New Attacks Against SCADA, ICS, and Industrial Safety Control Systems

This can’t be good.  Klaxons sounding at the chemical plant only meant one thing, that the automatic safety systems were not working and that a dangerous explosion was immanent.  The explosion would release a toxic cloud of hydrogen sulfide gas that would kill everyone at the plant and hundreds of people living nearby.

A movie scene?  A spy novel plot?  Unfortunately not, this is an actual event that took place in Saudi Arabia in the summer of 2017.  Cyber-attackers had installed malware on the network that allowed them to take control of the safety systems in the plant, and override automatic safety control systems.  Fortunately, there were errors in the malware code that tripped network security alerts.  Initially, this activity was attributed to mechanics failure, but on the second incident a forensic investigator was brought in.  Not only was the code discovered, but it because apparent that the cyber-attackers had been in side the network for three years.

This new strain of ICS malware has been named Triton.  Initially, the attack was attributed to Iran, which is an enemy of Saudi Arabia, but further investigation pointed the finger at Russia.

Other examples of  SCADA and ICS attacks include:

  • 2016 – CrashOverride  and 2015 – Black Energy – Two seoarate attacks by Russian on the electric grid of the Ukraine.  Attributed to the Russian Federation, as part of the conventional military campaign in eastern Ukraine by ethnic Russian separatists which support of the Russian army.  The electric utility was first breach in December 2015 cut power to 225,000 people in western Ukraine.  By the following year, December 2016, the cyber attackers had extended their intrusion and increase their control of the power grid, and were able to take over the power distribution system again.
  • 2014 – German Steel Mill – Attributed to an unknown group of experienced hackers.  From the level of skill required, it would seem to be a nation-state sponsored attack.  Target was a steel manufacturing facility in Germany.  This attack was initiated by a spearphishing campaign that gave the attackers access to the business network.  They were able to pivot to the SCADA systems of the factory, and disable controls causing significant damage to a blast furnace.  This an instance where the level of damage was equivalent to a conventional military operation, thus rising to the level of cyber warfare.
  • 2013 Havex – Havex was developed for surveillance on industrial control systems, apparently so that hackers could learn how to attack the systems. The code was a remote access Trojan, or RAT, which is cyber-speak for software that lets hackers take control of computers remotely.  Havex targeted thousands of US, European, and Canadian businesses, and especially ones in the energy and petrochemical industries.
  • 2009-2010 Stuxnet or Olympic Games – Cyber attack attributed to the United States, Israel, Germany, and possibly Great Britain.  Confirmed by General James Cartwright in November 2012.  Target was Iran, particularly the Nuclear Program facility at Natanz.  The excellent documentary Zero Days covers this operation in detail.Since the Natanz facility was not connected to the Internet, the software payload was introduced into the facility using a social engineering exploit called “baiting.”  The bait was USB flash drives that were left in tea, coffee, and hookah bars that Natanz employees were know to frequent.The software payload was a worm that  targeted the PLCs (programmable logic controllers) of Siemens systems running Step7 software.  It also had a built in “kill switch” which was supposed to cause the software to disappear at the certain time.  Modifications to the software cause the kill switch function to fail, and since a certain number of the flash drives were also plugged into Internet connected computers at homes or other office locations, Stuxnet was eventually released into the wild.

These are some of the more notable attacks against industrial systems, most of which have been attributed to Russia.  These sort of attacks could in some cases be easily as physically devastating at and actual military attack. If there is a good reason for creating the cyber-militia we discussed in our last post, this would certainly be a good one.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an information technology and cybersecurity instructor for several training and certification organizations. Bob has worked in corporate, military, government, and workforce development training environments Bob is a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at
  Related Posts

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.