The recent WannaCry ransomware attack, which affected hundreds of thousands of computers and caused disruption to major infrastructure including the UK’s National Health Service, has highlighted the vulnerability of outdated industrial control systems used in energy production and chemical manufacturing.

Experts have warned in the past that the computers controlling chemical plants, factories and power stations all have the potential to be compromised. And now there is some indication that cyber criminals are increasingly viewing them as a target. James Scott from the Institute for Critical Infrastructure Technology in the US says over 350 incidents targeting energy company critical infrastructure were reported to the US Department of Homeland Security between 2011 and 2015. Furthermore, in 2016, 108 cyber-espionage attacks were reported against manufacturing facilities.

‘As the antiquated legacy technology supporting chemical and petrochemical systems ages, the networks become exponentially more vulnerable to the hyper-evolving cyber-threat landscape,’ he tells Chemistry World.

Alan Woodward from the University of Surrey, UK, who advises the government on cybersecurity, says the risks, or at least awareness of the risks, have increased in recent months. ‘What WannaCry showed was that ransomware does not just hit a computer on which some unsuspecting person opens a booby-trapped attachment, but is able to “worm” its way around an internal network to affect any vulnerable, attached device.’

Even in plants and factories whose control systems are separated from the internet, Woodward says, this ‘air gap’ can easily be inadvertently bridged by plugging in an infected USB stick, for example.

‘The networks rely on outdated technology that is “Frankensteined” with modern Internet of Things devices,’ says Scott. This can provide a route for hackers to exploit vulnerabilities in the system. In June, for example, ransomware infected a European petrochemical plant’s network via a coffee machine connected to the internet.

Potential catastrophe

The consequences of such attacks could range from ‘minor disruption of a process to a major catastrophe’, says Raheem Beyah, a computer scientist at the Georgia Institute of Technology, US. Recent examples of cyberwarfare have shown that malware can be used to target energy infrastructure and damage equipment. The infamous Stuxnet worm – developed by the US military in the early 2000s to attack an Iranian nuclear power plant – disrupted uranium enrichment by tampering with centrifuges.

And a recent attack on Ukraine’s power grid at the end of 2016 is believed to have used a sophisticated piece of software called Industroyer/Crash Override that Beyah explains is ‘designed in a modular fashion and has the ability to send legitimate industrial control system commands’.

There’s no reason why similar approaches couldn’t be used to target other types of control systems. For example, Beyah’s research group recently used simulations to show how malware could theoretically be used to poison water supplies with chlorine by hijacking a water treatment plant. Although this was just a proof of concept, it highlights the potential consequences if cyber defences fall short.

Updating defences

One issue the WannaCry attack drew attention to is the danger of using outdated operating systems, as the ransomware was designed to attack vulnerabilities in historic versions of Windows. The use of outdated systems is rife in industrial control systems, Scott says. ‘Many chemical and petrochemical facilities still rely on Windows XP or earlier versions, which have publicly known vulnerabilities and are no longer supported by Microsoft or security applications. These companies lack the technology and skilled information security personnel to secure systems, detect incidents, or mitigate or remediate breaches.’

Woodward explains that industrial control systems have a particular problem in that they are sometimes not set up to be upgraded. ‘Some manufacturers do not enable embedded systems (even those running standard operating systems like Windows) to be upgraded by end users, [and] the company that built the control systems can take some time to respond,’ he says. To address this, and ensure they are protected against attacks, companies need to invest in modernised systems and make sure they have a strategy to keep them updated.

Close monitoring of their network is also crucial, Beyah says, so that any hint of an attack can be stopped in its tracks. ‘If the networks are monitored, then malicious activity can be detected before a system is compromised or before a catastrophic event is imminent.’