Feedback September 2008

Sept. 5, 2008
Control System Cyberthreats: Another Y2K or the Real Deal?

[Editor’s note: On Aug. 10, Editor in Chief Walt Boyes wrote a SoundOff! blog post called, “Security and Safety with Blood and Guts.” In it, he recommends the monograph, “Weapons of Mass Casualties and Terrorism Response Handbook” by Charles Stewart, M.D., FACEP. The monograph, says Walt, “is an absolutely terrifying look at what might happen if a terrorist attack on the control systems of critical infrastructure industries, or, God forbid, more than one attack, might succeed.” The post generated quite a dialog. We’re reproducing some of the best here.]

Francis L: When you say things like “blow up a refinery,” it suggests some software fault (caused by some hacker) might be able to do it. But, as you know, the ultimate protection (and a great deal of effort goes into it) is at the lowest physical level possible—relief valves, for example, and hardwired logic, high-integrity safety systems, etc. I had this argument over Y2K many years ago. Don’t you think you may be feeding the trolls?

Walt: No, I’m not feeding trolls. Francis, I saw a live demonstration of a hack against a SIS system last week. It took 26 seconds to cause the valves to fail open. The danger is, in fact, real.

Francis: More details please, Walt. My mind boggles that anyone could engineer an SIS to permit such a hack, and how such an SIS could be called a safety system. Doesn’t this situation imply  a failure in the SIS (hacked or not) could open the valves? So how can it be called an SIS?

Walt: Your guess is as good as mine. Fact remains, this product is being sold as a SIS. I don’t know the vendor. Anytime a SIS is connected to the plant network, it becomes open to an attack. Nearly all PLCs, including safety PLCs are vulnerable to DoS attacks unless properly firewalled.

Francis: Walt, I’d like to briefly explain what I’d expect to find in an SIS, and indeed what I thought they did. They used to have: 1) A physical switch, in fact, a key switch. Only when the key is inserted and turned to the “Allow Program Change” setting should it be possible to change the software that can open valves, etc. 2) The control logic must run independent of the network it’s connected to. Yes, the controller should expose the values of its variables and I/O to the network, but read-only mostly. The network should only write to the SIS values that can’t override the safety. I really thought this sort of protection, and much more, were defined as paramount aspects of SIS design. It’s impractical for PCs, but nobody would use a PC for an SIS, would they? As I said earlier, I worked on Y2K. I found that the people selling the disaster scenario had no idea  what a process controller is.

Comment by ab3a: Francis, I was there too. The demonstration PLC was in a black box because the security firm was working with the vendor to correct these problems. This wasn’t some esoteric or fancy programming hack. In fact, it was so simple that most of us who understood what it was were shaking our heads in amazement. You need to understand that SIS doesn’t deal with security. It’s focused almost entirely on reliability. This is one reason why my skin crawls every time I see someone marketing an SIS controller that sits on a network. 

For more of this thread, go to Security and Safety with blood and guts. Then scroll to August 10 entry.