How Do Cyberattacks on Pipelines and Other Industrial Installations Work?
It’s no news that large technology companies suffer one cyberattack after another. But a cyberattack on the operational technology of an industrial plant, a pipeline or a power station?
That is a different order of threat. A successful attack can halt industrial operations and harm everyone who depends on the victim’s output; at worst it can damage a nation’s economy.
So how do cyberattacks on pipelines and other industrial installations work? Let’s dig in.
Why Cyberattacks Happen to Industrial Installations
For most of us, it is hard to see how anyone could launch a cyberattack against a plant that is, at bottom, a collection of pumps, valves and motors.
In reality, those pumps, valves and motors are run by digital control systems: programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) software, and the human-machine interfaces (HMIs) operators use to monitor and adjust the process. These systems are increasingly automated, connected to corporate IT networks and reachable through remote-access tools, so operational data, control configurations and logistics information sit on networks that can be reached from the internet and are exposed to theft and tampering.
There are many reasons why cyberattacks on industrial installations such as pipelines, power stations, water utilities and food producers are becoming more common.
Whatever the specific motive, it will usually fall under one of the following categories.
1. Political, Economic, and Business Motives
From a business perspective, attackers sometimes break into an industrial company’s systems to obtain chemical formulations, process designs, market data, and technical or business plans. Such attacks can come from competitors or from parties planning to enter the market.
Politics also plays a part. State-sponsored attacks typically aim to disrupt another country’s critical infrastructure, whether as a show of capability, as coercion, or as part of a wider conflict. One way to do that is to interrupt the industries that keep a country running. Several of the incidents below have been publicly attributed to state actors.
2. Financial Motives
This is one of the most common reasons behind cyberattacks. Attackers hack industrial companies for money in several ways, from stealing data they can sell to extorting the victim directly.
Data theft usually relies on malware or trojans that let the attackers sit in the network undetected. Once inside, they can siphon off process data, designs and commercial information and offer it on criminal markets to anyone interested.
The more direct route is ransomware: the attackers encrypt the target’s systems and demand a hefty payment for the decryption key. Increasingly they also steal a copy of the data first and threaten to publish it if the ransom is not paid.
There are also distributed denial-of-service (DDoS) attacks, in which many compromised machines flood a target’s internet-facing services at once, overwhelming them. Customers and partners cannot reach the company until the attack stops or is filtered, and attackers may demand payment to stop. DDoS rarely touches the control network itself, but it can be used alongside an intrusion to hamper the response, as the Ukrainian case below shows.
How Do These Cyberattacks Work? Notable Examples
Now that you have seen the main reasons behind cyberattacks on industrial plants, let’s look at how they work in practice through these notable examples.
1. The Colonial Pipeline
The Colonial Pipeline carries roughly 2.5 million barrels of refined petroleum products a day from the Gulf Coast to the US East Coast and is the largest fuel pipeline in the country. One would expect a system of that importance to be hard to take down.
Yet in May 2021 the company shut the pipeline down for several days after a ransomware attack. The shutdown caused fuel shortages and panic buying along the East Coast, and the US Department of Transportation issued a regional emergency declaration to ease the movement of fuel by road.
How did the attackers, a criminal group known as DarkSide, cripple Colonial Pipeline’s operations? With ransomware. They are believed to have been inside the network for about a week before the ransomware was triggered.
Initial access came through a legacy VPN account that was no longer in active use but had never been disabled, and that was not protected by multi-factor authentication. Its password was later found in a batch of leaked credentials on the dark web. From that foothold the attackers stole roughly 100 gigabytes of data, then deployed ransomware that encrypted IT systems, including the billing network, and demanded a ransom in Bitcoin for the decryption key. Colonial paid about 75 bitcoin (around 4.4 million US dollars at the time); US law enforcement later recovered most of it.
How did the password end up on the dark web? That was never established publicly. Reuse of the same password on another breached service, or phishing of an employee, are both plausible explanations.
The ransomware never reached the pipeline’s operational technology. Colonial shut the pipeline down proactively because it could not bill for deliveries and could not be sure the infection would not spread from IT into the control systems. The episode shows that an IT-only compromise can still stop an industrial operation.
2. Oldsmar Water Supply System (Florida)
In February 2021, an unknown party gained remote access to the control system of the water treatment plant in Oldsmar, Florida, through TeamViewer, a remote-desktop tool the plant’s staff used to reach the human-machine interface (HMI) from outside the facility.
Once connected, the intruder opened the treatment control screen and raised the setpoint for sodium hydroxide (lye), which is dosed in small amounts to control pH, from 100 to 11,100 parts per million (ppm).
An operator watching the screen saw the mouse move and the value change, and reset it within minutes. Had the change gone unnoticed, the plant’s downstream checks would probably still have caught it before the water reached customers, but dosing a caustic chemical at more than a hundred times its normal level is an attempt to harm the public, whatever the eventual outcome.
How did the intruder get TeamViewer access to the HMI?
The plant’s setup made it easy. All staff shared one TeamViewer password, the machine running TeamViewer was reachable directly from the internet with no firewall in front of it, and it ran Windows 7, for which Microsoft had ended support in January 2020, so it no longer received security patches.
How the shared password was obtained was never publicly established; a leak, reuse on another service, or a guess are all plausible. Shared credentials, an exposed remote-access tool and an unpatched operating system together mean that anyone holding that one password has full operator control. (Later reporting noted that investigators could not rule out the change having been made by an employee rather than an outside attacker; that does not alter the lesson about how the system was exposed.)
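The Oldsmar change was caught only because an operator happened to be looking at the screen. An independent check on setpoint writes is the obvious control to add. The Python below is an added example written for this article, not code from the Oldsmar plant or from any HMI vendor: it reads constructed HMI audit-log lines (the log format, tag name, engineering limits, remote-write policy and user names are all assumptions) and flags writes that fall outside the engineering range, jump further than a legitimate operator action plausibly would, or arrive through a remote session.

```python
"""Added example: out-of-band range checking of HMI setpoint writes.

The audit-log format, tag names, limits and users below are constructed for
illustration; a real deployment would read the HMI's own audit trail or the
historian and use limits agreed with the process engineers.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Engineering envelope per tag (hypothetical values): absolute limits in the
# tag's units and the largest single-step change a legitimate operator action
# would plausibly make.
LIMITS = {
    "NAOH_DOSE_PPM": {"low": 0.0, "high": 500.0, "max_step": 50.0},
}

# Tags that should never be changed from a remote session outside an approved
# maintenance window (hypothetical policy).
REMOTE_WRITE_FORBIDDEN = {"NAOH_DOSE_PPM"}


@dataclass
class SetpointWrite:
    ts: datetime
    user: str
    src: str      # "local" (console in the control room) or "remote"
    tag: str
    old: float
    new: float


def parse_line(line: str) -> Optional[SetpointWrite]:
    """Parse one constructed audit line of the form
    '2021-02-05T13:30:00 user=operator1 src=remote tag=NAOH_DOSE_PPM old=100 new=11100'.
    Returns None for anything that is not a well-formed setpoint write."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        kv = dict(p.split("=", 1) for p in parts[1:])
        return SetpointWrite(
            ts=datetime.fromisoformat(parts[0]),
            user=kv["user"], src=kv["src"], tag=kv["tag"],
            old=float(kv["old"]), new=float(kv["new"]),
        )
    except (ValueError, KeyError):
        return None


def check_write(w: SetpointWrite) -> List[str]:
    """Return the names of the rules this write violates (empty list = clean).

    The rules are evaluated independently so an alert shows every reason at
    once; an Oldsmar-style remote jump to 11,100 ppm trips all three."""
    lim = LIMITS.get(w.tag)
    if lim is None:
        # A write to a tag with no agreed envelope is itself worth a look.
        return ["unknown_tag"]
    findings = []
    if not (lim["low"] <= w.new <= lim["high"]):
        findings.append("out_of_range")
    if abs(w.new - w.old) > lim["max_step"]:
        findings.append("step_too_large")
    if w.src == "remote" and w.tag in REMOTE_WRITE_FORBIDDEN:
        findings.append("remote_write")
    return findings


def scan(lines: List[str]) -> List[dict]:
    """Run every well-formed setpoint write through check_write and return
    one alert record per write that violates at least one rule."""
    alerts = []
    for line in lines:
        w = parse_line(line)
        if w is None:
            continue
        rules = check_write(w)
        if rules:
            alerts.append({"ts": w.ts.isoformat(), "user": w.user, "src": w.src,
                           "tag": w.tag, "old": w.old, "new": w.new, "rules": rules})
    return alerts


# Constructed sample log: a routine adjustment, a non-write line, the
# Oldsmar-style jump, and the operator's correction. The correction also trips
# the step rule; a real deployment would whitelist reverts to the previous or
# a known-good value rather than silence the rule.
SAMPLE_LOG = [
    "2021-02-05T08:00:00 user=operator1 src=local tag=NAOH_DOSE_PPM old=100 new=105",
    "2021-02-05T12:00:00 heartbeat ok",
    "2021-02-05T13:30:00 user=operator1 src=remote tag=NAOH_DOSE_PPM old=105 new=11100",
    "2021-02-05T13:33:00 user=operator1 src=local tag=NAOH_DOSE_PPM old=11100 new=100",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The point of running this outside the HMI is that it does not depend on the same machine or the same password the intruder already controls: feed it from the historian or a read-only copy of the audit trail and send alerts to a channel the operators cannot miss.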
3. Ukrainian Power Substations
Approximately 225,000 customers lost power for several hours in December 2015 after a coordinated cyberattack on three Ukrainian regional electricity distribution companies. The intrusion began with BlackEnergy 3, a remote-access trojan the attackers used to gain a foothold in the companies’ corporate networks.
But how did the attackers get the malware into the utilities in the first place?
Months earlier they had run a spear-phishing campaign against utility staff. The emails carried Microsoft Office documents whose embedded macros, once the recipient enabled them, installed BlackEnergy 3 on the workstation.
That backdoor gave the attackers persistent access to the corporate IT network, where they harvested credentials, including the VPN credentials that let staff reach the industrial control network remotely.
Once inside the control network, the attackers spent time studying the environment. When ready, they hijacked operators’ remote sessions to the SCADA human-machine interfaces (operators reported watching their cursors move on their own) and used them to open breakers at about 30 substations. They also overwrote the firmware of serial-to-Ethernet converters so the substations could not be controlled remotely afterwards, disabled the uninterruptible power supplies at control centers, wiped workstations with the KillDisk component, and flooded the utilities’ customer call centers with a telephone denial-of-service so customers could not report the outage.
4. The Triton Attack
Triton (also called Trisis) is a malware framework built to interact with Schneider Electric Triconex safety instrumented system (SIS) controllers, the controllers whose job is to shut a process down safely when it goes out of bounds. It surfaced in 2017, when it was found in a petrochemical facility in Saudi Arabia.
How the attackers first got in has not been described in detail publicly. What is known is that they reached the corporate network, moved from there into the operational network, and obtained access to the SIS engineering workstation, the same IT-first pattern seen in the other cases here.
From that workstation they deployed Triton, which can read and rewrite the logic running on the Triconex controllers. Reprogramming the safety controllers would let an attacker disable the plant’s last line of protection and then cause physical damage through the ordinary process controls.
The attack failed before that stage. Some controllers rejected the attackers’ malformed logic, failed safe as designed, and tripped the plant into a shutdown. That unexplained shutdown triggered the investigation that found the malware.
5. The Stuxnet Attack
Stuxnet is a computer worm built to attack Siemens programmable logic controllers (PLCs) running one specific industrial configuration. Widely attributed to a joint US and Israeli effort (neither government has confirmed this), it spread between Windows machines through infected USB drives and network shares, exploiting several then-unknown Windows vulnerabilities, so that it could cross the air gap around a facility with no internet connection.
Once on a machine running the Siemens Step 7 engineering software, Stuxnet modified the control logic loaded onto the PLCs. It was discovered in 2010 and is understood to have been aimed at the uranium enrichment facility at Natanz, Iran.
The worm spread far beyond its target, infecting more than 100,000 computers worldwide, but its payload only activated on PLCs matching the centrifuge cascade setup. There it altered the speeds of the centrifuge drives, repeatedly running them outside their safe range while feeding operators recorded normal sensor readings, so that around a thousand centrifuges wore out or broke before anyone understood why.
6. JBS Meat Processing Plant
Where there is money to be made, attackers will not spare food producers. In late May 2021, a financially motivated ransomware attack hit JBS, the world’s largest meat processing company.
JBS halted operations at plants across North America and Australia for several days, just weeks after the Colonial Pipeline attack.
How did the attack on JBS work?
As with Colonial Pipeline, the attackers (the REvil ransomware group) encrypted systems on JBS’s IT network and demanded a ransom in cryptocurrency. JBS later confirmed it paid about 11 million US dollars in Bitcoin, saying it did so to limit further disruption and to reduce the risk of stolen data being leaked.
Industrial Cyberattacks Follow a Pattern
Each of these attacks had its own plan, but a common pattern stands out: the attackers first needed a legitimate-looking way in, and it came down to credentials or remote access obtained through phishing, leaked or shared passwords, unprotected remote-access tools, or, for an isolated network, a removable drive.
With that foothold they installed the malware suited to their goal, whether ransomware on IT systems or tooling that speaks to the control network, and, in the more patient operations, studied the process for weeks before acting.
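Colonial Pipeline’s VPN account is the textbook case of that first step: a dormant account, no multi-factor authentication, a password that had leaked elsewhere. Those conditions are visible in authentication logs before any ransomware runs. The Python below is an added example for this article, not code from Colonial Pipeline, its incident responders or any VPN vendor: it joins constructed VPN login records with a constructed directory export (the log format, field names, user names, IP addresses and the 90-day dormancy threshold are all assumptions) and flags successful logins on accounts that are unknown to the directory, no longer assigned to a current employee, dormant, or authenticated without a second factor.

```python
"""Added example: flagging risky VPN logins from authentication logs.

Log format, directory export, user names and thresholds are constructed for
illustration. The rules mirror the conditions behind the Colonial Pipeline
intrusion: a legacy account nobody was using, no MFA, and a password obtained
elsewhere.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold

# Constructed identity-directory export: whether the account is still assigned
# to a current employee, and the last successful login the directory knows of.
DIRECTORY = {
    "operator1": {"assigned": True,  "last_success": "2021-04-28T17:00:00"},
    "legacy01":  {"assigned": False, "last_success": "2020-12-01T09:00:00"},
}

REQUIRED_FIELDS = {"user", "result", "mfa", "src"}


def parse_login(line: str) -> Optional[dict]:
    """Parse one constructed VPN log line, e.g.
    '2021-04-29T05:40:00 vpn login user=legacy01 result=success mfa=no src=203.0.113.5'
    Returns None for lines that are not well-formed VPN login records."""
    parts = line.split()
    if len(parts) != 7 or parts[1:3] != ["vpn", "login"]:
        return None
    try:
        ev = dict(p.split("=", 1) for p in parts[3:])
        ev["ts"] = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    if not REQUIRED_FIELDS <= ev.keys():
        return None
    return ev


def check_login(ev: dict, directory: Dict[str, dict],
                last_seen: Dict[str, datetime]) -> List[str]:
    """Return the rule names a successful login violates (empty = clean).
    Failed logins are not scored here; they belong in a brute-force counter."""
    if ev["result"] != "success":
        return []
    findings = []
    entry = directory.get(ev["user"])
    if entry is None:
        findings.append("unknown_account")      # exists on the VPN, not in the directory
    elif not entry["assigned"]:
        findings.append("unassigned_account")   # nobody should be using it at all
    prev = last_seen.get(ev["user"])
    if prev is not None and ev["ts"] - prev > DORMANT_AFTER:
        findings.append("dormant_account")
    if ev["mfa"] != "yes":
        findings.append("no_mfa")
    return findings


def scan(lines: List[str], directory: Dict[str, dict]) -> List[dict]:
    """Score every login in order, tracking the last successful login per
    account so dormancy is judged against real history, not a fixed date."""
    last_seen = {u: datetime.fromisoformat(e["last_success"])
                 for u, e in directory.items()}
    alerts = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        rules = check_login(ev, directory, last_seen)
        if rules:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "src": ev["src"], "rules": rules})
        if ev["result"] == "success":
            last_seen[ev["user"]] = ev["ts"]
    return alerts


# Constructed sample log (addresses are from documentation ranges).
VPN_LOG = [
    "2021-04-29T05:12:00 vpn login user=operator1 result=success mfa=yes src=198.51.100.7",
    "2021-04-29T05:40:00 vpn login user=legacy01 result=success mfa=no src=203.0.113.5",
    "2021-04-29T05:41:00 vpn login user=ghost result=failure mfa=no src=203.0.113.5",
    "2021-04-29T06:02:00 vpn login user=ghost result=success mfa=no src=203.0.113.5",
    "2021-04-29T06:10:00 vpn login user=legacy01 result=success mfa=no src=203.0.113.5",
]

if __name__ == "__main__":
    for alert in scan(VPN_LOG, DIRECTORY):
        print(alert)
```

The second legacy01 login is no longer dormant, because the first one reset the clock, but it is still unassigned and still without MFA; that is why the rules are reported independently rather than collapsed into a single score. The better fix is upstream: disable accounts the directory no longer assigns and refuse VPN logins without a second factor, so the detector has nothing to find.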
Cyberattacks on Industrial Installations Are Devastating
Cyberattacks on industrial installations are increasing and have become lucrative. As the cases above show, the damage is not confined to the targeted organization; it spreads to everyone who depends on its products. Mechanical equipment is not vulnerable to cyberattacks per se, but the digital control systems that run it are, and through them so is the physical process.
Digital control brings real value, so the answer is not to remove it but to protect it: separate control networks from corporate IT, require multi-factor authentication on every remote-access path, retire shared and unused accounts, keep operator workstations patched, and monitor for out-of-range changes to the process.
Preventing cyberattacks is crucial, and the habits that protect an organization, unique passwords and caution with links and attachments, are the same ones that help you protect yourself online.