Cyberattacks causing kinetic damage are neither new nor uncommon

July 18, 2022
July 11, 2022, the BBC published an article, “Predatory Sparrow: Who are the hackers who say they started a fire in Iran?” The article states that it's extremely rare for hackers to cause damage in the physical world. But according to the BBC article, a cyberattack on a steel mill in Iran was a kinetic cyberattack meant to cause physical damage. The article goes on to state that the 2010 Stuxnet attack is one of the few - if not the only known - example of a cyber-attack causing physical damage. This statement is often made because of a common view that cyber threats are largely confined to IP network attacks to steal data, cause denial-of-service, or hold data for ransom. However, kinetic attacks are meant to cause physical and/or environmental damage. Kinetic cyberattacks have occurred since at least 2000, and possibly since the early 1980s. The threat actors who conducted these attacks have demonstrated significant knowledge and sophistication about the control systems and what it takes to damage the physical processes. The common threads among these kinetic cyberattacks are they are often identified as equipment malfunctions and can take a substantial amount of time before they are identified as being cyber-related because there are neither cyber forensics at the control system device layer nor training for the engineers to recognize what could be malicious cyberattacks as opposed to equipment malfunctions. Trying to identify or prevent kinetic cyberattacks requires knowledge beyond just OT network security. The lack of cyber security inherent in the control system devices and networks requires expertise in OT network security, domain knowledge of the systems, and control system device security. Discounting kinetic cyberattacks is done at your peril.

July 11, 2022, the BBC published an article, “Predatory Sparrow: Who are the hackers who say they started a fire in Iran?” (https://www-bbc-com.cdn.ampproject.org/c/s/www.bbc.com/news/technology-62072480.amp?mc_cid=d6f2029e31&mc_eid=UNIQID).The article states that it's extremely rare for hackers, who operate in the digital world, to cause damage in the physical world. According to the BBC article, a cyberattack on a steel mill in Iran two weeks ago is being seen as one of those significant and troubling moments. The article goes on to state that "If this does turn out to be a state sponsored cyber-attack causing physical - or in the war studies jargon 'kinetic' damage - this could be hugely significant," says Emily Taylor, Editor of the Cyber Policy Journal. "Historically the Stuxnet attack on Iran's uranium enrichment facilities in 2010, has been highlighted as one of the few - if not the only known - example of a cyber-attack causing physical damage." Since then, there have been very few confirmed cases of physical damage.” These statements are often made because of a common view that cyber threats are largely confined to Internet Protocol (IP) network attacks to steal data, cause denial-of-service, or hold data for ransom such as the Colonial Pipeline ransomware attack. However, kinetic attacks are meant to cause physical damage to boilers, turbines, motors, transformers, kill people, or cause environmental damage using bits and bytes.

Control system cyber incidents are different from IP network attacks and they don’t have to be malicious to cause physical damage or deaths (https://www.controlglobal.com/blogs/unfettered/thousands-of-deaths-from-control-system-cyber-incidents-and-most-did-not-involve-ip-network-issues). My non-public database has identified almost 12 million control system cyber incidents that have directly killed more than 34,000 and caused more than $100BillionUS in direct physical damages. Whether they’re accidents or malicious attacks is almost beside the point as the impacts can be the same. One of the striking things about control system cyberattacks is how difficult they are to distinguish from accidents.

There have been non-nation-state and nation-state kinetic cyberattacks against water and wastewater facilities, paper and pulp, oil and gas, pipelines, powerplants, steel mills, manufacturing, transportation systems, buildings, and even datacenters. Kinetic impacts include massive environmental spills, pipeline ruptures, forced electric outages, fires in datacenters, ships being sent off-course, chiller motors being damaged, power plant turbines destroyed, tilting off-shore oil platforms, steel mill furnace and oxygen systems damaged, and other physical impacts.

These kinetic cyberattacks have occurred since at least 2000, and possibly since the early 1980s. The threat actors who conducted these attacks have demonstrated significant knowledge and sophistication about the control systems and what it takes to damage the physical processes. These kinetic attacks have not been quickly or easily identified as being cyberattacks because there are neither cyber forensics at the control system device layer nor training for the engineers to recognize what could be malicious cyberattacks as opposed to equipment malfunctions.

