Skip to Content

How to Damage a Chemical Plant over the Internet

A security researcher has worked out more than a dozen ways to remotely wreck the guts of industrial facilities.
August 7, 2015

Jason Larsen must be the only person trailing two waist-high metal drums connected with pipes around the conference rooms of Las Vegas casinos this week. He brought them to the Black Hat computer security conference Thursday. And at the Defcon hacking conference on Friday he planned to make one abruptly crumple like a giant beer can crushed by an invisible hand.

The loud demonstration is intended to underscore how vulnerable the guts of facilities like chemical plants or oil refineries are to expensive and life-threatening damage triggered over the Internet.

In recent years researchers have shown that thousands of industrial control systems are hooked up to the Internet with minimal or weak security (see “What Happened When One Man Pinged the Whole Internet”). Details have also emerged about the Stuxnet malware, which damaged equipment used in Iran’s nuclear program.

Urged on by governments, industrial companies have scrambled to improve the security of the computers that control their facilities, and the networks they are connected to. But Larsen, a researcher who works on industrial security at the company IOActive, says that many refineries and plants are still vulnerable. An attacker who evades the systems that detect and prevent digital incursions would most likely have free rein to tinker with the equipment inside, he says.

Working on behalf of industrial clients, Larsen has spent the last few years hacking into plants to show what an attackers might be able to do. He’s worked in the lab to cause what he calls “unexpected physics” inside pumps, pipes, boilers, and other equipment. So far he’s got a list of just over a dozen attacks, with names like “water hammer” and “bi-phase slug with piston effect,” that could cause significant damage and even kill people if a hacker set them in motion.

A water hammer, for example, involves setting up a flow of liquid and then suddenly closing a valve. When all the moving liquid is suddenly forced to stop, the inertia can cause pipes to blow out (it’s also why turning off a faucet can sometimes trigger thuds from a house’s plumbing). Larsen’s other attacks include tricks like causing chemical reactions to take place in pipes rather than in the reaction vessels designed to hold them. He can also use temperature and pressure changes to fire plugs of liquid at high velocity or crumple vessels like the one he planned to squish in Vegas.

Larsen is convinced that as things stand today, many critical facilities need better protection. They are engineered with safety in mind in case of accidents, but not in case of attacks over the Internet. But the good news is that defending them is not an impossible task. Accessing a plant over the Internet takes a long period of probing and experimental tinkering with its pumps and valves to understand how some unexpected physics might be set off, he says. That should provide plenty of opportunity to detect an intrusion. Adding extra release valves and other physical safety mechanisms on top of existing ones shouldn’t be prohibitively expensive, he adds.

Keep Reading

Most Popular

new GPT3 is a good student
new GPT3 is a good student

The new version of GPT-3 is much better behaved (and should be less toxic)

OpenAI has trained its flagship language model to follow instructions, making it spit out less unwanted text—but there's still a way to go.

conceptual illustration showing various women's faces being scanned
conceptual illustration showing various women's faces being scanned

A horrifying new AI app swaps women into porn videos with a click

Deepfake researchers have long feared the day this would arrive.

A view of clouds illuminated by sunlight
A view of clouds illuminated by sunlight

We can’t afford to stop solar geoengineering research

It is the wrong time to take this strategy for combating climate change off the table.

Death and Jeff Bezos
Death and Jeff Bezos

Meet Altos Labs, Silicon Valley’s latest wild bet on living forever

Funders of a deep-pocketed new "rejuvenation" startup are said to include Jeff Bezos and Yuri Milner.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.