A cybersecurity expert says he has found an all-too-easy way that hackers can get into plants and factories and cause trouble.

You need steam in a gas plant—no steam equals no energy. And you can’t get the water in to make that steam without water pumps.

Now a cybersecurity researcher says he has discovered that hackers can get in to mess with pumps like those, as well as other motors that keep our world moving.

The attack path, says Reid Wightman with Digital Bond, is simpler than you might think.

“Pretty darned easy,” he told Archer News.

The attacker “doesn’t need a big brain, just a medium-sized brain,” he explained to the audience at S4x16, a cybersecurity conference in Miami.

Critical speed

Wightman said some believe it is hard to damage equipment through cyber means, in part because an effective attack would require knowledge of the equipment and the laws of physics.

“I think it’s the kind of perception that the industrial world has lulled itself into,” he said.

Wightman’s research focuses on the “critical speed” of a motor, the speed at which it starts to vibrate and could do damage. It is often not the highest speed of the motor, he said.

He found that he could break into the equipment that controls the motor and change the speed. On top of that, the same equipment showed him the motor’s critical speed, without any sort of cyber protection on the data. That means a cyber intruder could get inside each machine, quickly learn the critical speed, and set the attack in motion.

“The controller gives you the recipe for damaging the equipment,” he explained. “That definitely popped out at me. That’s the sort of setting that should be protected.”

Do not push this button

Other cybersecurity experts say this unprotected “recipe” is a security problem.

“It’s a big red button saying, ‘Do not push this button. Here it is,’” said Monta Elkins with FoxGuard Solutions.

“He was answering the charge that you can’t attack these systems because they are too complicated and poorly documented,” said Elkins. But, he added, “The knowledge you need is included in the thing.”

“It demonstrated how ubiquitous it is, how easy it is,” said Daniel Lance with Archer Security Group. “He was just showing the rampant, widespread ability to do this.”

What can this kind of attack do?

The attacker can set the motor at a speed that will cause “bad vibrations,” Wightman said. But he does not think the result would be catastrophe.

“No explosion. It’s not like the Second Coming or something like that,” he said. “I doubt that anybody’s going to get hurt by it. I don’t think it’s going to be a life safety issue.” 

It could, however, slow down operations and cost money.

“It can cause damage to motor and surrounding equipment. It’s going to prematurely wear out the motor and it may cause vibration damage to the motor. It may cause vibration damage to nearby equipment,” he said. “If there are pipes nearby, it could begin making the pipes spring leaks.”

This kind of attack might be slow, Wightman said, but it could also fly under the radar.

“It takes a bit of time to do damage,” he said. “But it’s also pretty hard to diagnose.”

Under the radar

If the motor is vibrating in a destructive way, you might think someone at the gas plant, or water plant, or mining operation or manufacturing company would be able to spot the problem and stop it.

“You’re changing the motor speed. Isn’t somebody going to notice?” asked Wightman.

But he said diagnosing motor vibration issues can be difficult.

The motor may adjust to account for the vibrations, he explained.

“You can kind of trick operators into thinking their motors are running at the right speed,” he said. “You’re causing the motor to slow down, but the operator thinks it’s operating at the same speed.”

“There currently aren’t a lot of solid, reliable, high-integrity means to be able to detect this attack,” said Lance. “The existing ability to prevent or detect is currently quite low.”

Finding normal

The key, according to experts, is keeping track of the data from your motors, which many companies do not do.

“Is anybody logging these settings? Are you monitoring? Are you logging it somewhere?” asked Wightman.

If you are not keeping track of the data, you may not know what is “normal,” and what is “not normal” for running the motors, experts say.

“You need to understand what is the proper operational data,” said David Foose with Emerson Process Management.

He said plant workers often rely on each other to know what is “normal,” as opposed to tracking data that can show them a clearer picture.

“A lot of times, there are only a few guys who understand the plant as a whole. Plant operators rely on the guy on the shift before them to tell them what’s going on,” he said. “They’ve been trained that way.”

“Operators rely on the system graphics [control system information] along with the previous shift for situational awareness. They must trust the data they are given due to the speed and fragile nature of the tuning/process [of equipment],” Foose added.

Defeating the medium-sized brain attacker

Some companies with large electric motors connected to the internet need to make this security vulnerability a high-priority issue, Wightman said.

Vibration monitoring tools may help, experts say, along with the basic security defenses that plants should be using to stay safe from cyber attacks.

“Don’t trust your [automatic motor] controllers. You might think about instrumenting them with vibration sensors, and try to collect more data for your equipment,” said Wightman.

“It’s raising the bar. Our whole job is making it harder on people [attackers],” said Foose.
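
One way to act on the advice above (log the drive's settings, learn what "normal" looks like, and check the controller against an independent sensor) is sketched below as an added example; it is not code from Wightman, Digital Bond or any vendor. The setting names, tolerances and sample readings are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed known-good log rows:
# (speed the controller reports, speed from an independent tachometer, vibration in mm/s)
KNOWN_GOOD = [(1780, 1778, 1.9), (1780, 1781, 2.1), (1780, 1779, 2.0),
              (1780, 1782, 2.2), (1780, 1780, 1.8)]

# Hypothetical setting names; a real drive's parameter list will differ.
APPROVED_SETTINGS = {"speed_setpoint_rpm": 1780, "ramp_time_s": 30}


def build_baseline(samples, settings):
    """Record the approved settings and the normal vibration level."""
    vib = [s[2] for s in samples]
    return {"settings": dict(settings),
            "vib_mean": mean(vib),
            "vib_sd": stdev(vib)}


def check(sample, settings, baseline, rpm_tol=0.02, k=3.0):
    """Return alerts for one logged reading plus the settings read at that time."""
    reported, measured, vib = sample
    alerts = []
    # 1. Any drift from the approved settings is worth a look, whoever made it.
    for name, approved in baseline["settings"].items():
        if settings.get(name) != approved:
            alerts.append(f"setting_changed:{name}")
    for name in sorted(settings.keys() - baseline["settings"].keys()):
        alerts.append(f"setting_added:{name}")
    # 2. Do not trust the controller alone: compare it with the independent sensor.
    if abs(reported - measured) > rpm_tol * max(reported, 1):
        alerts.append("speed_mismatch")
    # 3. Vibration well above the learned normal (mean + k standard deviations).
    if vib > baseline["vib_mean"] + k * baseline["vib_sd"]:
        alerts.append("vibration_high")
    return alerts


if __name__ == "__main__":
    base = build_baseline(KNOWN_GOOD, APPROVED_SETTINGS)
    changed = {"speed_setpoint_rpm": 1450, "ramp_time_s": 30}
    print(check((1780, 1779, 2.1), APPROVED_SETTINGS, base))  # normal reading
    print(check((1780, 1650, 2.0), APPROVED_SETTINGS, base))  # controller and sensor disagree
    print(check((1450, 1449, 4.5), changed, base))            # setting changed, vibration up
```

The second check covers the case described earlier in the article, where the operator sees the expected speed while the motor is actually turning at a different one.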