How to Damage a Chemical Plant over the Internet

Jason Larsen must be the only person trailing two waist-high metal drums connected with pipes around the conference rooms of Las Vegas casinos this week. He brought them to the Black Hat computer security conference Thursday. And at the Defcon hacking conference on Friday he planned to make one abruptly crumple like a giant beer can crushed by an invisible hand.

The loud demonstration is intended to underscore how vulnerable the guts of facilities like chemical plants or oil refineries are to expensive and life-threatening damage triggered over the Internet.

In recent years researchers have shown that thousands of industrial control systems are hooked up to the Internet with minimal or weak security (see “What Happened When One Man Pinged the Whole Internet”). Details have also emerged about the Stuxnet malware, which damaged equipment used in Iran’s nuclear program.

Urged on by governments, industrial companies have scrambled to improve the security of the computers that control their facilities, and the networks they are connected to. But Larsen, a researcher who works on industrial security at the company IOActive, says that many refineries and plants are still vulnerable. An attacker who evades the systems that detect and prevent digital incursions would most likely have free rein to tinker with the equipment inside, he says.

Working on behalf of industrial clients, Larsen has spent the last few years hacking into plants to show what an attackers might be able to do. He’s worked in the lab to cause what he calls “unexpected physics” inside pumps, pipes, boilers, and other equipment. So far he’s got a list of just over a dozen attacks, with names like “water hammer” and “bi-phase slug with piston effect,” that could cause significant damage and even kill people if a hacker set them in motion.

A water hammer, for example, involves setting up a flow of liquid and then suddenly closing a valve. When all the moving liquid is suddenly forced to stop, the inertia can cause pipes to blow out (it’s also why turning off a faucet can sometimes trigger thuds from a house’s plumbing). Larsen’s other attacks include tricks like causing chemical reactions to take place in pipes rather than in the reaction vessels designed to hold them. He can also use temperature and pressure changes to fire plugs of liquid at high velocity or crumple vessels like the one he planned to squish in Vegas.

Larsen is convinced that as things stand today, many critical facilities need better protection. They are engineered with safety in mind in case of accidents, but not in case of attacks over the Internet. But the good news is that defending them is not an impossible task. Accessing a plant over the Internet takes a long period of probing and experimental tinkering with its pumps and valves to understand how some unexpected physics might be set off, he says. That should provide plenty of opportunity to detect an intrusion. Adding extra release valves and other physical safety mechanisms on top of existing ones shouldn’t be prohibitively expensive, he adds.