Imagine this scenario: It’s an ordinary day at a typical chemical plant. The operation is humming along with everything apparently working fine. Suddenly, alarms sound from the facility’s environmental monitoring systems. A chemical spill is occurring, with a hazardous product escaping from one of the process units. Workers are thoroughly trained and immediately take action in keeping with a well-rehearsed response. They cordon off the affected areas and start mitigation steps. However, the release is much larger than anyone imagined possible. Why? A remote valve was opened, allowing product to run out at a very fast rate.
Such an incident shouldn’t be possible. There’s an alarm attached to the valve. Opening the valve, even slightly, should cause an immediate response — except this time it didn’t.
This malicious cyber attack required two very specific actions to happen simultaneously: opening the valve and suppressing the alarm.
This simply wasn’t a case of randomly disrupting a network; the attacker pinpointed two functions to cause the incident. A cyber criminal or hacktivist could pull this off in many ways but here we’ll concentrate on one attack vector: the plant’s wireless networks.
In this example, the hacker exploited an obsolete and ineffective encryption protocol on an old wireless network component still working on the edge of the network to service a low-priority function. It became the weak point in the plant’s cyber architecture and was exploited. Let’s look at how this type of incident could occur, starting from the basics.
What Does Wireless Mean?
Let’s stop to think about the term “wireless” for a moment. It indicates the network communicates without using wires but not how. It would be more correct to say the network communicates by public radio frequencies. Now, consider how radio works.
A transmitter broadcasts a signal on a given frequency within an area; anyone with a receiver tuned to that frequency and within the coverage area can receive the signal. There’s nothing you as the transmitting party can do to stop someone else from receiving your transmission. You can encrypt the content and make the signal unintelligible but you can’t completely control how the transmission propagates.
Similarly, anyone with a transmitter also can broadcast on the same frequency you’re using, interfering with your desired signal. Techniques such as frequency hopping, used in industrial wireless protocols like ISA100, make it more difficult for someone to capture or spoof desired communication. However, radio by its nature is an insecure, publicly shared medium.
My CP article last year “Watch Out for Wireless Network Attacks,” focused on how consumer devices, such as drones, can and have been used to disrupt wireless networks by carrying transmitters into sensitive areas. It focused on what often is called jamming, where some sort of broadcast on the same frequency as an existing wireless network interferes with desired communications. This may be intentional or inadvertent.
Wireless plant networks, typically Wi-Fi and wireless instrumentation, now are ubiquitous in most chemical manufacturing environments (Figure 1). Your plant probably uses such a network. In all likelihood, the people responsible for your cyber security might even have raised concerns about the wireless deployment when it first was discussed — warning how it would create an additional attack vector for all kinds of bad actors wanting to break into plant networks.
Those in favor of extending wireless into the plant argued for all the wonderful things wireless networks can do, chiefly supporting new ways of communicating and gathering information at a fraction of the costs of adding or extending wired networks. While acknowledging security as a concern, the IT security personnel promised they would keep up with new developments and could tighten the plant network configurations at any time in the future. However, years passed and the first wireless network hasn’t been updated or upgraded. It still uses encryption that was state of the art in the 1990s. Yet, plant network operators continue to believe they are secure against 21st century threats.
The chemical and other industrial plant systems containing computer components like process automation platforms now are termed cyber-physical systems (CPSs). The control, network and communication elements are the cyber side while the instruments, valves and vessels they control are the physical assets. Returning to the opened-valve scenario, the chemical spill was an all too physical reminder of how these systems are connected. The U.S. National Institute of Standards and Technology (NIST) defines CPSs as: “Smart systems that are co-engineered interacting networks of physical and computer components.”
Cyber criminals and nation-state actors usually are trying to steal intellectual property or cause some type of incident. Those interested in the former may believe a plant’s wireless network isn’t as well protected as corporate IT networks, and therefore use it as a means of entry to the local plant networks, and ultimately to corporate networks.
Hacktivists interested in creating an incident will fixate on the plant and how it operates, either to cause embarrassment for the company, extort money or advance an environmental agenda. An effort such as opening the valve in our example requires extensive study of the plant’s equipment and networks, and as such, truly is a CPS attack.
My earlier article considered how wireless networks could be disrupted. However, they also can serve as a means of entry into a larger cyber environment. This involves a more sophisticated effort but can use the same tools.
As already mentioned, radio propagation can’t be precisely controlled. It can be managed to a large extent, though. Clever use of antennas and transmitter locations can reduce a Wi-Fi network’s tendency to spread outside the fence line. A hacker, if unable to pick up a usable signal by sitting in a car in a convenient spot, may resort to using a drone as a relay device, landing it in a strategic spot where it can extend the hacker’s reach.
Network designers may not worry too much about a network spilling into an area considered to be effectively inaccessible. For example, a large chemical plant located on a navigable waterway may allow the coverage to drift over the water. Recent events suggest this isn’t as safe as it may seem.
Probing For Vulnerabilities
Consider the strange case of the oil tanker Chem Hydra. This 114-m-long Marshall Islands-flagged vessel traveled up the St. Lawrence River and through the Great Lakes to the port of Green Bay, Wisc. In September 2013, U.S. Coast Guard agents boarded the ship and found equipment installed and an antenna deployed to look for Wi-Fi networks. The computer running the system was using WEPCRACKGUI, an automated software tool designed to break into inadequately protected networks.
Because the ship could be equipped with sophisticated antennas, it had the ability to interact with networks at longer distances than most land-based equipment, which needs to remain less conspicuous. Reports following the incident suggest the equipment was under the control of several Ukrainian or Russian crewmembers; whether the effort was directly state-sponsored wasn’t proven conclusively.
Following this incident, the state of Louisiana worked with the Coast Guard to perform its own vulnerability assessment of the large cluster of chemical and petroleum facilities located along the lower Mississippi River, primarily between Baton Rouge and New Orleans. “Operation Watersnake” discovered that nearly one-third of the networks tested showed high vulnerabilities due to weak or nonexistent encryption. This testing was performed from a vessel in the river communicating with operating Wi-Fi networks. The Coast Guard is concerned about this kind of activity and has received multiple reports of foreign-flagged vessels probing for vulnerabilities in networks near waterways (Figure 2).
The hackers on the Chem Hydra employed a tool designed to find Wi-Fi networks using WEP encryption as the primary security mechanism. WEP was first introduced for Wi-Fi networks in 1999 and was effectively supplanted by WPA with TKIP or AES by 2003. WEP is very easy to break with common software tools, and even WPA was considered ineffective more than 10 years ago.
Unfortunately, numerous sites still have some hardware using these obsolete protocols. Many routers made before the introduction of WPA2 with AES and CCMP in 2006 continue to be used. They work and are thought to be secure because they require a password, but in reality they offer little or no protection against wireless intrusion. Hackers only need to find that one piece of old equipment to gain an entry point.
Strategies For Protection
The first consideration when planning defenses is realizing that attacks can come from a variety of directions. A hacker probing your Wi-Fi networks may be:
• network sniffing via drone;
• sitting outside the fence line in a secluded spot or tree line;
• employing distance-extending antenna equipment;
• using equipment on a passing ship or smaller watercraft; or
• waiting near a rail entry point or other areas around the facility perimeter.
Wireless networks invariably grow in many directions, which aren’t always visible. So, it’s crucial to cyber map a site. Cyber mapping will help a facility:
• Determine where the access points are along with the topology of networked systems and assets. You must understand how your cyber assets and networks are interconnected because a persistent hacker will certainly make the same effort.
• Map signal strength throughout the facility, measuring at various levels, at high and low elevations. A drone hovering above a router mounted on top of a tall structure may have a very strong signal.
• Find dead areas caused by large pieces of equipment blocking the signal.
• Identify areas where corporate IT networks spill into the plant from offices.
• Establish baseline patterns using a tool like NetStumbler to monitor normal Wi-Fi communication. Anything outside of these patterns may signal network surveillance, internal misuse or attack.
• Scan all frequencies in use, usually at least 2.4 GHz and 5 GHz bands.
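The baseline-and-compare step above, together with the earlier point that a single access point still running WEP or WPA-TKIP is enough to give an intruder a foothold, is easy to turn into a small audit script. The following is an added example written for this article, not code from the author or from any survey tool. It assumes a constructed CSV export (bssid, ssid, channel, security, rssi) that stands in for whatever your site-survey tool actually produces, and two constructed surveys: the baseline captured during cyber mapping and a later walk-through. It flags access points never seen before (a possible evil twin carrying the plant SSID), baseline access points that no longer answer (an outage or jamming), access points whose security mode or channel has changed, and any access point still on an obsolete mode that should be replaced.

```python
"""Wi-Fi survey audit: flag obsolete encryption and deviations from a baseline.

Added example, not the article's code. The scan format below is a constructed
CSV (bssid,ssid,channel,security,rssi) chosen for this example; real survey
tools export their own formats, so adapt parse_scan() to yours.
"""
import csv
import io

# Security labels a defender should treat as "replace or reconfigure now":
# WEP (1999) and WPA/WPA2 with TKIP are broken; an open network has no protection.
OBSOLETE = {"OPEN", "WEP", "WPA-TKIP", "WPA2-TKIP"}
ACCEPTABLE = {"WPA2-CCMP", "WPA3-SAE"}


def classify_security(security: str) -> str:
    """Return 'obsolete', 'acceptable' or 'unknown' for a security label."""
    label = security.strip().upper()
    if label in OBSOLETE:
        return "obsolete"
    if label in ACCEPTABLE:
        return "acceptable"
    return "unknown"


def parse_scan(text: str) -> dict:
    """Parse a survey export into {bssid: record}.

    Keyed on BSSID rather than SSID: anyone can broadcast your SSID, so the
    radio's hardware address is the more useful identity for comparison.
    """
    records = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        bssid = row["bssid"].strip().lower()
        records[bssid] = {
            "ssid": row["ssid"].strip(),
            "channel": int(row["channel"]),
            "security": row["security"].strip().upper(),
            "rssi": int(row["rssi"]),
        }
    return records


def audit(baseline: dict, current: dict) -> dict:
    """Compare a fresh survey against the baseline built during cyber mapping.

    rogue   : BSSIDs never seen before (possible evil twin or unmanaged AP)
    missing : baseline APs that did not answer (outage or jamming)
    changed : BSSIDs whose security mode or channel differs from the baseline
    weak    : any current AP still running an obsolete security mode
    """
    report = {"rogue": [], "missing": [], "changed": [], "weak": []}
    for bssid, rec in current.items():
        base = baseline.get(bssid)
        if base is None:
            report["rogue"].append(bssid)
        else:
            diffs = [k for k in ("security", "channel") if base[k] != rec[k]]
            if diffs:
                report["changed"].append((bssid, diffs))
        if classify_security(rec["security"]) == "obsolete":
            report["weak"].append(bssid)
    for bssid in baseline:
        if bssid not in current:
            report["missing"].append(bssid)
    for key in report:
        report[key].sort()
    return report


# Constructed sample surveys (not real plant data). The baseline has one
# legacy WEP unit at the tank farm and a dock sensor gateway; the later survey
# shows a downgraded AP, the WEP unit still in place, the dock gateway silent,
# and an unknown open AP advertising the plant SSID.
BASELINE_SCAN = """bssid,ssid,channel,security,rssi
00:11:22:33:44:01,PLANT-OPS,6,WPA2-CCMP,-48
00:11:22:33:44:02,PLANT-OPS,36,WPA2-CCMP,-55
00:11:22:33:44:03,TANKFARM-LEGACY,11,WEP,-70
00:11:22:33:44:04,DOCK-SENSORS,1,WPA2-CCMP,-75
"""

CURRENT_SCAN = """bssid,ssid,channel,security,rssi
00:11:22:33:44:01,PLANT-OPS,6,WPA2-CCMP,-50
00:11:22:33:44:02,PLANT-OPS,36,WPA-TKIP,-57
00:11:22:33:44:03,TANKFARM-LEGACY,11,WEP,-68
de:ad:be:ef:00:01,PLANT-OPS,6,OPEN,-40
"""


def run_example() -> dict:
    """Audit the constructed current survey against the constructed baseline."""
    return audit(parse_scan(BASELINE_SCAN), parse_scan(CURRENT_SCAN))


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category:8s}: {items}")
```

Run as a script it prints one line per category; the rogue entry here is the open access point copying the PLANT-OPS name, and the weak list is the replacement backlog from step 1 of the immediate actions. The same structure works for periodic re-surveys: keep the baseline under change control and treat any non-empty rogue or changed list as something to investigate rather than re-baseline.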
While these larger-scale efforts are going on, you can do three things immediately:
1. Get rid of old Wi-Fi routers and switches. Replace any network device not new enough to use WPA2 with AES and CCMP encryption. The older encryption protocols are far too easy to penetrate.
2. Train your people how to respond if a drone is spotted. Your employees need to be vigilant. A drone (Figure 3) may be there to take photos or video, probe networks, or look for people on the ground. Staff should inform plant security personnel so they can alert local authorities. Few drone owners have legitimate licensing, and flying in close proximity to or within the fence line of a chemical plant is almost certainly prohibited.
3. Have a backup plan for loss of your Wi-Fi networks. Even if hackers can’t decrypt your communication, they can jam your wireless networks to the point of shutting them down. As mentioned earlier, radio is insecure and easy to disrupt. Can you continue operating without it? If you’re not sure, it’s best to find out now before an attack.
If there’s any lesson that can be learned from recent CPS attacks, like the Ukrainian electrical grid attacks, it’s that CPS operators always should have physical means to regain direct control of their systems. Plant personnel should be trained in those manual recovery and manual operating techniques where possible.
Wireless networks are certainly here to stay. Even with the known security issues they have become indispensable in many chemical plants and other industrial facilities. The technologies to secure industrial wireless networks have improved but so have the weapons used to attack them. Of course, this cat-and-mouse battle is going on within the larger world of cyber security, so carry out any efforts to improve your wireless networks as part of a larger overall cyber-security strategy.
JEFF MELROSE is principal cyber security manager for Yokogawa Corporation, Carrollton, Texas. E-mail him at Jeff.Melrose@us.yokogawa.com.