CBRN / HazMat Training Blog

The threat of cyber attacks on industrial HazMat safety

Written by Steven Pike on 25 April 2018

hazmat-safety-industrial-incident (1)

Major industrial hazardous material (HazMat) incidents are thankfully rare. 

However, with the many thousands of highly toxic chemicals currently in commercial use worldwide, there is the ever-present risk of release - whether it be due to an accident, or as the result of an intentional act of aggression.

The risks of malware on HazMat safety

One example of a new threat within the world of industrial HazMat safety is the use of malicious software that has been designed to deliberately sabotage the operations of major industrial facilities.

Malicious software (or malware) is the term given to a variety of sophisticated and hostile software programs that are intended to cause disruption, disablement or harm to a company's internal computer systems. 

Common examples include computer viruses (any program that spreads by infecting other programs or files,) Trojan Horses, worms, spyware and ransomware.

Until fairly recently, malware attacks have tended to target IT systems with the purpose of stealing information or embezzling funds. 

But there is also new evidence that hackers are moving their attention to targeting industrial systems and automated processes.

The NTT Security Global Threat Intelligence Center (GTIC) 2017 Q3 Threat Intelligence Report offers insight into the risk of cyber attacks for technology and industry. 

Amongst its findings is the fact there has been an increase in the number of cyber-security events, up 24 percent since Q2. Latest statistics also show that the manufacturing and technology sectors together accounted for 33 percent of all reported cyber-attacks in the last quarter.

Saudi Arabian cyber-attack

The reports of a sophisticated cyber-attack on a major Saudi Arabian oil and gas facility in August 2017 is a stark reminder of the serious damage and disruption that the deliberate disablement of an industrial plant can potentially cause.

In March 2018 the online HazMat publication HazardEx provided new insight into the source of the attack, reporting on the findings of security sites Cyberscoop and CyberArk. 

As the HazardEx article explains, the attack appears to have been designed to shut down safety controllers, which, had it gone to plan, would have caused a major explosion at the plant.

The first signs of a problem at the facility were when items of machinery at the plant began "randomly shutting down" during working hours.  As it transpired, the plant’s own internal security systems detected the anomaly which forced a complete power outage before any damage was caused.

Identifying the cause

The cause of the shutdowns has since been traced to a computer file which contained highly-complex malware, disguised as code from the plant's technology partner Schneider Electric.

The digital weapon of choice has been identified as a rare form of computer virus that researchers have dubbed Triton (or Trisis.)

Triton forms part of a small family of highly complex malicious software programs that are specifically engineered to damage, disrupt or disable the Triconex Safety Instrumented System (SIS) within an industrial plant.

Triconex controllers are currently in use in more than 18,000 industrial facilities worldwide, including oil and gas refineries, chemical factories, nuclear plants and water treatment centers.

The SIS components of the controllers operate independently and are designed to monitor for potentially dangerous conditions and to trigger alerts in the event of an accident or suspected sabotage.

As researchers have now been discovering in the months since the incident, the Saudi Arabian attack ultimately failed due to a flaw in the coding of the malware. However the potential for serious physical and environmental harm cannot be overlooked.

Chemical accidents can happen on a small or large scale anywhere that hazardous materials are used. And effective response to any hazardous substance incident relies on the specialized knowledge, training and expertise of highly trained HazMat teams.

Cyber-attacks on complex industrial and technological systems remain relatively rare occurrences for now.  However a successful future attack could have a wide range of far-reaching impacts which would present HazMat response teams with complex challenges.

New Call-to-action

Topics: Chemical Hazard Training

Steven Pike

Written by Steven Pike

Steven Pike is the Founder and Managing Director of Argon Electronics (UK) Ltd. A graduate of the University of Hertfordshire, Steven has been awarded a number of international patents relating to the field of hazardous material training systems and technology.