Nick Denbow’s European report: Process plants as weapons of war
February 2018, This Week's Editor's Pick, News
Malware over the Internet has replaced the large gunboat that was dispatched in previous times – say 200 years ago – to send a message to the heart of a rival nation, indicating that relationships were becoming a little frosty. Then submarines and ICBMs were introduced, as less vulnerable to counter-attack, and providing hidden strength to be activated when necessary. The same applies to malware, in that once it is in place the weapon can be hidden and remain dormant until required. However, with any new missile system or weapon, the routing, targeting and performance of the latest versions have to be tested, and often this testing can be observed and monitored.
For any nation or group with an evil intent against another, this gives a major opportunity to cause chaos or damage to the infrastructure or manufacturing operations of a target country. This was seen in 2010 with Stuxnet, the Malware targeted at Siemens controllers in Iranian nuclear centrifuge installations. The source of the virus (officially) was never traced, but it was thought to have been from Israel, possibly with support from the USA. So Iran saw the effectiveness of this approach, and then developed the Shamoon virus, which caused major damage to all networked PCs at Aramco in Saudi Arabia in 2012. A further variant of Shamoon was unleashed in 2016/17, targeting ordinary computer systems around the Persian Gulf, as well as in Saudi Arabia.
Malware at dawn the new weapon of choice
Following these events, many cybersecurity service businesses and departments appeared, in addition to those which were developing anti-virus systems to protect computers from hacking by fraudsters and criminals. Both of these types of company monitor any new attacks and intrusions, and normally report that state sponsored hacking is known to have originated from Israel, Iran, Russia, USA, and North Korea. Indeed some of the most active hacking has been from a Russian group known as Sandworm, particularly disrupting networks and systems in the Ukraine starting in 2014. Malware called ‘Industroyer’ was used in 2016 to cause a power blackout in Kiev, by modifying the ABB configuration files in the electricity supply grid network systems.
Two such cybersecurity service businesses are FireEye and Dragos, based in the USA. In December 2017 they reported on a new attack (actually seen several months before) delivering malware into an unnamed petrochemical plant control system in the Middle East. Others have reported this malware was most likely to have been developed in Iran and targeted at a Saudi Arabian installation. The FireEye investigation team from their Mandiant subsidiary found that the plant safety system, a Triconex SIS, had caused an unexpected safety shutdown. Triconex is a company within Schneider Electric, following their acquisition of the Invensys Group: their triple-redundant safety systems protect major hazardous installations such as petrochemical plants. They also are the ultimate shutdown safety system for many nuclear power plants around the world, including most of those in China.
Safety systems could become the prime target
FireEye called the malware they found Triton, also known as Trisis. The implication of their report was that the Triton attack framework gained remote access to an SIS engineering workstation, sought out the Triconex controllers, and tried to inject new commands into their operations. It seems that the workstation (on site) was in program mode at this time, hence opening a potential window. There was no indication that the malware used any vulnerability in the Triconex system or its program code. In fact the triple redundant safety system reacted properly: the new single instruction did not pass the built-in validity checks, and so Triconex shut down the plant operations safely, as is the requirement of such a safety system.
FireEye interprets that this attack, which shows persistence, the lack of any clear monetary goal, and the technical resources necessary to create such an attack framework, as suggesting the origin is a well-resourced ‘nation-state’ actor. Either this current attack is reconnaissance development testing of part of what would need to be a significantly expanded multi-point approach to penetrate and control Triconex, or at a minimum, it is designed to be economically disruptive to the target plant. Other commentators have suggested that Triton could prevent the Triconex SIS from carrying out its safety function, and drive the plant to destruction. Whilst this is unlikely, and not supported by current knowledge, the malware is undoubtedly aimed at the safety system, and Triconex is the omnipresent safety system used in most of the hazardous plants across all countries, whatever the origin of the plant control system.
