According to the rather clickbait-sounding title of a reference in the July 27 topICS, cyber-attackers could even use OT systems as weapons (!) against humans by 2025.
Given the evolution of cyber-attacks, it would be hard to argue that this threat is without foundation.
Even in the legendary Stuxnet attack of 2009-10, if one thinks about it, it could not be completely ruled out that the ‘tampering’ with uranium centrifuges would result in human injury or death as ‘collateral damage’ of their destruction. Indeed, few outside the narrowest professional circles know that the possibility of physical damage by cyber-attack had been established years earlier (in 2006) by an experiment carried out at Idaho National Labs in the USA, which had been kept secret for years. During this experiment, the dynamic effects of some asynchronous – i.e. non-synchronous – grid connections made by “tweaking” the control system of a 2.25 MW diesel generator caused severe physical damage to the machine unit, effectively destroying it.
Then, after the Stuxnet attack, in 2016, one of the objectives of the attack on the Pivnichna substation in Ukraine was to take out the SIEMENS SIPROTEC protection relays in operation there. The purpose of the electrical protections, which have a safety (!) function as well as a security function, is to prevent and avert abnormal operating conditions of electrical equipment, which could be dangerous for the equipment and its environment (including the operating personnel or even the general public). If the attack on the protections had been successful, in extreme cases it could have resulted in damage to transmission and distribution network equipment and even serious danger to people. Due to a coding error made by the attacker, this did not happen in the end, but the attacker’s intent is still worrying.
The 2017 attack on the Saudi Arabian oil refinery should be seen as another warning. Malware was discovered in Schneider Electric’s Triconex SIS (Safety Instrumented System!). According to the analysis, attackers exploited a zero-day vulnerability to inject RAT (Remote Access Trojan) malware into the SIS. This was the first successful attack specifically targeting a “safety” system. The response of the operating staff eventually prevented the tragedy, but it is not difficult to imagine the threat that the disabled safety system could have posed to at least the refinery staff.
If the risk of human injury could not have been ruled out more than 10 years ago, it is no wonder that the reality of this option is growing in the now rather rough cyberspace.
In extreme cases, the huge amounts of energy transported by the electricity system, or the equipment that transmits and distributes it – sometimes containing up to 10 tonnes (!) of oil – can release energy that can cause serious physical damage, including loss of life.
It could also help to prevent such incidents if the owners and operators of electricity grids deny the attacker the opportunity to use OSINT (Open Source Intelligence) to assemble, from the partial information available to anyone on the Internet, processed information forming a closed logical chain, such as that which may have facilitated the Pivnichna attack in 2016. You can read about OSINT and some of the possible OSINT aspects of the 2016 attack here.
In the light of the above, power system stakeholders have a role to play, among other things, in ensuring that, in addition to security systems, the complex conditions necessary to strengthen the cyber security of safety systems are in place to the extent necessary.
The topICS Gartner press release linked at the beginning of this post is available here.
We welcome messages either agreeing or disagreeing with the above. For example, a new post could respond to them and even lead to a substantive exchange of views.