Kinetic cyberattack examples

The incident in the Farewell Dossier occurred in the early 1980s after the US government denied the USSR’s request to buy software to automate their new trans-Siberian pipeline. Consequently, a KGB agent was covertly sent to a Canadian company to steal the pipeline control software. The Soviets tested their complete pipeline automation system with the stolen software, and everything seemed to work properly. However, some weeks after going online in the summer of 1982, the clandestine code, disguised as an automated system test, instructed a series of control system devices to increase the pipeline’s pressure far beyond its capacity, resulting in a massive explosion.

Three decades later, Stuxnet followed a similar path by compromising pressure sensor data to cause an overpressure event and prevent pressure relief damaging the centrifuges. 

The out-of-phase condition that arises by starting Alternating Current equipment out-of-phase with the electric grid has been known to be a threat for more than fifty years. The threat was the generation of large torques and current spikes that could physically damage equipment. It was thought these out-of-phase events were only unintentional accidents. However, the 2007 Aurora test at the Idaho National Laboratory (INL) demonstrated that malicious cyberattacks could cause systems to operate in the out-of-phase condition causing physical damage without deploying any malware (Power, September 2013, “What you need to know (and don’t) about the Aurora vulnerability). In the INL demonstration, the out-of-phase condition destroyed a 27-ton generator. There have been numerous out-of-phase incidents since the INL test; at least one appears to be malicious.

Triton was the 2017 Russian attempt to destroy a large petrochemical plant in Saudi Arabia by compromising the Triconex safety system. The plant had a forced shutdown in June 2017 because of the Triton malware that was installed in the Triconex safety system workstation. However, because the shutdown was not identified as a cyberattack, the plant was restarted with the malware still installed. The cyberattack was not identified until the plant experienced another forced shut down in August 2017.

Other incidents show the ambiguity associated with events of this kind, although their root causes remain unknown. The June 8, 2022 explosion of an over-pressurized pipeline at the Freeport Liquified Natural Gas (LNG) facility in Texas raised the question why the Freeport LNG process safety system didn’t prevent the explosion from the over-pressurized pipeline (https://www.controlglobal.com/blogs/unfettered/was-the-freeport-liquified-natural-gas-lng-explosion-that-forced-europe-to-keep-buying-russian-natural-gas-a-control-system-cyberattack/). The pressure sensors should have been monitoring the pipeline pressure and alerting the operators when the pressure was increasing. When the pressure reached a high-pressure setpoint, the pressure sensor readings should have initiated alarms and safety systems to relieve the pressure. As there are currently no cyber security forensics at the field device level (in this case the process sensor level), Freeport LNG would not know whether the pipeline explosion was due to unintentional issues (like poor maintenance) or a cyberattack because this risk is not an Operational Technology (OT) network issue.

Freeport LNG wasn’t the only US gas facility to explode this year. Another explosion occurred July 9, 2022, at the OneOk natural gas plant in Medford, Oklahoma. As of July 12, 2022, no details have been released as to the cause other than it’s having been labeled an “incident” by OneOk. February 21, 2022, the Marathon refinery in Garyville, Louisiana exploded (the same day the US imposed sanctions on Russia). There have been other oil, gas, and chemical plant explosions and fires in 2022.  

There have been 34 food process plant fires since April 30, 2021. According to https://www.usnews.com/news/us/articles/2022-05-03/fact-focus-food-plant-fires-fuel-conspiracy-theory, a series of fires hit U.S. food processing facilities earlier this year, raising concerns that the attacks could be arson intended to hurt U.S. food supply amid global food insecurity caused by Russia’s invasion of Ukraine. However, the Fact-checkers site has dismissed such concerns as conspiracy theories. As an example, Fact-checkers stated that the fire at a Perdue Farms soybean facility in Virginia was an accidental fire attributing it to an equipment malfunction. However, control system cyber security is about compromising equipment, not networks. As a result, an apparent equipment malfunction would be what a kinetic cyberattack would be expected to cause.

Trying to identify or prevent kinetic cyberattacks requires knowledge beyond just network security. The lack of cyber security inherent in the control system devices and networks requires OT network security, domain knowledge of the systems, and control system device security. Discounting kinetic cyberattacks is done at your peril.

Joe Weiss