As an experienced cyber first responder, Julian Gutmanis had been called plenty of times before to help companies deal with the fallout from cyberattacks. But when the Australian security consultant was summoned to a petrochemical plant in Saudi Arabia in the summer of 2017, what he found made his blood run cold.
The hackers had deployed malicious software, or malware, that let them take over the plant’s safety instrumented systems. These physical controllers and their associated software are the last line of defense against life-threatening disasters. They are supposed to kick in if they detect dangerous conditions, returning processes to safe levels or shutting them down altogether by triggering things like shutoff valves and pressure-release mechanisms.
The malware made it possible to take over these systems remotely. Had the intruders disabled or tampered with them, and then used other software to make equipment at the plant malfunction, the consequences could have been catastrophic. Fortunately, a flaw in the code gave the hackers away before they could do any harm. It triggered a response from a safety system in June 2017, which brought the plant to a halt. Then in August, several more systems were tripped, causing another shutdown...
I presume that we all knew these days were coming, once we heard about Stuxnet. It's still surprising to me that people figure out ways to connect their physical plant to the internet when it doesn't seem to be necessary, although sufficiently determined people can figure out how to jump air gaps. (At some point, does cybersecurity become an EH&S issue at large enough plants?)
Here's hoping that some kind of global treaty convinces people to take a step back from these situations...
CJ, I think the people most interested in taking down a petrochemical plant are likely to be activists, i.e. non-state actors unlikely to feel bound by treaties... I think competitors are both more likely to see channels like OPEC as a viable dispute resolution medium, and more likely to see a mutually assured destruction rationale for not going the malware route.
OK, I was wrong... the article quotes people who think Badguy.RU is the perp. (Not that it's definitive, but they're the most likely suspect.)
I see potential for a chemical plant disaster to happen when some malware happens to take control of a process control computer rather than a computer controlling a company's payroll.
There aren't that many people out there who both want to blow up a chemical plant and have the skills to do so via a cyber attack, but there are plenty of malware authors out there, and plenty of cases of malware causing collateral damage.