Professional Documents
Culture Documents
Cyber Security Risks of CISTAR Facilities - Purdue, Abhijit Talpade
Cyber Security Risks of CISTAR Facilities - Purdue, Abhijit Talpade
Cyber Security Risks of CISTAR Facilities - Purdue, Abhijit Talpade
2
Purpose of this Study – ICS vulnerability
3 1
Moreno et al., Process Saf. Environ. Prot. 2018, 116, 621-631
Purpose of this Study – Increase in Cyber Threat
• Recent data on industrial cyberattacks indicate an increase
in targeted attacks on the energy sector
• Kaspersky Lab ICS CERT report suggests 38% of
computers cyberattacked in 2019 were in the Oil & Gas
sector1
• A March 2018 survey by Siemens and the Ponemon Institute
noted that 50% of all cyber attacks in the Middle East target
the oil and gas sector2
• Research from Hornet Security, a German cloud security
provider, identifies energy as the number one target for
cyberattacks in 2019, 16% of all attacks worldwide 3
• The number of known attack groups targeting the energy
sector increased from 87 in 2015 to 155 in 2019 4
CERT – Cyber Emergency Response Team
1
Threat Landscape for Industrial Automation Systems in H1 2020 Kaspersky Lab ICS CERT 2019
2
https://www.siemens.com/mea/en/home/company/topic-areas/digitalization/cybersecurity.html
3
https://energymonitor.ai/technology/digitalisation/cybersecurity-threats-escalate-in-the-energy-sector
4 4
ISTR 2019: Targeted Attack Groups Increase Despite Growing Risk of Exposure, Symantec 2019
Purpose of this Study – Learning from Past Incidents
Colonial Pipeline Attack (2021)1
On May 7, 2021, hackers attacked the
Colonial pipeline holding them at
ransomware. This forced the pipeline
operators to close down operations and
freeze the IT systems. Colonial pipeline
provides roughly 45% of the fuel supplies
(gasoline, diesel, jet fuel, etc.) for the East
Coast. Expected rise in the gasoline prices
because of this incident.
5
Osborne, C., https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
1
Purpose of this Study – Learning from Past Incidents
Colonial Pipeline Attack (2021)1 Electronic customer communications
attack (2018) 2
On May 7, 2021, hackers attacked the
Colonial pipeline holding them at In April 2018, a cyber attack targeted the
ransomware. This forced the pipeline electronic customer communications systems
operators to close down operations and at four natural gas pipeline companies,
freeze the IT systems. Colonial pipeline leading to service disruptions and possible
provides roughly 45% of the fuel supplies economic and data losses1
(gasoline, diesel, jet fuel, etc.) for the East
Coast. Expected rise in the gasoline prices Turkish Pipeline Incident (2008)3
because of this incident. In 2008, hackers blew up a section of a
Turkish oil pipeline. The control room console
Triton (2017)3
indicated normal operation, before a phone
Triton was a malware used against a call from the field caused the console
petrochemical plant in Saudi Arabia. It operator to trigger the alarm. The attackers
allowed the hackers to take over the plant's manipulated not just the DCS parameters but
safety systems remotely, though a flaw in the also the CCTV feed to the control room,
code allowed the plant to respond before any covering up the actual situation at the site.
