Cyber Warfare

The Colonial Pipeline Running Through North Carolina

On Friday (May 7) a Russian hacker group named Darkside penetrated the business computers of the Colonial Pipeline. They encrypted the firm’s files and data and demanded a $5 million ransom to unlock the files. Colonial Pipeline moves 45% of the East Coast gasoline, oil, and jet fuel. Here’s a map of the pipeline’s service areas.

States Served by the Colonial Pipeline System

It’s important to understand that the Darkside hackers made no attempt to tamper with the pipeline’s pumping stations, to cause a spill, for example. But in an abundance of caution, Colonial Pipeline stopped pumping for a week, paid the ransom, and just last Thursday brought their system back online.

Unfortunately, news of the incident caused many people to panic and rush the gas stations to fill up their cars and gasoline cans. This created an unnecessary shortage at many east coast gasoline dealers.

Panic Hoarding of Gasoline Created Shortages

As of today (May 15), Darkside announced that it is shutting down because they lost access to the Internet server that held their ransom money (in Bitcoins). While that sounds like the FBI and CIA may have retaliated, it could be just a bogus claim allowing them to abscond with the money and reappear later with a new moniker. The Darkside digital blackmail is a twenty-first century form of piracy. Is the Russian Government involved? Hmmmm, probably!

This digital looting, which you and I will pay for with increased gas prices, is not what really worries me. I’m concerned that one day one of these hacker operations will intentionally cause massive loss of life or property damage by tampering with the control systems of power plants, chemical plants, pipelines, water treatment facilities, and so forth.

We all remember the human cost of runaway power and chemical plants. Examples are Bhopal, India (3787 killed, 558,125 injured) when a Union Carbide pesticide plant accidentally released poisonous methyl isocyanate gas and the 1986 Chernobyl nuclear plant meltdown (4000 dead) in the Ukraine, and so on.

While there was no loss of life, an interesting example in the United States was the Merrimac Valley gas explosions north of Boston. A monumental screwup by Columbia Gas of Massachusetts on September 18, 2018 caused the natural gas pipelines to the towns of Andover, North Andover, and Lawrence to overpressure from 0.5 psi (normal) to 75 psi (very bad). The gas company’s pipes and valves handled it, but the little valves and flexible pipes in people’s furnaces popped open – filling the houses with natural gas. Forty homes caught fire or exploded.

Can a hacker intentionally cause disasters like Bhopal, Chernobyl, and Merrimac Valley? Yes, they can.

Plants, be they electric, chemical, or water treatment, are typically operated by industrial PCs running SCADA software. SCADA (Supervisory Control And Data Acquisition) is a fancy software package that presents factory controls as a computer screen with digital buttons and knobs, graphs, meter readouts, and so on. An example of SCADA displays is shown below.

SCADA Systems allow you to control the factory with a keyboard and a mouse.

Programmable Logic Controllers (PLCs) have connections to the process’s valves, motors, and sensors and a set of instructions as to how to sequence the factory’s controls properly. A big factory might have many of these PLCs. The point is that all the PLCs are connected to the SCADA package via private industrial networks with names like ModBus, ControlBus, and so on. Here’s a typical PLC with screw terminals for sensors, motors, and electric valves.

Typical Schneider Electric PLC (note screw terminals for sensors and actuators)

The point of all this is that if you can break into the factory’s industrial computer (PC) running a SCADA system, you can command the PLCs to do dangerous things, like over-pressure a tank of poisonous gas, or shut off the Northeast power grid.

So you might say, “Just disconnect the factory and its SCADA system from the Internet.”

The problem is that companies like Colonial Pipeline prefer to control their factories from their Headquarters. In the case of the Colonial Pipeline, there are over 27 pumping stations with a Headquarters in Alpharetta, Georgia.

Is there a solution that might work?

In an article “The Connected Factory” by Jim Pinto, he provided a nice summary of how modern factories are designed. https://www.intel.com/content/dam/doc/solution-brief/connected-factory-solution-brief.pdf

Typical Factory Organization

If we disconnect the Internet from the Industrial PC above, we thwart potential hackers from triggering disaster. So, how do we provide the Home Office with at least the SCADA display data?

Provide a “mirror” industrial PC that runs the SCADA software, but it gets it’s data from a continual one-way data stream from the “real” industrial PC. Since the data streams one-way, the “real” industrial PC is isolated from the Internet. The factory now looks like this.

Isolating the Industrial PC from the Internet

Management can still see everything in the home office, but they must call or email the desired change (e.g. reduce pump speed by 10%) to the Pumping Station manager, who will make the adjustments at his SCADA screen.

If we don’t disconnect our critical factory control systems from the Internet , it’s just a matter of time before some hacker from Russia, North Korea, or Iran will intentionally cause a disaster. People like Maksim Viktorovich Yakubet are patiently waiting to teach us a lesson, and he has lots of friends.

That is all for today, CLASS DISMISSED!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s