Imagine this scenario: It’s an ordinary day at a typical chemical plant. The operation is humming along with everything apparently working fine. Suddenly, alarms sound from the facility’s environmental monitoring systems. A chemical spill is occurring, with a hazardous product escaping from one of the process units. Workers are thoroughly trained and immediately take action in keeping with a well-rehearsed response. They cordon off the affected areas and start mitigation steps. However, the release is much larger than anyone imagined possible. Why? A remote valve was opened, allowing product to run out at a very fast rate.
Such an incident shouldn’t be possible. There’s an alarm attached to the valve. Opening the valve, even slightly, should cause an immediate response — except this time it didn’t.
This malicious cyber attack required two specific, coordinated actions: opening the valve and suppressing its alarm.
This was not simply a case of randomly disrupting a network; the attacker pinpointed two functions and targeted both to cause the incident. A cyber criminal or hacktivist could pull this off in many ways, but here we’ll concentrate on one attack vector: the plant’s wireless networks.
In this example, the hacker exploited an obsolete and ineffective encryption protocol on an old wireless network component still working on the edge of the network to service a low-priority function. It became the weak point in the plant’s cyber architecture and was exploited. Let’s look at how this type of incident could occur, starting from the basics.
What Does Wireless Mean?
Let’s stop to think about the term “wireless” for a moment. It indicates the network communicates without using wires but not how. It would be more correct to say the network communicates over shared radio spectrum, much of it unlicensed and open to any device. Now, consider how radio works.
A transmitter broadcasts a signal on a given frequency within an area; anyone with a receiver tuned to that frequency and within the coverage area can receive the signal. There’s nothing you as the transmitting party can do to stop someone else from receiving your transmission. You can encrypt the content and make the signal unintelligible but you can’t completely control how the transmission propagates.
Similarly, anyone with a transmitter also can broadcast on the same frequency you’re using, interfering with your desired signal. Techniques such as channel hopping, used in industrial wireless protocols like ISA100, make it more difficult for someone to capture, jam or spoof the desired communication, but they raise the bar rather than remove the exposure. Radio by its nature is an insecure, publicly shared medium.
My CP article last year, “Watch Out for Wireless Network Attacks,” focused on how consumer devices, such as drones, can be and have been used to disrupt wireless networks by carrying transmitters into sensitive areas. It focused on what often is called jamming, where some sort of broadcast on the same frequency as an existing wireless network interferes with desired communications. This may be intentional or inadvertent.
Wireless plant networks, typically Wi-Fi and wireless instrumentation, now are ubiquitous in chemical manufacturing environments (Figure 1). Your plant probably uses such a network. In all likelihood, the people responsible for your cyber security raised concerns about the wireless deployment when it first was discussed, warning that it would create an additional attack vector for all kinds of bad actors wanting to break into plant networks.
Those in favor of extending wireless into the plant argued for all the wonderful things wireless networks can do, chiefly supporting new ways of communicating and gathering information at a fraction of the cost of adding or extending wired networks. While acknowledging security as a concern, the IT security personnel promised they would keep up with new developments and could tighten the plant network configurations at any time in the future. However, years passed and that first wireless network has never been updated or upgraded. It still uses encryption that was state of the art in the 1990s; WEP, the original Wi-Fi encryption, dates from 1997 and was practically breakable within a few years of its release. Yet plant network operators continue to believe it is secure against 21st century threats.
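The first step in finding that forgotten 1990s-era network is a site survey that grades every access point by the link-layer security it actually offers. The following Python script is an added example and is not part of the original article; it parses a scan listing in the layout printed by `iw dev <interface> scan` on Linux (the exact indentation is an assumption about that tool’s output) and flags open networks, WEP, WPA/TKIP, missing management-frame protection and PSK-only authentication. The SSIDs and BSSIDs in the embedded sample are constructed for the example.

```python
"""Grade Wi-Fi networks from an `iw dev <if> scan` listing by link-layer security.

Added example, not code from the article. The sample below is constructed in the
layout `iw` prints; SSIDs and BSSIDs are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_SCAN = """\
BSS 02:11:22:33:44:01(on wlan0)
\tfreq: 2412
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -61.00 dBm
\tSSID: PLANT-LEGACY-AP
BSS 02:11:22:33:44:02(on wlan0)
\tfreq: 2437
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -55.00 dBm
\tSSID: PLANT-OPS
\tWPA:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: CCMP TKIP
\t\t * Authentication suites: PSK
\tRSN:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: CCMP TKIP
\t\t * Authentication suites: PSK
BSS 02:11:22:33:44:03(on wlan0)
\tfreq: 5180
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -70.00 dBm
\tSSID: PLANT-GUEST
BSS 02:11:22:33:44:04(on wlan0)
\tfreq: 5220
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -48.00 dBm
\tSSID: PLANT-CONTROL
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: IEEE 802.1X
\t\t * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
"""

LEGACY_CIPHERS = {"TKIP", "WEP-40", "WEP-104"}


@dataclass
class Network:
    bssid: str
    ssid: str = ""
    privacy: bool = False                     # "Privacy" bit in the capability field
    wpa: Optional[Dict[str, List[str]]] = None  # WPA (v1) information element
    rsn: Optional[Dict[str, List[str]]] = None  # RSN (WPA2/WPA3) information element


def parse_iw_scan(text: str) -> List[Network]:
    """Split an iw scan listing into Network records, keeping the WPA/RSN fields."""
    nets: List[Network] = []
    cur: Optional[Network] = None
    section: Optional[Dict[str, List[str]]] = None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:                                  # new access point starts a record
            cur = Network(bssid=m.group(1))
            nets.append(cur)
            section = None
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur.ssid = s[5:].strip()
        elif s.startswith("capability:"):
            cur.privacy = "Privacy" in s
        elif s.startswith("WPA:"):             # header line also carries "* Version: 1"
            cur.wpa, section = {}, None
            section = cur.wpa
            s = s[4:].strip()
        elif s.startswith("RSN:"):
            cur.rsn = {}
            section = cur.rsn
            s = s[4:].strip()
        if section is not None and s.startswith("*"):
            key, _, val = s.lstrip("* ").partition(":")
            section[key.strip()] = val.split()  # e.g. "Pairwise ciphers" -> ["CCMP", "TKIP"]
    return nets


def assess(net: Network) -> Tuple[str, List[str]]:
    """Return (grade, reasons); grade is FAIL, WARN or OK."""
    if not net.privacy:
        return "FAIL", ["open network: no link-layer encryption"]
    if net.rsn is None and net.wpa is None:
        return "FAIL", ["Privacy bit set but no WPA/RSN element: WEP, practically broken since 2001"]
    findings: List[Tuple[str, str]] = []
    if net.rsn is None:
        findings.append(("FAIL", "WPA (2003 interim standard) only, no WPA2/RSN"))
    ciphers = set()
    for ie in (net.wpa, net.rsn):
        if ie:
            ciphers |= set(ie.get("Pairwise ciphers", [])) | set(ie.get("Group cipher", []))
    weak = sorted(ciphers & LEGACY_CIPHERS)
    if weak:                                   # a client can still negotiate the weak cipher
        findings.append(("FAIL", "legacy cipher(s) still negotiable: " + ", ".join(weak)))
    if net.rsn is not None:
        akms = set(net.rsn.get("Authentication suites", []))
        caps = set(net.rsn.get("Capabilities", []))
        if "MFP-required" not in caps:
            findings.append(("WARN", "management frame protection not required: deauth/disassoc frames can be spoofed"))
        if "PSK" in akms and not akms & {"SAE", "802.1X"}:
            findings.append(("WARN", "pre-shared key only: prefer 802.1X or WPA3-SAE"))
    if not findings:
        return "OK", ["RSN with AES-CCMP, MFP required, strong authentication suite"]
    grade = "FAIL" if any(g == "FAIL" for g, _ in findings) else "WARN"
    return grade, [msg for _, msg in findings]


def audit(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each SSID in the listing to its grade and reasons."""
    return {n.ssid: assess(n) for n in parse_iw_scan(text)}


if __name__ == "__main__":
    for ssid, (grade, reasons) in audit(SAMPLE_SCAN).items():
        print(f"{grade:4} {ssid}: " + "; ".join(reasons))
```

Run it against a real listing with `sudo iw dev wlan0 scan > survey.txt` and pass the file contents to `audit`. Note that a mixed-mode access point (`PLANT-OPS` above) fails even though it advertises AES-CCMP, because any client can still negotiate TKIP; the remediation is to disable WPA and TKIP on the controller, not merely to add WPA2.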