Digital controls are vital to the operation of modern industrial infrastructure. They are also gateways to computer viruses, malware, and especially cyberattacks that can bring down facilities, whose operations depend on the accurate monitoring and control of valves, pumps, and other equipment.
The results of successful cyberattacks on utilities, pipelines, refineries, tank farms, manufacturers, and other sites can be serious — even catastrophic. The ability of hackers to reset or otherwise sabotage valves and pumps could cause massive failures that result in extensive damage, injuries or loss of life to personnel, and hundreds of millions of dollars in repair costs.
Most industrial cyberattacks are data-gathering operations generated by criminals and, sometimes, unscrupulous competitors. Many, however, are state-run enterprises — using viruses, malware, and cyberattacks to gather intelligence about an adversary’s capabilities and, in a conflict, disable vital systems — and they are a growing threat.
Cyberattacks even take the place of traditional espionage. In the United States and Western Europe, it’s been suspected, though never publicly acknowledged or proven, that China has hacked into some classified defense programs and stolen developmental data about aircraft and weapon systems.
The threat of cyberattacks on infrastructure and other industrial operations is thus very real. While companies usually do not publicize such incidents, so as not to alarm the public or regulators — or generate news that could adversely affect their valuation — security experts say hackers probe most operations on a regular basis.
In 2013, the U.S. Department of Homeland Security compiled a report that revealed 23 gas pipeline companies had been targets of cyberattacks from late 2011 to mid-2012. According to an article on Feb. 28, 2013, in Oilprice.com, independent security experts traced the digital signatures of these attacks to an espionage group with connections to the Chinese military. Data stolen from the companies reportedly included the information necessary to blow up thousands of gas compressor stations simultaneously.
Such a disruption could benefit hackers in many ways, chief among them being extortion, manipulation of a company’s stock price, and a conflict tactic. (The first state-sponsored cyberattack may have been in 2007, when Russia launched denial-of-service attacks on Estonia.) Software developer SAP, for one, has said that at least 80 million barrels of oil a day are processed through IT systems. Bringing these computer transactions down would shock global oil markets and spike up prices.
Companies are working to counter these threats, though for most it’s still a game of catch-up. Infrastructure companies, especially, realize that the type of protection needed to guard against malware and cyberattack is different in scope and capabilities than conventional IT safeguards. Some equipment and services vendors are beginning to supply their own cyber-security systems to counter infrastructure and industrial threats.
One such is Metso, a global supplier of equipment and automation for oil and gas, waste-to-energy, pulp and paper, and other industries. The company has formed a security business that provides anti-virus software, software patches, firewalls, private networks, and other capabilities to prevent or minimize disruptions from cyberattacks.
Metso officials say that most industrial operations rely on networked capabilities in software, sensing, monitoring, and diagnostics and are consequently vulnerable to cyberattacks. The digital systems that make the most sense in terms of applications and investment are generally among the easiest to hack if adequate security precautions haven’t been enacted.
Metso says that its cybersecurity service routinely conducts audits of the automation installations to identify vulnerabilities and potential points of penetration by hackers. The company also keeps customers updated on new and evolving threats. And if a system is compromised, Metso provides back-up services and hardware to minimize data loss and disruptions and aid in a rapid recovery.
Other companies perform similar functions. Nevertheless, indications are that there are too few sources of industrial-strength digital safeguards available.
Cyberattacks are not a problem that will be eliminated — there are way too many benefits for the attackers. But it can be deterred if truly effective security measures are in place. Any company that links valves and pumps to a digital network needs to be aware of its vulnerability to hackers and work with experts to preserve operational integrity.