A decade of physical risks generated by industrial systems hacking

Apr 24th, 2019

A decade of physical risks generated by industrial systems hacking shows a remarkable and worrisome acceleration.

Indeed, it all started, as far as we know, with the crippling Stuxnet worm attack on the Iranian uranium enrichment centrifuges.

As the title clearly indicates, we will not discuss here the devastating attacks on administrative systems and data repositories, but focus on industrial systems.

What is going on

Successful hacking of industrial systems seemed to remain a matter of “isolated exploits” for a long time. For example, in 2014 hackers struck a steel mill in Germany (the case is documented in the German BSI's 2014 IT security report). They manipulated and disrupted the control systems to such a degree that a blast furnace could not be properly shut down, resulting in reportedly “massive” damage.

Lately (March 2019) an aluminum producer in Norway was brought to the brink of a full shut-down. In that case the malware was ransomware that hit the company's IT network rather than the control systems themselves, yet plants had to fall back to manual operation.

Then Triton (also known as Trisis), malware targeting the Triconex safety controllers made by Schneider Electric, came to light in late 2017. The targeted systems provide emergency shutdown in critical industrial processes; they are Safety Instrumented Systems (SIS), comprising hardware and software components. Obviously, the impairment of such a safety system leaves the plant exposed to the unmitigated consequences of a malfunction.

Power plants and gas refineries are among the users of the Triconex product line and of SIS in general.

A look at the risk side of industrial systems hacking

If the probability of a system’s malfunction is p0 and the related consequences (losses) are C0, then the unmitigated risk of that malfunction is R0 = p0 * C0.

Say an implemented safety device (the SIS) is able to stop the system before the malfunction develops and generates the consequences C0, except in a fraction of the cases. That fraction is the probability of failure on demand (PFD) of the SIS, and its inverse is the risk reduction factor (RRF). As an example, let’s assume the fraction is 1/1000, i.e., an RRF of 1000, which in IEC 61508/61511 terms sits at the boundary between SIL 2 and SIL 3. With the safety system in operational state, the risk becomes R1 = R0/1000.

What a hacker can do is alter that 1/1000 factor. If the hacker can put the safety system out of service, the factor becomes 1 and R1 = R0, i.e., in this example, 1000 times the mitigated risk. Note that the 1000 is a design figure: a SIS whose logic has been tampered with still looks operational to the plant, so the reduction only holds as long as the integrity of the safety logic can actually be verified.

Interestingly, no hacker has the power to alter the consequences C0 of a given malfunction; those are fixed by the physics and the inventory of the process. What they can act on is probability: either by removing the reduction brought in by the SIS (putting it out of service, or reprogramming it so that it no longer trips), or by raising p0 itself through the process control system, as in the steel mill case. The worst case combines the two: drive the process towards the hazardous state while the safety layer is blind.

The only way to generate consequences larger than C0 is to “play” on long chains of events: alter the probability of failure at several stages in a controlled manner, and create a compound phenomenon whose consequences exceed those of any single malfunction.
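The arithmetic above, carried through as an added example (this is not Riskope's code or tooling, and the numbers are constructed for illustration). The symbols follow the post: p0, C0, R0 = p0 * C0, and an SIS with risk reduction factor RRF giving R1 = R0 / RRF. The second part models the “long chain of events” case as a list of stages whose progression probabilities the attacker can alter; the stage names and consequence figures are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import List


def unmitigated_risk(p0: float, c0: float) -> float:
    """R0 = p0 * C0: probability of the malfunction times its consequences."""
    return p0 * c0


def mitigated_risk(p0: float, c0: float, rrf: float) -> float:
    """R1 = R0 / RRF. RRF is the risk reduction factor of the SIS, the inverse
    of its probability of failure on demand (PFD). RRF = 1 means no reduction
    at all, i.e. the SIS has been put out of service."""
    if rrf < 1:
        raise ValueError("a safety system cannot have an RRF below 1")
    return unmitigated_risk(p0, c0) / rrf


def sis_attack_ratio(rrf: float) -> float:
    """Factor by which the risk rises when the attacker disables the SIS:
    R(SIS disabled) / R1 = (R0 / 1) / (R0 / RRF) = RRF, independent of p0, C0."""
    return mitigated_risk(1.0, 1.0, 1.0) / mitigated_risk(1.0, 1.0, rrf)


@dataclass
class Stage:
    name: str
    p: float           # probability that this stage progresses to the next one
    p_attacked: float  # the same probability once the attacker has tampered with it


def chain_risk(stages: List[Stage], consequence: float, attacked: bool = False) -> float:
    """Risk of a compound chain of events: the product of the per-stage
    progression probabilities times the consequence reached at the end."""
    prob = 1.0
    for stage in stages:
        prob *= stage.p_attacked if attacked else stage.p
    return prob * consequence


# Constructed illustration, not data from any real plant.
P0, C0, RRF = 1e-2, 1_000_000.0, 1000.0   # RRF 1000: the SIL 2 / SIL 3 boundary

R0 = unmitigated_risk(P0, C0)              # 10,000
R1 = mitigated_risk(P0, C0, RRF)           # 10
R_SIS_DOWN = mitigated_risk(P0, C0, 1.0)   # back to 10,000: the SIS contribution is gone

# A hypothetical chain: the attacker can reach the control system and the SIS
# logic, but not the purely mechanical relief valve at the end of the chain.
CHAIN = [
    Stage("overpressure in vessel", p=1e-2, p_attacked=1.0),   # process driven there on purpose
    Stage("SIS fails to trip",      p=1e-3, p_attacked=1.0),   # safety logic tampered with
    Stage("relief valve fails",     p=1e-2, p_attacked=1e-2),  # mechanical, out of reach
]
C_CHAIN = 100_000_000.0   # loss of containment plus fire: 100 times larger than C0

if __name__ == "__main__":
    print(f"R0 = {R0:,.0f}   R1 = {R1:,.0f}   R(SIS disabled) = {R_SIS_DOWN:,.0f}")
    print(f"SIS attack multiplies the risk by {sis_attack_ratio(RRF):,.0f}")
    print(f"chain risk, baseline: {chain_risk(CHAIN, C_CHAIN):,.2f}")
    print(f"chain risk, attacked: {chain_risk(CHAIN, C_CHAIN, attacked=True):,.0f}")
```

The first block of numbers reproduces the post's point: with the SIS disabled the risk goes straight back to R0, a factor RRF regardless of what p0 and C0 are. The chain shows the second mechanism: the attacker never changes C0 or the relief valve's 1/100, but by forcing the two stages it controls the compound risk rises from about 10 to 1,000,000, and the consequence actually reached is the chain's, not the single malfunction's.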

However, at this stage, we do not believe any hacker is going to go that way. It is easier and more efficient to throw a stone in the pond and see what happens.

We will discuss ways to mitigate those risks at INFONEX next month in Vancouver.

Category: Consequences, Hazard, Risk analysis, Risk management
