, standardization of training as well as increasing information sharing between private and public entities within the chemical sector and other related sectors would be the best way to go.

References

Charles Teel is an experienced Cyber and Information Security Professional and founder of SR2 Solutions with a demonstrated history of working in the the business world including in a variety of sectors. Skilled in Secure Software Development, Team Building, Leadership, and Management Consulting. Graduated from Lamar University MBA Program. Currently an Executive Masters Student at the Bush School of Government and Public Service at Texas A&M University with a concentration in Homeland Security and Critical Infrastructure Protection.