The chemical and other industrial plant systems containing computer components like process automation platforms now are termed cyber-physical systems (CPSs). The control, network and communication elements are the cyber side while the instruments, valves and vessels they control are the physical assets. Returning to the opened-valve scenario, the chemical spill was an all too physical reminder of how these systems are connected. The U.S. National Institute of Standards and Technology (NIST) defines CPSs as: “Smart systems that are co-engineered interacting networks of physical and computer components.”
Cyber criminals and nation-state actors usually are trying either to steal intellectual property or to cause some type of incident. Those interested in the former may believe a plant's wireless network isn't as well protected as corporate IT networks, and therefore use it as a means of entry to the local plant networks, and ultimately to the corporate network.
Hacktivists interested in creating an incident will fixate on the plant and how it operates, either to cause embarrassment for the company, extort money or advance an environmental agenda. An effort such as opening the valve in our example requires extensive study of the plant’s equipment and networks, and as such, truly is a CPS attack.
My earlier article considered how wireless networks could be disrupted. However, they also can serve as a means of entry into a larger cyber environment. This involves a more sophisticated effort but can use the same tools.
As already mentioned, radio propagation can’t be precisely controlled. It can be managed to a large extent, though. Clever use of antennas and transmitter locations can reduce a Wi-Fi network’s tendency to spread outside the fence line. A hacker, if unable to pick up a usable signal by sitting in a car in a convenient spot, may resort to using a drone as a relay device, landing it in a strategic spot where it can extend the hacker’s reach.
Network designers may not worry too much about a network spilling into an area considered to be effectively inaccessible. For example, a large chemical plant located on a navigable waterway may allow the coverage to drift over the water. Recent events suggest this isn’t as safe as it may seem.
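A free-space link budget makes the "drift over the water" concern concrete. The following is an added worked example, not code or data from the original article: it computes how far from an access point a receiver can still decode the signal, and compares a laptop's built-in antenna with a high-gain directional antenna of the kind that can be mounted on a vehicle or a ship's mast. The transmit power, antenna gains and receiver sensitivity are illustrative assumptions, and free-space loss is the optimistic case (over land, buildings and foliage add loss; over open water the free-space figure is much closer to reality).

```python
"""Free-space link budget for a 2.4 GHz Wi-Fi access point.

Added example. All numeric figures are assumptions for illustration:
  - AP: 17 dBm into a 3 dBi omni (20 dBm EIRP, the European 2.4 GHz limit)
  - receiver sensitivity: -90 dBm (typical datasheet value at 1 Mb/s DSSS)
  - receive antenna: 2 dBi (laptop) versus 24 dBi (parabolic grid on a mast)
"""
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss in dB: 20*log10(4*pi*d*f / c)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def received_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                 distance_m: float, freq_hz: float) -> float:
    """Received power in dBm at a given distance (free space, no fade margin)."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


def max_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                sensitivity_dbm: float, freq_hz: float,
                fade_margin_db: float = 0.0) -> float:
    """Largest distance at which received power still meets sensitivity plus margin.

    Solves tx + gains - FSPL(d) = sensitivity + margin for d.
    """
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm - fade_margin_db
    return C / (4 * math.pi * freq_hz) * 10 ** (budget_db / 20)


# Assumed scenario (see module docstring).
AP_TX_DBM = 17.0
AP_GAIN_DBI = 3.0
RX_SENS_DBM = -90.0
FREQ_HZ = 2.4e9
LAPTOP_GAIN_DBI = 2.0
DISH_GAIN_DBI = 24.0


def compare_receivers(fade_margin_db: float = 0.0) -> dict:
    """Return free-space reach, in metres, for the laptop and dish receivers."""
    laptop = max_range_m(AP_TX_DBM, AP_GAIN_DBI, LAPTOP_GAIN_DBI,
                         RX_SENS_DBM, FREQ_HZ, fade_margin_db)
    dish = max_range_m(AP_TX_DBM, AP_GAIN_DBI, DISH_GAIN_DBI,
                       RX_SENS_DBM, FREQ_HZ, fade_margin_db)
    return {"laptop_m": laptop, "dish_m": dish, "ratio": dish / laptop}


if __name__ == "__main__":
    print(f"FSPL at 1 km, 2.4 GHz: {fspl_db(1000, FREQ_HZ):.1f} dB")
    for margin in (0.0, 10.0):
        r = compare_receivers(margin)
        print(f"fade margin {margin:4.0f} dB: laptop {r['laptop_m']/1000:6.1f} km, "
              f"24 dBi dish {r['dish_m']/1000:6.1f} km (x{r['ratio']:.1f})")
```

Every 6 dB added to the budget doubles the free-space distance, so swapping a 2 dBi laptop antenna for a 24 dBi dish (22 dB) multiplies reach by about 12.6. Passive capture, which is all that WEP key recovery from collected traffic requires, only needs this one-way budget to close; the attacker's own transmit power does not enter into it.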
Probing For Vulnerabilities
Consider the strange case of the oil tanker Chem Hydra. This 114-m-long Marshall Islands-flagged vessel traveled up the St. Lawrence River and through the Great Lakes to the port of Green Bay, Wisc. In September 2013, U.S. Coast Guard agents boarded the ship and found equipment installed and an antenna deployed to look for Wi-Fi networks. The computer running the system was using WEPCRACKGUI, an automated software tool designed to break into inadequately protected networks.
Because the ship could be equipped with sophisticated antennas, it had the ability to interact with networks at longer distances than most land-based equipment, which needs to remain less conspicuous. Reports following the incident suggest the equipment was under the control of several Ukrainian or Russian crewmembers; whether the effort was directly state-sponsored wasn’t proven conclusively.
Following this incident, the state of Louisiana worked with the Coast Guard to perform its own vulnerability assessment of the large cluster of chemical and petroleum facilities located along the lower Mississippi River, primarily between Baton Rouge and New Orleans. “Operation Watersnake” discovered that nearly one-third of the networks tested showed high vulnerabilities due to weak or nonexistent encryption. This testing was performed from a vessel in the river communicating with operating Wi-Fi networks. The Coast Guard is concerned about this kind of activity and has received multiple reports of foreign-flagged vessels probing for vulnerabilities in networks near waterways (Figure 2).
The hackers on the Chem Hydra employed a tool designed to find Wi-Fi networks using WEP encryption as the primary security mechanism. WEP was first introduced for Wi-Fi networks in 1999 and was effectively supplanted by WPA with TKIP or AES by 2003. WEP can be broken in minutes with common software tools, and even WPA with TKIP has been considered inadequate for more than 10 years.
Unfortunately, numerous sites still have some hardware using these obsolete protocols. Many routers made before WPA2 with AES-CCMP became mandatory for Wi-Fi certification in 2006 continue to be used. They work and are thought to be secure because they require a password, but in reality they offer little or no protection against wireless intrusion. Hackers only need to find that one piece of old equipment to gain an entry point.
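The "find the one old access point" problem is easiest to manage by auditing your own airspace the way Operation Watersnake did. The following is an added example, not code from the article or from any of the tools it names: it parses an airodump-ng style CSV export (the column layout is assumed here) and rates each access point by its link-layer security, treating open and WEP networks as critical and any network that still permits TKIP, including WPA2 "mixed mode", as high risk. The sample rows are constructed for illustration; the BSSIDs and network names are made up.

```python
"""Rate Wi-Fi access points by link-layer security from an airodump-ng style CSV.

Added example. The column order below (BSSID, ..., Privacy, Cipher,
Authentication, ..., ESSID, Key) is assumed to match airodump-ng's export;
only the access-point section is read, the client section is skipped.
"""
import csv
import io

# Constructed sample of the access-point section; BSSIDs and ESSIDs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-09-10 10:00:00, 2013-09-10 10:05:00,  6,  54, WEP , WEP, OPN, -60, 120, 3000,   0.  0.  0.  0,  9, DockScada,
00:11:22:33:44:66, 2013-09-10 10:00:00, 2013-09-10 10:05:00, 11,  54, WPA , TKIP, PSK, -72,  80,    0,   0.  0.  0.  0, 15, TankFarm-Legacy,
00:11:22:33:44:77, 2013-09-10 10:00:00, 2013-09-10 10:05:00,  1,  54, OPN ,     ,    , -65,  95,    0,   0.  0.  0.  0, 14, PlantOps-Guest,
00:11:22:33:44:88, 2013-09-10 10:00:00, 2013-09-10 10:05:00,  6, 130, WPA2 WPA, CCMP TKIP, PSK, -58, 140,    0,   0.  0.  0.  0,  8, PlantOps,
00:11:22:33:44:99, 2013-09-10 10:00:00, 2013-09-10 10:05:00, 36, 300, WPA2, CCMP, MGT, -70, 110,    0,   0.  0.  0.  0, 11, PlantOps-5G,
00:11:22:33:44:AA, 2013-09-10 10:00:00, 2013-09-10 10:05:00, 44, 866, WPA3, CCMP, SAE, -75,  60,    0,   0.  0.  0.  0, 12, Control-WiFi,
"""


def parse_access_points(csv_text: str):
    """Yield one dict per access-point row; stop at the client ('Station MAC') section."""
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    header_seen = False
    for row in reader:
        if not row or not row[0].strip():
            continue
        first = row[0].strip()
        if first == "BSSID":
            header_seen = True
            continue
        if first == "Station MAC":
            break
        if not header_seen or len(row) < 14:
            continue
        yield {
            "bssid": first,
            "privacy": row[5].strip().upper(),
            "cipher": row[6].strip().upper(),
            "auth": row[7].strip().upper(),
            "essid": row[13].strip(),
        }


def rate(ap: dict) -> tuple:
    """Return (rating, reason) for one access point."""
    priv = set(ap["privacy"].split())
    ciph = set(ap["cipher"].split())
    if not priv or "OPN" in priv:
        return "CRITICAL", "open network, no link-layer encryption"
    if "WEP" in priv or ciph & {"WEP", "WEP40", "WEP104"}:
        return "CRITICAL", "WEP: key recoverable from captured traffic with standard tools"
    if "TKIP" in ciph or priv == {"WPA"}:
        if priv & {"WPA2", "WPA3"}:
            return "HIGH", "mixed mode still allows TKIP; a client can negotiate the weak cipher"
        return "HIGH", "WPA with TKIP only; TKIP is deprecated"
    if priv & {"WPA2", "WPA3"} and ciph & {"CCMP", "GCMP"}:
        note = ("802.1X/EAP authentication" if "MGT" in ap["auth"].split()
                else "pre-shared key: strength depends on the passphrase")
        return "OK", f"{ap['privacy']} with {ap['cipher']}; {note}"
    return "UNKNOWN", f"unrecognised privacy={ap['privacy']!r} cipher={ap['cipher']!r}"


def audit(csv_text: str) -> list:
    """Rate every access point in the export."""
    findings = []
    for ap in parse_access_points(csv_text):
        rating, reason = rate(ap)
        findings.append({**ap, "rating": rating, "reason": reason})
    return findings


def fraction_weak(findings: list) -> float:
    """Share of networks rated HIGH or CRITICAL, the kind of figure a survey reports."""
    if not findings:
        return 0.0
    weak = sum(f["rating"] in ("HIGH", "CRITICAL") for f in findings)
    return weak / len(findings)


if __name__ == "__main__":
    results = audit(SAMPLE_CSV)
    for f in results:
        print(f"{f['rating']:8} {f['essid']:16} {f['bssid']}  {f['reason']}")
    print(f"weak networks: {fraction_weak(results):.0%}")
```

Run the rating over a capture taken from the spots an attacker would use, outside the fence line and from the water, not from inside the plant; the point of the survey is to find what is decodable from there. A WPA2 network that passes this check still needs a strong passphrase or 802.1X, and the rating says nothing about what the access point is wired to on the plant side.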
Strategies For Protection
The first consideration when planning defenses is realizing that attacks can come from a variety of directions. A hacker probing your Wi-Fi networks may be:
• network sniffing via drone;
• sitting outside the fence line in a secluded spot or tree line;
• employing distance-extending antenna equipment;
• using equipment on a passing ship or smaller watercraft; or
• waiting near a rail entry point or other areas around the facility perimeter.