The imaginary hacker | Hydrocarbon Processing | April 2012

Page 1 of 2

COPYING AND DISTRIBUTING ARE PROHIBITED WITHOUT PERMISSION OF THE PUBLISHER

The imaginary hacker

04.01.2012 | Goble, W., exida LLC, Sellersville, Pennsylvania

Keywords: [cyber attacks] [control systems] [process control] [cyber security] [hackers] [automation] [software] [virus]
Under recent economic conditions, it is understandable that a control-system cyber-security audit is not the top priority for many plant operators. Less staff due to layoffs and deferred
maintenance can present a clear, tangible threat to operations. Too often, the imaginary hacker, discussed in many papers and blogs, is often considered as a non-credible threat. No matter how
many blogs, magazine articles and white papers are written, a real credible threat to a refinery or petrochemical facility from some vague person or organization seems imaginary to those
controlling plant budgets.

StuxnetThe structure of cyber-attacks.

Some believed that control-system cyber-security threats would be clearly credible after the 2010 Stuxnet incident. Stuxnet is rogue software; it was created to penetrate and breech Siemens
programmable logic controllers (PLCs) in Iran. The rogue software actually infiltrated the system. Stuxnet reached the controllers and modified the programmed control logic. This code was very
specific and targeted nuclear-fuel processing. The allegations are that a well-financed organization was responsible for the attack. I recall first reading about this event and thinking this is no real
problem for anyone not making nuclear fuel. The real threat to the hydrocarbon processing industry (HPI) is negligible.
Later, I learned that the Stuxnet code was completely reverse engineered and, more importantly, posted on hackers websites. Now, these techniques, created with all that engineering effort and
funding, were available to every individual or organization that had a web browser. The true problem is that this software/code can now provide evil groups the tools to facilitate attacks on any
manufacturers control/automation products for any applicationnot just nuclear-fuel processing. All HPI facilities are vulnerable, and it is time to worry.

Control systemsThe new market for security researchers.

Again, control-system cyber-attack risk levels have increased. I read articles describing how many individuals, and even companies, are working to discover the vulnerabilities present in industrial
controllers. Since Stuxnet, these researchers have realized that there is a whole new category of potential customers. Some researchers publish, and even present, this information at hackers
conferences. Others contact the compromized controller manufacturer and offer to sell the vulnerability information. If no sale is made, then they publish and/or present it to the world. In
conversations with my IT friends, I understand that this is a normal practice in the personal computer/server world. Finding the attack points within systems is the latest path to fame and glory in
the hacker community. Something about this business model is most unethical.
All this news means that the industrial control community is now a target. Gone are the days of flying below the radar of the imaginary hacker. Although the Repository of Industrial Security
Incidents (www.risi.org) has recorded hundreds of incidents, few were caused by deliberate malicious hackers. Its too bad that things have changed. Today, tremendous volumes of information
are being published addressing how to cause trouble in process control/automation systems.

Defensive actions.
Fortunately, a number of very practical defense techniques have also been published. The ISA SP99 zone and conduit concepts, combined with a systems-level audit, is a simple and effective
technique that provides some protection. Some control-system vendors are upgrading their software to meet requirements of the ISA Security Compliance Institute for embedded systems. That
will provide more layers of protection.
Although we have much to learn about cyber-security protection, I believe that some protection is a whole lot better than none. I am reminded about an old story. Two hikers were out in the
woods when they suddenly encountered a grizzly bear. The bear spots them and rises up on its hind legs and roars. The first hiker yelled, Im sure glad I wore my running shoes today. The
second hiker replied, It doesnt matter what kind of shoes youre wearing; you are not going to outrun that bear. I dont have to outrun the bear, I just have to outrun YOU, the first hiker
answers back.
I can imagine a hacker trolling the Internet looking for vulnerable control systems. Systems that are easier to hack are the most likely targets. So, I am thinking that the basic, cost-effective cyber
security measures are good prevention options, at least for now. The best policy is to outrun other control systems and, hopefully, avoid being cyber attacked. HP
The author
William Goble is a principal partner of exida.com, a company that does consulting, training and support for safety-critical and high-availability process automation. He has over 25 years of
experience in automation systems, doing analog and digital circuit design, software development, engineering management and marketing. Dr. Goble is the author of the ISA book Control
Systems Safety Evaluation and Reliability. He is a fellow member of ISA and a member of ISAs SP84 committee on safety systems. Dr. Goble can be reached by e-mail at: wgoble@exida.com.

Please read our Term and Conditions and Privacy Policy before using the site. All material subject to strictly enforced copyright laws.
2011 Hydrocarbon Processing. 2011 Gulf Publishing Company.

http://www.hydrocarbonprocessing.com/Article/3005012/Search/The-imaginary-hacker.ht...

1/27/2013

The imaginary hacker | Hydrocarbon Processing | April 2012

http://www.hydrocarbonprocessing.com/Article/3005012/Search/The-imaginary-hacker.ht...

Page 2 of 2

1/27/2013