I’ve been working in OT as a supplier to utility companies now for nearly twenty years. OT stands for “Operational Technology” – distinct, but a sister to, the more familiar IT – Information Technology. OT shares much of the characteristics of IT – it’s about hardware and software – but focuses on managing assets in the field, rather than, say, helping users in offices.
Security is such an essential part of the IT picture these days – we are all aware of firewalls and anti-virus apps in the corporate environment. In OT it’s just as big an issue, and the impact of a breach can be enormous.
List of successful attacks
Here I list a selection of cyber attacks on utilities that have caught my attention over the years. This list is definitely nowhere near exhaustive, even for incidents which have made it into the public arena. And, like an iceberg, there will be many more incidents which the utilities are aware of but don’t want to publicise, and even more that have gone undetected but perhaps haven’t had significant consequences. So I’ve just tried to pick out a handful of noteworthy incidents to give a flavour of what security problems an OT department can face.
Maroochy Shire, Australia
An employee of the supplier of a SCADA system used by a water utility became disgruntled after a failed job application and operated that system to release millions of litres of untreated sewage into the environment in Queensland, Australia.
This one is interesting for a number of reasons:
- It happened in the year 2000, and was a bit of a wake-up call to many utility companies.
- It was an “insider attack” because the attacker was a disgruntled contractor who had worked on the system previously which had given him access and know-how
- He made a large number of attempts to cause the sewage spill before he was successful. No-one detected the failed attempts – he was free to continue with trial and error before he was successful.
Probably the most infamous hack on a utility so far was discovered in 2010. An unknown hacker developed some malware which found its way into the control systems of an Iranian nuclear power facility. The believed target was the part of that facility which operated the Uranium enrichment program. Although the identity of the hacker has not been confirmed, there is much speculation that it was a nation state such as the USA or Israel.
The malware, once it infected the SCADA system, controlled many of the centrifuges which were performing the enrichment in an undesirable way, operating them beyond their safe “envelope” and causing them to break. This is thought to have set the Iranian nuclear program back a number of months, if not years.
Ukrainian power grid
In December 2015, a hack on the Ukranian power grid caused a power cut to 700,000 homes for up to 6 hours. The attack method seems to have been the good-old IT issue of stolen login credentials. Once into the system, the attackers commanded 30 substations and 2 power distribution centres to go offline; they also disabled backup systems to the operation centres.
Several Iranian nationals were charged in the spring of 2016 with committing a series of cyber attacks in the US, including hacking the control system for the Bowman Avenue Dam in New York state. The hacker didn’t actually execute any operations, but did have access to be able to change the floodgate which, if opened in a storm, could have caused significant flooding.
Just like in the IT world, OT systems are vulnerable to hacking and cyber-attacks. Almost all utilities rely on OT systems for their day-to-day operation, and, without careful design and constant diligence, successful attacks on their OT systems will continue to be a reality. OT systems control real-world assets, and if their control falls into unauthorised hands then the consequences can be far-reaching.
If you think I’ve missed any important ones then please let me know and I’ll consider adding them to the list.
Neil Tubman, Terzo Digital, August 2016.