Chemical plants, oil refineries and manufacturing plants are at risk from electronic attacks that could put lives at risk and cause serious environmental damage, an international conference will hear this week.
Utilities across the world are being hit by an estimated 100 to 500 attacks from hackers and malicious worms every year, disrupting the ability of companies to control critical manufacturing plants, with potentially devastating consequences.
The number of attacks will accelerate sharply as more manufacturers link their plant control systems to the internet or wireless networks, according to research by the British Columbia Institute of Technology and PA Consulting.
In one of the most serious incidents, Russian hackers took control of a gas pipeline for 24 hours by penetrating electronic control systems. In another case, in Australia, a disgruntled employee released 250 million tonnes of raw sewage by attacking a waste water control system.
"In a worst-case scenario, if a chemical or petroleum plant were to go up, there would be a risk of loss of life. If people hack into electricity distribution and water systems, there could also be a big impact," said Justin Lowe, principal consultant at PA Consulting.
The research, based on an analysis of incidents reported anonymously by process manufacturers, is the first to use hard statistics to assess the risks. It will be published at the VDE Process Industry Congress in Berlin.
The findings have shown that the number of recorded attacks against plant control systems has risen sharply over the past three years as more manufacturers replace specialist control systems with networked Windows-based devices.
Control devices, which can be accessed over the internet through wireless links or dedicated telephone lines, either for programming or to feed back management data, have left plants much more vulnerable to electronic attack, said Lowe.
Manufacturers and control systems suppliers have not been as quick to develop technology such as firewalls, anti-virus systems and intrusion detection systems as other parts of the IT industry, because until now the risks have been less clear, said PA.
Control equipment suppliers have been reluctant to allow their customers to apply patches to control systems without accreditation testing - a process that can take up to nine months. This is understandable because a mistake in a patch could result in serious damage to a plant.
However, Lowe said this is of little help when hackers can create worms to attack new vulnerabilities in a matter of days.
"Patching and anti-virus systems are not supported by suppliers. You have critical control systems connected to corporate networks that do not have anti-virus systems. That is not through negligence of the users - it has never appeared on the radar.
"One of the scary things is the increased use of wireless technology, even at low levels. If you visit trade fairs you see controllers with Bluetooth stickers or small aerials. They offer great cost savings but obviously there are security implications."
The risks have caught the attention of the UK government's National Infrastructure Security Co-ordination Centre, which is running conferences and an awareness campaign to address the issue. They have also caught the attention of hackers, who see control systems, with their lack of firewalls and other defences, as relatively soft targets.
A hackers' conference in Birmingham last year gave a demonstration of how to hack into the radio frequency control systems used by UK water companies. An earlier US hackers' conference published details of attacks on embedded control systems.
The greatest hacking risks come from former employers or contractors with specialist expertise in control equipment, but a hacker without specialist knowledge could place a plant at risk by launching a denial of service attack, said Lowe.
How hackers affect production
- 34 security incidents targeted at process plants were identified between 1995 and 2003
- 50% of incidents caused damage worth more than £556,000
- 41% of the incidents led to loss of production
- 29% of the incidents led to companies losing the ability to monitor or control the plant
- 70% of the attacks after 2001 were from external sources, 5% were internal and 20% accidental
- 36% of external attacks came through the internet, 20% from a remote dial-up modem, 8% from remote wireless, 8% from virtual private networks; and 4% from a trusted third-party connection
- The number of incidents has been increasing sharply since 2000.
Source: BCIT Industrial Security Incident Database
An Australian hacker was sentenced to two years in 2001 after his attack on sewage control computers at a Brisbane council led to the release of one million litres of raw sewage into the grounds of the Hyatt Regency Resort.
Vitek Boden, who worked for the company that installed the computers, launched the attack in revenge after being turned down for a job at the council.
Boden used a laptop, a two-way radio and hacking programs to break into the sewage control computers and reprogram the pumps. He was found guilty of 46 counts of computer hacking.
The process computer in a US nuclear power station was put out of action by an infection of the SQL Slammer worm in 2002.
The worm infected the Davis-Besse nuclear power plant, overloading the site network and preventing the plant's computers from communicating with each other.
The attack disrupted the plant's safety parameter display systems, which were unavailable for nearly five hours, and the process computer, which was unusable for more than six hours.
An investigation revealed that the worm had entered through a network link that bypassed the firewall, and that engineering staff were unaware of the existence of a Microsoft security patch that could have prevented the incident.