Industrial control systems – for petro-chemical plants, nuclear and other power stations, water treatment plants, power grids – are standardised across the world, so that they can accept inputs from equipment from many manufacturers: this is good, because there are no monopolies. It is also bad, because anyone can learn how to access these systems.
While there are maybe 10 major DCS suppliers worldwide, the SIS supplier base is much smaller – there are two or three suppliers. Of these, Triconex is by far the largest supplier, making them a very tempting target for anyone intent on world domination!
Nick Denbow spent 30 years as a UK-based process instrumentation marketing manager, and then changed sides – becoming a freelance editor and starting Processingtalk.com. Avoiding retirement, he published the INSIDER automation newsletter for five years, and then acted as their European correspondent. He is now a freelance Automation and Control reporter and newsletter publisher, with a blog on www.nickdenbow.com
- Case History 158: Report on temperature control of an autoclave
January 2018, Michael Brown Control Engineering, This Week's Editor's Pick, Motion Control & Drives
I was recently asked to help with a client who treats a product in an autoclave and was complaining that they always got overshoot on a step setpoint change to holding temperature. The following is taken ...
- Nick Denbow’s European report: Benefiting from technology transfer between modern industries
January 2018, This Week's Editor's Pick
This month, I take a different look at how technology can be transferred between industries, and used to solve heart-wrenching problems. Always touted as the birthplace of new technology applications, ...
- Trends in process safety systems
January 2018, This Week's Editor's Pick
Market is changing
The global process safety systems market is changing in a rapid and dramatic way. Less industrialised countries continue efforts to grow their economies and build mega plants. These ...
- Innovating in the process industry with PLM
December 2017, Absolute Perspectives, This Week's Editor's Pick, IT in Manufacturing
There might be an opportunity for you to adopt a proven technique from another industry in a new way and thereby gain a competitive edge for your business in its own niche.
- Nick Denbow’s European report: Bürkert’s investment in SAW technology now paying off
December 2017, This Week's Editor's Pick, News
The SAW (surface acoustic wave) technique offers fascinating opportunities for many different styles of monitoring sensor. The first example seen many years ago really impressed me: it was called TorqSense, ...
- Will OPC UA TSN prevail over industrial Ethernet?
December 2017, This Week's Editor's Pick, IT in Manufacturing
OPC UA is a vendor-independent communication protocol designed for industrial use. TSN (time-sensitive networking) is a further development of the IEEE Ethernet standards. Together, they aim to offer ...
- Case History 157: Positive lead integrator tuning ‘party trick’.
November 2017, Michael Brown Control Engineering, This Week's Editor's Pick
Control loop optimisation has always fascinated me. In most cases when I am called into a plant to sort out a problem, it is something that they have been trying to fix for a long time without success. ...
- Nick Denbow’s European report: Modern trends in long distance power links
November 2017, This Week's Editor's Pick
Many of the changes in the way the world works lead to new opportunities for different technologies. This has led to a new approach to electricity distribution using HVDC – High Voltage Direct Current ...
- Compact drive technology from Beckhoff used in Synlight radiator
November 2017, Beckhoff Automation, This Week's Editor's Pick
The DLR Institute of Solar Research in Jülich, Germany, recently put the Synlight high-flux solar simulator into operation. This high-power radiator – the only one of its kind in the world so far – consists ...
- The potential value of manufacturing analytics
October 2017, Absolute Perspectives, This Week's Editor's Pick, IT in Manufacturing
Mature analytics organisations understand the value of using digital technology to tap into data to achieve better business performance.
- Nick Denbow’s European report: The market for solar power
October 2017, This Week's Editor's Pick
Most of the time, developments in industrial technology are a success or failure as a result of the benefits provided to the customer – often in terms of cost, but also factors like accuracy, reliability, ...
- Next-gen MES Technology
October 2017, This Week's Editor's Pick, IT in Manufacturing
Manufacturing execution systems (MES) can help manufacturers and other industrial organisations reduce costs while improving operations, collaboration, asset management, workflow and safety.