damage occurred. DCS – Distributed Control System
SIS – Safety Instrumented System
Such incidents demonstrate the importance of designing cyber safe CISTAR facilities
1
Osborne, C., https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
2
Malik et al., https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-data-
system-shuts
6 3
Hemsley, K. E.; Fisher, R. E. History of Industrial Control System Cyber Incidents; 2018
Cyberattack Threat Statement - Methodology
Steps for development of an overall cyberattack threat statement:
• Conduct a cyber-enhanced HAZOP analysis for all equipment
associated with the CISTAR process
• Identify the critical components in the process (high potential cyber
risk rating with catastrophic consequences employing safeguards with
1-way/2-way communication for control)
• Study previous incidents on these critical components (to guide the
future process designers on the cyber threats associated with these
components)
• Generate an overall cyberattack threat statement for the CISTAR
process (study of the threat history, current cyberattack capabilities,
possible motivation/intent behind the attacks and the potential actions
from these attacks to decide on a cyber threat rating)
7
Cyberattack Threat Statement - Methodology
Steps for development of an overall cyberattack threat statement:
• Conduct a cyber-enhanced HAZOP analysis for all equipment
associated with the CISTAR process
• Identify the critical components in the process (high potential cyber
risk rating with catastrophic consequences employing safeguards with
1-way/2-way communication for control)
• Study previous incidents on these critical components (to guide the
future process designers on the cyber threats associated with these
components)
• Generate an overall cyberattack threat statement for the CISTAR
process (study of the threat history, current cyberattack capabilities,
possible motivation/intent behind the attacks and the potential actions
from these attacks to decide on a cyber threat rating)
8
HAZOP Analysis of CISTAR Process – Process Schematic
• Shale gas withdrawn from the wellheads undergoes a series of
separation, acid gas removal and dehydration steps
• Dry and sweet shale gas proceeds to the CISTAR complex starting
with NGL activation
• Wellheads and the upstream facilities are assumed to be controlled
independently
9
HAZOP Analysis of CISTAR Process – Process Schematic
• The CISTAR facilities are assumed to be controlled by a separate
control room
• The focus of this study will be on the CISTAR facilities and its
associated control room
10
HAZOP Analysis on CISTAR Process - Assumed Controls
• CISTAR Process:
Dehydrogenation – Oligomerization – Liquid Hydrocarbon Recovery
12
Cyber-enhanced HAZOP Analysis – Example 1
Analysis on Expander EXP-1
Potential Cyber Interface Shale Gas Inlet Flow
Operational Deviations High Pressure
Possible Causes Upstream flow variation or
Expander Impeller Failure
Failure Scenarios Higher pressure downstream of
the expander
Possible Incident No
Consequence Operational Issues in the TD-R
Potential Cyber Risk Rating Low
(Unmitigated)
Potential Safeguards High pressure shutdown
interlock (Instrumented) (Two-
way communication)
13
Cyber-enhanced HAZOP Analysis – Example 2
Analysis on Oligomerization Reactors, OLI-R-1, OLI-R-2, OLI-R-3
14
Cyberattack Threat Statement - Methodology
Steps for development of an overall cyberattack threat statement:
• Conduct a cyber-enhanced HAZOP analysis for all equipment
associated with the CISTAR process
• Identify the critical components in the process (high potential cyber
risk rating with catastrophic consequences employing safeguards with
1-way/2-way communication for control)
• Study previous incidents on these critical components (to guide the
future process designers on the cyber threats associated with these
components)
• Generate an overall cyberattack threat statement for the CISTAR
process (study of the threat history, current cyberattack capabilities,
possible motivation/intent behind the attacks and the potential actions
from these attacks to decide on a cyber threat rating)
15
Identification of Critical Components
Three components identified to be critical for the CISTAR process
Potential Cyber 2-way Instrumented
Equipment Consequences
Interface Safeguards
Pressure Indicator at High pressure alarm
Thermal TD-R, temperature with heater shutdown,
Explosion, fire due
Dehydrogenation indicator at TD-R, fuel High temperature
to loss of firebox
Reactor (TD-R) gas inlet flow control alarm with heater
valve shutdown
Loss of
Oligomerization
Temperature sensor High temperature containment, fire,
Reactors (OLI-R-
at OLI-R outlet, fan indicator with alarm explosion due to
1, OLI-R-2, OLI-
RPM control and interlock potential reaction
R-3)
runaway
Explosion, loss of
containment, fire
Liquid level indicator
Product Storage Liquid level sensor, due to tank overfill
with alarm and flow
Tank (TANK – 1) flow control valve and release of
control
light hydrocarbon
liquid
Critical components: high potential cyber risk rating with catastrophic
16 consequences employing safeguards with 1-way/2-way communication for
Cyberattack Threat Statement - Methodology
Steps for development of an overall cyberattack threat statement:
• Conduct a cyber-enhanced HAZOP analysis for all equipment
associated with the CISTAR process
• Identify the critical components in the process (high potential cyber
risk rating with catastrophic consequences employing safeguards with
1-way/2-way communication for control)
• Study previous incidents on these critical components (to guide the
future process designers on the cyber threats associated with these
components)
• Generate an overall cyberattack threat statement for the CISTAR
process (study of the threat history, current cyberattack capabilities,
possible motivation/intent behind the attacks and the potential actions
from these attacks to decide on a cyber threat rating)
17
Critical Component Incident History
Studying previous cyber incidents for the three critical components
Incident Short Description
Flow controller
Florida water treatment The computer system was compromised and used to send
facility1 instructions to the ICS, changing NaOH levels.
Maroochy water services Disgruntled employee used proprietary equipment to mimic a field
breach2 controller and send malicious commands to other controllers over
radio and compromising the system.
