Marina Krotofil's presentation on how to hack a chemical plant and its implications for actual issues at a nuclear plant

There have been a number of very interesting presentations at this year's ICS Cyber Security Conference. I will provide some observations on selected presentations over the next few days. I wanted to start with Marina Krotofil's presentation on hacking a chemical plant. It was a very interesting presentation because it was about how to cause physical damage to a chemical plant by focusing on the vulnerabilities of the process and control design, not the traditional cyber pathways.

One of Marina's slides caught my attention. It was about compromising operator displays by addressing sensor signal processing filters. Many years ago (long before I was working on cyber security), I was working on a flow-induced vibration monitoring problem affecting an entire product line of nuclear plants. The vibration had caused a physical problem: significant damage to the nuclear fuel system at a plant. The indicator of this physical problem was a vibration resonance indicated by the plant's in-core instrumentation recorders. Consequently, the recorder information was important as it was the only indication of the problem, and the plants would reduce power to avoid operating in this regime.

Two “identical” nuclear plants reported to the plant vendor that one plant had the vibration problem and was operating accordingly while the other “identical” plant did not have the problem and was operating at full power. What I discovered was that BOTH plants had the flow-induced vibration issue. However, one chart recorder had indicated the problem while the chart recorder on the other plant had the chart filter altered to eliminate the higher frequency noise in the signal that was indicative of the flow vibration. This resulted in the “filtered” plant operating in an “unsafe” condition and the operators were unaware.
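The masking effect in the chart recorder story can be reproduced on constructed data and checked for by comparing the displayed signal against an unfiltered tap. This is an added example, not part of the original post; the sample rate, frequencies, thresholds and function names are assumptions, and it presumes a raw copy of the sensor signal is available for comparison.

```python
import math

FS = 200.0        # sample rate in Hz (assumed)
F_PROCESS = 0.5   # slow process variation in Hz (assumed)
F_VIB = 25.0      # vibration resonance frequency in Hz (assumed)

def raw_signal(n, vib_amp):
    """Constructed sensor signal: slow process trend plus a vibration tone."""
    return [math.sin(2 * math.pi * F_PROCESS * i / FS)
            + vib_amp * math.sin(2 * math.pi * F_VIB * i / FS)
            for i in range(n)]

def low_pass(samples, cutoff_hz):
    """First-order IIR low-pass, standing in for the recorder's display filter."""
    alpha = 1.0 - math.exp(-2 * math.pi * cutoff_hz / FS)
    out, y = [], samples[0]
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out

def tone_amplitude(samples, freq_hz):
    """Goertzel estimate of the amplitude of a single frequency component."""
    n = len(samples)
    k = round(freq_hz * n / FS)              # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2 * math.sqrt(max(power, 0.0)) / n

def masked_resonance(raw, displayed, freq_hz, alarm_amp, min_ratio=0.5):
    """True when the raw tap carries the resonance but the display has lost it."""
    a_raw = tone_amplitude(raw, freq_hz)
    a_disp = tone_amplitude(displayed, freq_hz)
    return a_raw >= alarm_amp and a_disp < min_ratio * a_raw

if __name__ == "__main__":
    raw = raw_signal(2000, vib_amp=0.3)      # 10 s of constructed data
    for label, cutoff in (("wide filter", 80.0), ("altered filter", 1.0)):
        shown = low_pass(raw, cutoff)
        print(label, round(tone_amplitude(shown, F_VIB), 3),
              "MASKED" if masked_resonance(raw, shown, F_VIB, 0.1) else "visible")
```

Both simulated plants have the same underlying vibration; only the display filter setting decides whether the operator can see it, which is why filter parameters belong in the configuration baseline that gets audited.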


  • It is without doubt that compromising plant operability can have very serious consequences. The vibration filter being one example, but certainly not the only one. I encountered situations where it was possible to change the ESD trip point by modifying a sensor range (or characterization) from a L3 (ISA 99 level) asset management node. One of the biggest problems today is that systems undergo security assessments without recognizing the many trust relations within a system. The focus is very much on IT settings, forgetting the applications and therefore not addressing ICS specific vulnerabilities. ICS being a system of systems has many transitive trusts built in, bypassing access controls between security zones and often allowing a much wider trust scope than intended. For this purpose I have started building a library of cyber failure scenarios identifying how the ICS can be compromised. With a background in plant commissioning and process engineering, it is not difficult to translate the engineering mistakes of the past into a cyber failure scenario of the future. Your vibration example is an excellent new scenario. I am convinced that cyber failure scenarios are essential for a thorough cyber security assessment; the problem is that there are very few people that combine the knowledge of how ICS automate process control and IT security. This has led to a situation where many systems have undergone cyber security assessments without addressing the ICS component, leading to a false sense of security.

