The Weekly Reflektion 47/2023

Cyber safety is in vogue and rightly so. There are many examples of cyber attacks where IT systems have been hacked and the victims have been defrauded of millions and/or threatened with destruction of important information unless a ransom is paid. Cyber attacks on Operational Technology (OT) systems, for example, PLCs (programmable logic controllers) that are the basis for control systems and emergency shutdown systems may also be vulnerable to attack. In these cases, the objective for the attacker may not be cash, it may be to cause an accident or even a Major Accident.

Are your Operational Technology (OT) systems secure?

In 2007 at the Idaho National Laboratory a test was carried out on a diesel generator that was later named ‘The Aurora Generator Test’. The test was an experiment to demonstrate the vulnerability of power generation systems to a cyberattack. The generator had a rating of 2.25 MW. A computer program was used to rapidly open and close the generators’ circuit breakers out of phase with the grid. The breaker was controlled by a programmable digital relay and access to the relay was through a digital interface fairly typical for this type of system. The generator was destroyed in about three minutes. The coupling between the diesel engine and the electrical alternator was sheared, the diesel engine was ripped apart and some parts landed about 25 meters from the wreckand the alternator showed signs of severe overheating.

Stuxnet, malicious computer software, was used to attack Siemens PLCs that controlled centrifuges used to enrich uranium as part of Iran’s nuclear program. Stuxnet was uncovered in 2010 and had most likely been in development since 2005. The malicious software carried out three distinct functions. The first was to cause the centrifuges to spin at high speed to cause damage. The second was to override the safety and alarm system that would have registered the high speed, given an alarm and shutdown the centrifuges. The third was to hide the ‘high-speed’ operation from the operators monitoring the centrifuges so that they were unaware of the attacks. The malicious software was designed to only attack the specific Siemens systems used for the centrifuges. The Stuxnet attack was an eye-opener for the manufactures and users of Operational Technology (OT) systems and has led to significant advances in cyber security for these systems. Warnings that a cyberattack could happen and that OT systems were particularly vulnerable were being made before 2010 and were generally being ignored by the industry. As often happens the naïve security of ‘it’s never happened before’ is enough to convince people that it will never ever happen. 

Our main objective with our Weekly Reflektions is learning and our ambition when we started was, and still is, to use the detailed information on Major Accidents to prevent more Major Accidents. This learning can unfortunately be turned on its head and be used to cause Major Accidents. With so many industries using PLCs to control and monitor their processes and with these PLCs often connected to a network and to the cloud, they are vulnerable to a targeted cyberattack. The attacker could use actual incidents on for example, power generation and distribution system, rail systems, hydroelectric systems etc, to create a scenario with significant consequences and then design malicious software to replicate the scenario in real time. This is the terrorism of today and tomorrow, and we need to be prepared.  

Reflekt AS