Chemical plant hacking

The security of industrial plants is often invoked, but practice leaves much to be desired. At the CCC congress in Hamburg, hackers showed how industrial facilities can be paralyzed and damage running into the millions can be caused.


A manipulated steelworks in Germany, an exploded pipeline in Turkey – more and more cases of targeted manipulation of industrial plants are becoming known. At the CCC congress, hackers showed that the IT security of industrial control systems (SCADA) is as weak as ever. But hacking a chemical plant is harder than it seems.

The first security rule, not to make industrial control systems accessible from the Internet, is persistently and criminally ignored. The research group SCADA Strangelove has been scanning for two years, and thousands of industrial plants are listed on the ICSMap.

In their lecture in Hamburg, Sergey Gordeychik and Aleksandr Timorin dealt with distributed energy systems on the network. Using simple scans, they found nearly one million solar and wind systems; their web interfaces had even been indexed by Google. Worse: although the control interfaces were password-protected, anyone who knew the exact URLs could download the system's backup files without a password and read the credentials from them.

In other systems, the researchers found an entire chamber of horrors of vulnerabilities: easily rewritable firmware, hard-coded developer passwords, and web servers vulnerable to exploits more than ten years old. Even reporting the problems to the manufacturers did not always improve the situation: one manufacturer updated to a version of OpenSSL that was vulnerable to Heartbleed. Another simply replaced a hard-coded password with a different one that could be read just as easily. Update cycles are enormously long: Eireann Leverett, a hacker specializing in switches, praised Siemens for having solved a problem in just three months; on average, manufacturers need 18 months.

More than just IT security

Although such research and the shenanigans that follow reveal vulnerabilities that would hardly be tolerated in other areas, that does not automatically mean that any hacker can cause great damage. “To gain access does not mean to automatically take control,” said the SCADA hacker and researcher Marina Krotofil.

In her presentation, Krotofil played through a sophisticated attack on a chemical plant. She showed that the complex systems can be manipulated in many ways. But someone who sabotages a vulnerable switch at random has little chance of achieving any tangible effect. “SCADA hackers have a very specific goal,” said Krotofil. Attackers are often out to inflict maximum economic damage.

To do so, however, the attacker would have to gain an accurate picture of the processes in the plant. No chemical plant is exactly like another, and the operators keep details of their production secret. Once attackers have gained an accurate picture by observing and taking over more and more control systems, however, they can cause damage in many ways.

A cooling system that fails at the right place can cause pipes to clog irreparably. More subtle manipulations drive up costs for the operator. An intervention that affects production quality can be disastrous for revenue: the market price for pure acetaminophen is 640,000 euros per kilogram. At a purity of 98 percent, the price drops to 78 euros.

How often such attacks occur in practice is unclear. Krotofil lamented the industry's secrecy: such incidents are rarely made public. On the other hand, hackers who have taken control also have the opportunity to cover their tracks and disguise their attacks as a normal malfunction. The operators of a pipeline in Turkey, for example, learned of the problems only 14 minutes after an explosion, when someone reported a fire, Krotofil said; the manipulated monitoring sensors had reported nothing unusual.

To give the hacker community a more precise understanding of the problems in production, Krotofil and colleagues have made a simulation of a chemical plant available on GitHub, including a GUI for simulating possible attacks.