Some history of computers in chemical plant
Computers have been used in chemical plant since basically the point at which computers* existed as a meaningful thing, which is to say, roughly post-WW2. Like most technology, war was one of the main drivers - firstly to brute-force ciphers, then to make better ciphers, then to guide missiles carrying thermonuclear warheads and work out how big a boom they’d make. I still use the language designed to answer that last question. I’d also, though I’m far from expert in this field, like to mention at least the design philosophy of the F-16 Falcon fighter jet, whereby instead of designing a plane a human flies, they thought of it as something a human commands, and the lower-level details are abstracted into a control system. You might say an Industrial one.
Anyway. If you talk about ICS, a common meme comes around, which basically amounts to “this stuff is old, and doesn’t get updates, so vulnerable”.
Here’s a rough timeline:
1930-40s: if you have a Bombe life is pretty good, you can read some Nazi codes. But you probably don’t have a Bombe.
1950s-60s: You can whistle into phone lines and get free long distance calls.
1987: You can, with a powerful transmitter, push a lo-fi version of Max Headroom over Doctor Who. At least one person noticed, which is surprising.
1988: You can, if you understand C in particular, write a computer worm by exploiting buffer overflows.
1990s: Hackers, WarGames, and Jurassic Park are all released. A golden age, and Terminator 2 references neural nets, so clearly these concepts are making the mainstream.
2000: You can, if you understand how Windows displays file extensions, write high-level Visual Basic code and deploy some extreme viral marketing.
2003: Remember buffer overflows? If you understand Microsoft SQL Server and the advantages of UDP, now you can take down the whole internet with them.
1999: if you are a disgruntled contractor in Maroochy Shire, Australia, who still has access keys to a sewage plant, you can use them to play merry hell, releasing 250 kgal of nasty stuff into the environment.
2008: If you have an IR remote, looks like you can derail some trams in Poland.
2008-10: If you understand Siemens PLCs and can develop multiple Windows 0-days, you can… frustrate, but not destroy, an Iranian enrichment program. You probably don’t.
2010s: If you understand the potential for Office macros, and can write firmware for serial-to-ethernet converters, then you can mess with the Ukrainian power grid. I, of course, recommend Sandworm (what is it with computer geeks and high-concept sci-fi?)
2016-17: If you
2021: If you understand how to use Shodan to find Windows RDP connections and can guess a password, you can alter lye concentrations in drinking water in Oldsmar, Florida. Though probably not to 11,000 ppm, and, you know, the human operator managed to overrule you anyway.
Also 2021: If you have a Windows-based ransomware toolkit, you can take down a major US gas pipeline. No explosions, no product.
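The Oldsmar entry above turns on a setpoint that was pushed far outside anything the process could sensibly accept, and on a human catching it. As an added illustration (not code from the original post, and not from any real plant), here is a small Python setpoint guard of the kind that can sit below the HMI as its own defence layer: a hard engineering range plus a maximum step per request, with anything rejected handed to an operator alarm. The tag name, the 50–200 ppm range, the 20 ppm step limit and the starting value of 100 ppm are all constructed assumptions; only the 11,000 ppm figure comes from the post.

```python
"""Setpoint guard: engineering-limit and rate-of-change checks enforced
independently of whoever holds the HMI login.

Added illustration for this post. The tag name, limits and sample requests
below are constructed, not taken from any real plant or from the Oldsmar
incident."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    name: str
    low: float       # hard engineering floor for the setpoint
    high: float      # hard engineering ceiling for the setpoint
    max_step: float  # largest change accepted in a single request


# Constructed limits for a hypothetical caustic (lye) dosing setpoint, in ppm.
LYE_SETPOINT = TagLimits(name="NaOH_dose_ppm", low=50.0, high=200.0, max_step=20.0)


def check_setpoint(limits: TagLimits, current: float, requested: float):
    """Return (accepted, reason). A rejection is what should raise the operator alarm."""
    if requested < limits.low or requested > limits.high:
        return False, (f"{limits.name}: {requested} outside engineering range "
                       f"[{limits.low}, {limits.high}]")
    step = abs(requested - current)
    if step > limits.max_step:
        return False, f"{limits.name}: step of {step} exceeds max step {limits.max_step}"
    return True, "ok"


def apply_requests(limits: TagLimits, start: float, requests):
    """Apply a sequence of requested setpoints in order.

    Returns the final accepted value and the list of rejection reasons, so a
    caller can both keep the process inside its limits and see what was tried.
    """
    current = start
    rejected = []
    for req in requests:
        ok, reason = check_setpoint(limits, current, req)
        if ok:
            current = req
        else:
            rejected.append(reason)
    return current, rejected


if __name__ == "__main__":
    # Constructed request sequence: a normal nudge, a wildly out-of-range jump
    # (the 11,000 ppm figure from the post), then another normal nudge.
    final, alarms = apply_requests(LYE_SETPOINT, 100.0, [110.0, 11000.0, 115.0])
    print("final setpoint:", final)
    for a in alarms:
        print("ALARM:", a)
```

The two checks fail in different ways on purpose: the range check stops the obviously absurd value regardless of history, while the step check catches a sequence of individually in-range changes that together move the process too fast for an operator to review.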
So, what are we noticing, and what are we not?
Firstly: almost none of this malware is PLC-specific or needs to know about these crusty old ICS protocols.
It’s mostly Windows-based, and don’t worry, this isn’t an anti-Microsoft screed. Rather, I think this backs up the obvious market-based hypothesis: most companies rely on Windows in some manner to function. So threat actors target that, even though at this point Windows has several decades of development focused on security.
Secondly: even with the might of nation-state actors, the most common MITRE-type effect is Denial of Service. Oldsmar lost a layer of defense (and is excellent testimony of the value of human operators), and Natanz was frustrated but again, not destroyed. This might just be because safety inspectors aren’t complete morons, and won’t take “we put a computer on it” as a vouchsafe. But, for the same reasons, we’ve seen a lot of Denial of Service: a plant that isn’t provably safe gets shut down.
Thirdly: if hacktivists could take offline a fossil- or nuclear- power plant by cyber means, they, well, don’t seem to have bothered.
* I’m excluding human computers here, who were of course frequently women, and certainly used by big organisations up until the point where Marvin takes over.