- February 17, 2017
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Industrial Control System Security, Posts with image
In the old days, you might need a forklift or a load of TNT to do big damage at the factory where you worked.
Not any more.
The former IT specialist for a Georgia Pacific paper mill in Louisiana just received a 34-month prison sentence for hacking into his company’s computer system, messing with the mill’s control systems and causing $1.1 million dollars worth of losses, the U.S. Department of Justice announced today.
Georgia Pacific fired Brian P. Johnson from his job at the Port Hudson plant near a historic Civil War site on the Mississippi River on Valentine’s Day 2014, and even had people escort him out of the mill.
Within hours, somebody attacked the plant by computer, causing multiple system failures and slowing the production of the company’s Brawny paper towels, according to the Department of Justice. The attacks continued for almost two weeks.
Investigators eventually checked Johnson’s home and found that he was not only still connected, but also manipulating plant controls on his own, prosecutors said.
Johnson plead guilty to the crime on February 4, 2016, almost two years after parts of the mill shuddered to a halt.
He was sentenced this week.
“Insider threats can cause the most damage to a system, because they know it and have access to it every day,” said Chris Sistrunk, an industrial security expert with Mandiant, a FireEye company.
Johnson had deep knowledge of the plant’s systems, reported The Advocate newspaper in Baton Rouge.
He worked at the mill for almost 15 years and helped write code for some of the paper machines, according to the plant’s public affairs manager in The Advocate.
The mill produced as many as 7,000 cases of paper towels per day at one point, running 24 hours a day and seven days a week.
“All industrial control system asset owners have ‘trusted insiders’ with administrative levels of privilege and expertise in the industrial process,” said Brian Proctor, a cybersecurity expert in utilities and business development manager for SecurityMatters.
That access and expertise allowed him to wreak havoc after he was fired.
“Those two things combined with intent to cause damage or harm to the equipment, personnel, or industrial process can result in varying levels of impact to a plant’s operations ranging from minor operator alarm to catastrophic plant or process failure,” Proctor told Archer News.
What could an attacker do?
In the case of the Port Hudson plant, Johnson took over the distributed control system and quality control system for the paper towel-making equipment, according to The Advocate.
It would be hard to tell what else a malicious hacker could do to mill equipment without more information about the plant, said Proctor.
“But in general terms, they could tell the equipment to stop—thus shutting plant down or slowing it costing money,” he explained. “They could manipulate the manufacturing process which could result in a variety of impacts such as: bad product, equipment breakdown/failure, or other hazardous conditions from an environmental or physical standpoint.”
Your average evil hacker couldn’t do it, according to Proctor, unless he or she had “expert knowledge in the equipment and the industrial process—in this case manufacturing paper products—as well as deep computer/equipment access on the operational technology side.”
Paper mill in Finland. Hacking into a paper mill & causing damage requires knowledge & expertise, according to cybersecurity experts.
Companies need to make sure they shut off access to people who no longer work for them, Sistrunk advised.
“Yes. Any access, period,” he said. “This is a textbook case of the importance of identity and access management and how important it is, especially to industrial control systems.”
That means factories need to make sure they know exactly who has access to their computer systems, how and when.
They can set limits on when people can login, and take away access from everyone except critical employees.
The enemy inside
The judge ordered Johnson to pay back $1,134,828 in damages.
Georgia Pacific has not yet responded to Archer News’ request for information.
The company told The Advocate it would not say why Johnson was originally fired from the plant that also makes Quilted Northern toilet paper.
But the case shows that people running mills and factories have to look out for cyber enemies outside the walls—and sitting right next to them at the cubicle nearby.
“A malicious insider is the most dangerous threat a business can face,” said Travis Smith, senior security research engineer at Tripwire. “Not only do they know the internal workings of the system, they have prior knowledge of where defenses are placed, or worse, how to bypass them.”
You can prepare for the worst, with backup operation plans like the Ukrainian power companies used in the cyber blackout that shut off power for more than 200,000 people in Ukraine in December 2015, Smith said.
“In the case of an industrial control setting, the malicious user could bring the entire operation offline, if only for a period of hours,” he added. “In the case of the Ukrainian outage, it’s important to have manual controls to restore operations where a malicious digital actor cannot operate.”