The Stuxnet attack against Iran’s nuclear program is universally viewed as a nation-state cyberattack. The Stuxnet malware changed the target system’s control logic to damage the target, in this case uranium centrifuges, and then changed the logic back so the operator would be unaware the damage to the target was caused by the control logic.
Despite the substantial differences in applications, there are direct similarities between Stuxnet and the emission cheating scandals in the automotive industry involving Volkswagen, Fiat-Chrysler, and Daimler-Mercedes. Because the auto manufacturers could not meet the modified emissions requirements, these major international corporations (not quite nation-state), utilized alternate control logic (“cheat devices”) to change the control system logic in fuel and emission controls in their diesel cars and trucks to “pass” the emissions testing. Robert Bosch GmbH is alleged to have provided the technology that facilitated VW’s cheating on U.S. government diesel emissions tests. The parts supplier agreed not to contest the fine. In a statement released by prosecutors in Stuttgart, Bosch "delivered around 17 million motor control and mixture control devices to various domestic and foreign manufacturers, some of whose software contained illegal strategies.” https://www.forbes.com/sites/doronlevin/2019/05/23/german-parts-maker-bosch-gets-off-with-relatively-light-100-million-fine-from-vw-dieselgate/#7b64d3f321f2. The cheat devices allowed vehicles to emit more nitrogen oxides than allowed under regulations. Following the “successful” emissions testing, the control system logic was changed back, so the cars and trucks could get the advertised mileage while damaging the “target” – the environment. Because the alternate control logic (malware) was in the individual vehicle controllers, Internet Protocol (IP) network anomaly detection and threat detection would not be capable of detecting the malware. The cheat scandal also changed the meaning of the terms “insider attack” and “rogue employee”. These cases demonstrate the magnitude of a “supply chain attack” could affect almost 12 million vehicles. This supply chain compromise of the controller logic with alternative logic would be relevant to any industry or manufacturing process especially with the participation of control system domain experts.
Thinking about the cheating scandals is timely. On September 14, 2020, the US DOJ released information regarding a settlement reached with Daimler over the emissions cheating scandal https://www.inquirer.com/wires/ap/daimler-ag-pay-15b-settle-emissions-cheating-probes-20200914.html. The agreement between the two entities resulted in Daimler agreeing to pay $1.5 billion in reparations that affected 250,000 cars and trucks. The deal was proposed between the DOJ, the Environmental Protection Agency, the California Air Resources Board, and Daimler. This will clear Daimler of all accusations of violating the US Clean Air Act. Daimler also faced a regulatory probe in Germany. Around 60,000 vehicles of the Mercedes-Benz GLK 220 CDI models produced between 2012 and 2015 were affected. The KBA had previously ordered Daimler to recall 700,000 vehicles worldwide, including 280,000 in Germany, over the illegal software.
Diesel investigations have been running in Germany and elsewhere since 2015, when automobile giant Volkswagen admitted to building cheat devices into 11 million cars worldwide.
In January 2017, the EPA accused Fiat Chrysler of illegally installing software on about 104,000 pickups and sport-utility vehicles that spewed harmful pollutants while failing to disclose the technology. The allegations involve the 2014, 2015, and 2016 Jeep Grand Cherokee and light-duty Ram 1500 pickup trucks with 3-liter diesel engines. The EPA said the automaker installed eight different undisclosed software programs on the vehicles. Fiat Chrysler paid $945 million in penalties, including civil and otherwise. The automaker was also required to recall and repair all affected Fiat Chrysler diesel vehicles sold with a defective device.
My database counted the Volkswagen, Fiat-Chrysler, and Daimler-Mercedes cases as one incident each, not the almost 12 million cars and trucks that were involved. This is why my database has less than 1,300 actual control system cyber incidents rather than millions if I would have counted each individual case.
A key point is the definition of “insider threat.” It can mean a rogue insider individual, an unwitting accomplice of an outsider, or corporate misconduct. In any case, the insider threat should draw attention to the importance of monitoring processes, process sensors, and process controllers inside an industrial or manufacturing organization. Once an attacker (person or logic) is in place, the attacker can function as a trusted insider.
Joe Weiss
