A decade of physical risks generated by industrial systems hacking
Apr 24th, 2019
A decade of physical risks generated by industrial systems hacking shows a remarkable and worrisome acceleration.
Indeed, it all started, as far as we know, with the crippling Stuxnet worm attack on the Iranian uranium enrichment centrifuges.
As the title clearly indicates, we will not discuss here the devastating attacks on administrative systems or data repositories, but focus on industrial systems.
What is going on
Successful hacking on industrial systems seemed to remain “isolated exploits” for a long time. For example, in 2014 hackers struck a steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in reportedly “massive” damage.
More recently, an aluminum producer in Norway was brought to the brink of a full shut-down.
Then Triton and Trisis, malware targeting the Triconex product line made by Schneider Electric, came to light. The targeted systems provide emergency shutdown in critical industrial processes. Thus they are Safety Instrumented Systems (SIS), comprising hardware and software components. Obviously, the impairment of such a safety system leaves the consequences of a malfunction unmitigated.
Power plants and gas refineries are among the users of the Triconex product line and of SIS.
A look at the risk side of a decade of physical risks generated by industrial systems hacking
If the probability of a system’s malfunction is p0 and the related consequences (losses) are C0, then the unmitigated risk of that malfunction is R0 = p0 * C0.
Say an implemented safety device has the capability to stop the system before the malfunction develops and generates the consequences C0, so that the residual probability is only a fraction of p0. As an example, let’s assume the fraction is 1/1000. That means that with the safety system in operational state, the risk would now be R1 = R0/1000.
What a hacker can do is alter that 1/1000 factor. If the hacker can put the safety system out of service, then R1 = R0, i.e., in the case of this example, 1000 times the mitigated risk.
Interestingly, no hacker has the power to alter the consequences C0. They can only act on the probability reduction brought in by the SIS.
The only way to generate larger consequences C0 is to “play” on long chains of events; alter the probability of failure at several stages in a controlled manner, and create a compound phenomenon with amplified consequences.
However, at this stage, we do not believe any hacker is going to go that way. It is easier and more efficient to throw a stone in the pond and see what happens.
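The arithmetic above, carried through as an added example (this is not code from the original post): the model uses the post's p0, C0, R0 and the 1/1000 SIS factor, and adds a second function for the compound, multi-stage scenario described just before. The hazard names, probabilities, loss amounts and the assumption that the stages fail independently are all constructed for illustration.

```python
"""Worked risk model for a Safety Instrumented System (SIS).

Added illustration, not code from the original post. Notation follows the
post: p0 is the probability of a malfunction, C0 its consequence (loss),
R0 = p0 * C0 the unmitigated risk, and the SIS leaves only a fraction of p0
(the post's 1/1000 example). The chain-of-events model, the currency
figures and the independence of stages are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Hazard:
    name: str
    p0: float          # probability of the malfunction (assumption: per year)
    c0: float          # consequence (loss) if it develops, in currency units (constructed)
    sis_factor: float  # fraction of p0 that survives the safety system, e.g. 1/1000

    def unmitigated_risk(self) -> float:
        """R0 = p0 * C0: the risk with no safety system at all."""
        return self.p0 * self.c0

    def mitigated_risk(self, sis_operational: bool = True) -> float:
        """R1 = R0 * factor while the SIS works; R1 = R0 once it is put out of service."""
        factor = self.sis_factor if sis_operational else 1.0
        return self.unmitigated_risk() * factor


def risk_increase_from_sis_loss(h: Hazard) -> float:
    """How many times the mitigated risk grows when the SIS is disabled (1000 in the post's example)."""
    return h.mitigated_risk(sis_operational=False) / h.mitigated_risk(sis_operational=True)


def chained_risk(stages: Sequence[Hazard], final_consequence: float,
                 sis_operational: bool = True) -> float:
    """Compound scenario from the post: several stages must all fail before a larger consequence occurs.

    Each stage contributes its effective probability (p0 * factor while its SIS works, p0 once
    it is disabled). Treating the stages as independent (a modelling assumption), the chain
    probability is the product, so disabling n safety systems amplifies the risk by 1000**n.
    """
    p_chain = 1.0
    for stage in stages:
        factor = stage.sis_factor if sis_operational else 1.0
        p_chain *= stage.p0 * factor
    return p_chain * final_consequence


if __name__ == "__main__":
    furnace = Hazard("furnace runaway (constructed)", p0=0.01, c0=10_000_000, sis_factor=1 / 1000)
    print(f"R0 (no SIS):        {furnace.unmitigated_risk():>12,.1f}")
    print(f"R1 (SIS working):   {furnace.mitigated_risk():>12,.1f}")
    print(f"R1 (SIS disabled):  {furnace.mitigated_risk(sis_operational=False):>12,.1f}")
    print(f"increase factor:    {risk_increase_from_sis_loss(furnace):>12,.0f}x")

    # Two-stage chain: both safety systems must be defeated for the larger loss to occur.
    stages = [furnace, Hazard("relief valve failure (constructed)", p0=0.01, c0=0, sis_factor=1 / 1000)]
    print(f"chain, SIS working:  {chained_risk(stages, 1e9):>12,.3f}")
    print(f"chain, SIS disabled: {chained_risk(stages, 1e9, sis_operational=False):>12,.1f}")
```

The single-hazard figures reproduce the post's 1000x jump; the two-stage chain shows why the compound route is so much worse in principle (1000 x 1000 here) while also requiring the attacker to defeat every stage's safety system in a controlled way, which is the point the post makes about that route being harder.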
We will discuss ways to mitigate those risks at INFONEX next month in Vancouver.