There are multiple motives for compromising the security of an industrial control system, some of which overlap motives for attacking IT systems, and some of which are unique to the industrial world. This section details some of the reasons why people might wish to attack an industrial control system.
33.2.1 Technical challenge
Computer experts tend to be motivated by technical challenges and problem-solving. To this type of person, the challenge of breaking into a computer system designed to foil intruders may be too tempting to resist.
To the person interested in compromising a digital system just for the sake of seeing whether it can be done, the reward is in achieving access, not necessarily inflicting any damage. These people are generally not a direct threat, but may pose an indirect threat if they share their expertise with others harboring sinister motives.
Other individuals motivated by the technical challenge of accessing a digital system are interested in seeing just how much havoc they can wreak once they gain access. Such individuals are analogous to digital arsonists, interested in starting the biggest fire that they can simply for the sake of the fire’s size.
The major motive driving IT cyber-attacks today is profit: the theft of credit card and other sensitive digital information which may be sold on the black market. Criminal organizations benefit from this style of digital attack, with many attackers becoming millionaires by way of their digital exploits.
Another form of profit-driven attack is commonly called ransomware, where an attacker inserts malicious software on the victim’s computer(s) preventing access to the system or encrypting files such that they become unusable. This malware then presents a message to the victim asking for monetary payment in exchange for normal system access.
Neither of these attacks is novel to industrial systems; in fact, both are commonplace in the IT world. What is novel in industrial systems is the severity of the repercussions. One might imagine the response from an oil drilling rig’s management team to ransomware preventing start-up of a new oil well, where the cost of downtime may be in the range of millions of US dollars per day of production. Not only is the imperative to get back online stronger than it would be for a private individual whose home computer was being held ransom, but the ability of an oil company to immediately pay the attacker is much greater than that of any private individual.
Another potential application of the profit motive in industrial system attacks is commodities trading. Traders who profit from the purchase and sale of commodities produced by industrial manufacturers might stand to gain by knowing the day-to-day operational status of those manufacturers. If such people were to access the production and inventory logs residing in a facility’s digital control system, for example, they may be able to make more profitable trading decisions based on this privileged information. Eavesdropping on industrial control system data therefore poses another mode of insider trading.
Aside from gathering data from industrial systems for the direct purpose of profit, less direct motives for attacking industrial control systems exist. One such motive is the theft of proprietary process data, for example recipes and formulae for producing chemical products such as craft foods and drinks, as well as pharmaceuticals.
Special control strategies and process designs critical to the manufacture of certain products are valuable to competing organizations as well. A chemical company eager to discover how to control a temperamental new chemical reaction process might wish to sample the controller algorithms and instrument configurations used by a successful competitor. Even if these design details were not stolen outright, the attacker may gather valuable test data and learn from the developmental mistakes of their competitor, thereby saving time and money pursuing their own design.
Militaries also stand to gain from espionage of industrial measurement and control systems, since the military capabilities of other nations are founded on industrial-scale operations. A country interested in tracking the development of an adversary’s nuclear weapons potential, for example, would have a motive to perform digital espionage via the control systems of those foreign nuclear facilities.
Here, at least in my view, is where cyber-security as it relates to industrial control systems becomes really interesting. The major factor distinguishing digital control system security from IT system security is the former’s supervision of a real physical process. This means a control system cyber-attack has far more direct potential for harm than any IT cyber-attack.
Corporations and nation-states both have an interest in industrial sabotage if it means they may diminish the economic productivity of a competitor. A country, for example, whose export market is dominated by a single product may be tempted to launch cyber-attacks against facilities producing that same product in other countries, as a means to either maintain or elevate their power in the world economy. Corporations have the exact same interest, just at a different level within the global economy.
Certain activists may also have an interest in sabotaging an industrial facility. Shutting down production of a facility they deem dangerous or unethical, or perhaps just causing the company financial loss through poor product quality and/or non-compliance, are potential motivators for activists to target specific industrial processes.
Military interest in industrial sabotage is practically a “given” assumption, as such a cyber-attack merely constitutes a new type of weapon to add to their existing arsenals. Unlike conventional weapons, cyber-weapons are relatively inexpensive.
Another category of sabotage relevant to cyber-attacks is that perpetrated by malicious insiders. This last category is especially troubling, as it involves personnel with in-depth knowledge of the digital systems in question. This simple fact makes defense against such attacks extremely challenging, because these are people normally authorized to access the system and therefore are able to bypass most (if not all) security measures. A few notable examples of internal sabotage are listed here:
- Secret agents of foreign nations
- Recently discharged (former) employees
- Disgruntled employees within a corporation
The destructive potential of a government operative with access to critical systems needs no further explanation. Employees, however, do. An employee who gets laid off or fired may still have access to their former employer’s critical systems if their system account is not promptly closed. The same is true if the company maintains a lax password policy, such as multiple people sharing a common user account. Even current employees may be motivated to sabotage their employer’s systems, especially where there might be an economic advantage to doing so.
This last motive is especially troubling when one considers the proliferation of digital technology and the disconcerting rise of terror-related attacks around the world. The goal of terrorists is quite simply to instill terror as a means of manipulating and/or punishing perceived enemies. Driven by ideology, terrorists tend not to discriminate when selecting their targets. As with the arsonists previously mentioned, success is measured by the magnitude of terror and carnage instilled by the event. Common concerns of ethics are trumped by the dictates of the ideology.
The attacks of September 11, 2001 taught the world how ordinary technologies and systems (in that case, fully-fueled jet passenger aircraft) may be exploited as weapons capable of killing and injuring thousands of people. Industrial process designers would do well to think in similar terms, examining their systems not just from the perspective of their intended purpose but also as potential weapons wielded by terrorists.