Temperature controller
Industrial heating system Heating and fire detection system was compromised as the control
attack3 box was directly connected to the internet.
Heating and fire detection system was compromised as the control
German Steel Mill Attack2 box was connected to the business network. Safe shutdown was
also hampered leading to massive damage.
Pressure controller
Triton, which was named for the Triconex safety controller model
Triton attack (malware that it targeted, malware attack against a petrochemical plant in
targeted for Triconex safety Saudi Arabia. The malware allowed the hackers to take over the
controller)4 plant's safety systems remotely, though a flaw in the code allowed
the plant to respond before any damage occurred.
Turkish oil pipeline5 Hackers manipulated the operating parameters, as well as
prevented the pressure alarm from going off.
1
Henriquez, M. https://www.securitymagazine.com/articles/94552-hacker-breaks-into-florida-water-treatment-facility-changes-chemical-
levels
2
Hemsley and Fisher, History of Industrial Control System Cyber Incidents 2018
3
Goodin, D. https://arstechnica.com/information-technology/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
18 4
Giles, M. https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-triton-malware
5
Bogle, A. https://slate.com/technology/2014/12/bloomberg-reports-a-cyber-attack-may-have-made-a-turkish-oil-pipeline-catch-
Cyberattack Threat Statement - Methodology
Steps for development of an overall cyberattack threat statement:
• Conduct a cyber-enhanced HAZOP analysis for all equipment
associated with the CISTAR process
• Identify the critical components in the process (high potential cyber
risk rating with catastrophic consequences employing safeguards with
1-way/2-way communication for control)
• Study previous incidents on these critical components (to guide the
future process designers on the cyber threats associated with these
components)
• Generate an overall cyberattack threat statement for the CISTAR
process (study of the threat history, current cyberattack capabilities,
possible motivation/intent behind the attacks and the potential actions
from these attacks to decide on a cyber threat rating)
19
Cyber Threat Statement
Threat Cyberattack
General Threat Previous cyberattacks like Triton, Turkish Oil Pipeline incident,
History Maroochy water services breach, etc. have focused on targeting ICS
components to cause significant physical and economic damage.
Specific Threat No history at proposed CISTAR facility
History
Capability Severe physical damage can be inflicted by cyber-attacks on the
pressure controller (across TD-R), temperature controller (across TD-R
and OLI-reactors) and the flow controller (TANK-1)).
Motivation/ Sophistication of cyber criminals is out stripping the ability to effectively
Intent counter the attacks, resulting in increased malicious events, loss of
data and physical damage.
Potential Malicious intent, personal enrichment, political or religious motivation.
Actions
Overall The exposure to these proposed small remotely operated gas
Assessment processing plants assets by cyberattack was evaluated by the team
and determined within the next 10 years that the cyber-attack potential
on these facilities is a ‘Medium’ threat
Threat Ranking Medium
21
Summary
• Past cyber incidents related to these controllers were
studied to understand their cyber-vulnerability and guide
design of additional safeguards
• Temperature control: Triton malware attack, German
steel mill attack1,2
• Pressure control: Triton malware attack, Turkish oil
pipeline breach1,3
• Flow control: Maroochy water services breach2
• Overall cyberattack threat statement generated
• CISTAR process threat ranking: Medium
1
Giles, M. https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-
triton-malware
2
Hemsley and Fisher, History of Industrial Control System Cyber Incidents 2018
3
Bogle, A. https://slate.com/technology/2014/12/bloomberg-reports-a-cyber-attack-may-have-made-a-
22 turkish-oil-pipeline-catch-fire.html#:~:text=In 2008%2C two years before,Baku-Tbilisi-Ceyhan pipeline
Impacts and Future Work
Impacts
• Cyber-enhanced HAZOP study can identify critical
components associated with the process (high cyber risk
components with catastrophic consequences)
• Procedure/methodology outlined for studying the overall
threat assessment can help future CISTAR engineers to
identify cyber threats following final design of the process
or control strategy employed
• Guide the CISTAR design engineers on the choice of
high-risk components (decision on make & type of
controllers based on incident history)
Impacts and Future Work
Future
• Study of individual threat vectors to understand their risk
potential
• Study of communication modes (wired/wireless) and
communication protocols (Modbus, DNP3, IEC 61850) to
identify additional cyber threats and safeguard design
• Study of different control strategies and how they impact
the overall risk
Thank You!
Questions?