[SystemSafety] Saudi Arabia Cyber Attacks - Aimed to Trigger Explosions By Compromising Controllers

W.L. Mostia wlmostia at msn.com
Fri Mar 16 19:04:54 CET 2018


This article is misleading and a doom-and-gloom article designed to stir up public fears for the sake of the article's author and paper.  There is no doubt that the attack on the Schneider Electric Triconex safety PLC is serious and potentially represents a shift toward attacking safety systems rather than just attacking ICS control systems.  This system, however, violated several prime tenets of SIS design and operation, e.g. shared control system and safety system engineering terminals (lack of independence), PLC control switch left in "Program" mode (lack of operational discipline), allowing access to the SIS from the Internet (lack of independence), and failure to control data flow to the SIS (poor design).  Fortunately, the Triconex detected a program discrepancy and failed safe by shutting down the process as it was designed to.  By itself the SIS should not be able to cause an immediate explosion, which would require compromising the SIS safety function(s) and a safety demand within the timeframe to the next proof test interval, as well as a failure of the system relief valves and other IPLs.

This is why the correct design of the process layers of protection is very important.  Having different layers of protection such as instrumented protection systems (SIS, DCS alarms, independent alarms, safety control loops, interlocks, etc.) and physical protection systems (relief valves, rupture disks, mechanical limits, inherently safe process design, dikes, etc.) sets ICS systems apart from IT systems.  This does not prevent attacks from occurring but helps prevent a hazardous condition from being caused in the process by a cyber attack.  The engineering design is important, and dividing the ICS & IT systems up into zones and conduits and installing firewalls, while necessary, is not sufficient in protecting ICS systems.

Here are some websites that give a better picture of what happened in this attack.

   https://www.youtube.com/watch?v=f09E75bWvkk
   https://www.youtube.com/watch?v=nAU8X03Eg9c
   https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
   www.securitynewspaper.com/2017/12/15/attackers-deploy-new-ics-attack-framework-triton-cause-operational-disruption-critical-infrastructure/
   https://dragos.com/media/trisis-webinar-20171219.html


William (Bill) L. Mostia, Jr. PE
ISA Fellow, FS Eng. (TUV Rheinland)
WLM Engineering Co.
281-728-3722
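The layers-of-protection argument in the reply above (a compromised SIS still needs a process demand before the next proof test, plus failure of the relief valves and other IPLs, before anything explodes) can be put into LOPA-style numbers. The following is an added illustration, not code from the mailing-list post or from any vendor: it multiplies an initiating-event frequency by the PFD of each independent layer, models a cyber-compromised layer as PFD = 1, and computes the chance that a demand arrives within the window before the next proof test. All frequencies, PFDs and layer names are constructed for the example; real values come from a site LOPA.

```python
"""
LOPA-style illustration of independent protection layers (IPLs) under cyber compromise.
Added example; all numbers below are constructed assumptions, not site data.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float  # probability of failure on demand, 0.0 .. 1.0


def mitigated_frequency(initiating_freq: float, layers) -> float:
    """LOPA core: mitigated event frequency (per year) =
    initiating-event frequency x product of the PFDs of the independent layers."""
    if initiating_freq < 0:
        raise ValueError("initiating frequency must be non-negative")
    f = initiating_freq
    for layer in layers:
        if not 0.0 <= layer.pfd <= 1.0:
            raise ValueError(f"PFD out of range for {layer.name}: {layer.pfd}")
        f *= layer.pfd
    return f


def compromise(layers, *names):
    """Model cyber-compromised layers as PFD = 1: they no longer protect at all."""
    return [Layer(l.name, 1.0) if l.name in names else l for l in layers]


def demand_within_interval(demand_rate: float, interval_years: float) -> float:
    """Probability that at least one safety demand occurs before the next proof test,
    assuming demands arrive as a Poisson process at demand_rate per year."""
    if demand_rate < 0 or interval_years < 0:
        raise ValueError("rate and interval must be non-negative")
    return 1.0 - math.exp(-demand_rate * interval_years)


# Constructed scenario (assumed values): overpressure demand from a loss of level control,
# protected by an operator-alarm layer, a SIL 2 SIS, and a relief valve.
DEMAND_RATE = 0.1  # initiating events per year (assumed)
LAYERS = [
    Layer("DCS high-pressure alarm + operator response", 0.1),
    Layer("SIS (SIL 2 shutdown)", 0.01),
    Layer("Relief valve", 0.01),
]
PROOF_TEST_INTERVAL_YEARS = 1.0  # assumed SIS proof-test interval


def scenario_summary():
    """Compare the mitigated event frequency with the SIS intact, with the SIS
    compromised, and with every layer compromised; plus the chance that a demand
    even occurs before the next proof test gives the defender a look at the logic."""
    intact = mitigated_frequency(DEMAND_RATE, LAYERS)
    sis_down = mitigated_frequency(DEMAND_RATE, compromise(LAYERS, "SIS (SIL 2 shutdown)"))
    all_down = mitigated_frequency(
        DEMAND_RATE, compromise(LAYERS, *(l.name for l in LAYERS)))
    return {
        "intact_per_year": intact,
        "sis_compromised_per_year": sis_down,
        "all_layers_compromised_per_year": all_down,
        "p_demand_before_next_proof_test": demand_within_interval(
            DEMAND_RATE, PROOF_TEST_INTERVAL_YEARS),
    }


if __name__ == "__main__":
    for key, value in scenario_summary().items():
        print(f"{key:36s} {value:.3e}")
```

With the assumed numbers, knocking out the SIS raises the mitigated frequency by a factor of 100 (from 1e-6 to 1e-4 per year), which is serious but is still two orders of magnitude short of the unprotected process, because the relief valve and the alarm layer are independent of the logic solver. The attacker additionally needs a real demand to occur before the discrepancy is caught at the next proof test; at a demand rate of 0.1 per year and a one-year interval that is roughly a 9.5% chance. The design lesson in the post is visible in the code: the number that matters is the product over layers, so physical layers that cannot be reached over a network keep their PFD no matter what happens to the PLC.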

-----Original Message-----
From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de> On Behalf Of Gareth Lock
Sent: Thursday, March 15, 2018 3:50 PM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: [SystemSafety] Saudi Arabia Cyber Attacks - Aimed to Trigger Explosions By Compromising Controllers

Safety and Security?

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

Not unsurprising really.


Gareth Lock
Director

M: +44 7966 483832
E: gareth at humaninthesystem.co.uk
W: http://www.humaninthesystem.co.uk
T: @HumaninSystem

Skype: gloc_1002
WhatsApp: +44 7966 483832

International speaker on human factors and non-technical skills
Published specialist on non-technical skills -
https://www.humanfactors.academy/blog/sticky-published-articles

_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
