Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

How to Damage a Chemical Plant over the Internet

A security researcher has worked out more than a dozen ways to remotely wreck the guts of industrial facilities.

Evidence continues to grow that many important industrial facilities are open to attacks over the Internet.

Jason Larsen must be the only person trailing two waist-high metal drums connected with pipes around the conference rooms of Las Vegas casinos this week. He brought them to the Black Hat computer security conference Thursday. And at the Defcon hacking conference on Friday he planned to make one abruptly crumple like a giant beer can crushed by an invisible hand.

The loud demonstration is intended to underscore how vulnerable the guts of facilities like chemical plants or oil refineries are to expensive and life-threatening damage triggered over the Internet.

In recent years researchers have shown that thousands of industrial control systems are hooked up to the Internet with minimal or weak security (see “What Happened When One Man Pinged the Whole Internet”). Details have also emerged about the Stuxnet malware, which damaged equipment used in Iran’s nuclear program.

Urged on by governments, industrial companies have scrambled to improve the security of the computers that control their facilities, and the networks they are connected to. But Larsen, a researcher who works on industrial security at the company IOActive, says that many refineries and plants are still vulnerable. An attacker who evades the systems that detect and prevent digital incursions would most likely have free rein to tinker with the equipment inside, he says.

Working on behalf of industrial clients, Larsen has spent the last few years hacking into plants to show what an attackers might be able to do. He’s worked in the lab to cause what he calls “unexpected physics” inside pumps, pipes, boilers, and other equipment. So far he’s got a list of just over a dozen attacks, with names like “water hammer” and “bi-phase slug with piston effect,” that could cause significant damage and even kill people if a hacker set them in motion.

A water hammer, for example, involves setting up a flow of liquid and then suddenly closing a valve. When all the moving liquid is suddenly forced to stop, the inertia can cause pipes to blow out (it’s also why turning off a faucet can sometimes trigger thuds from a house’s plumbing). Larsen’s other attacks include tricks like causing chemical reactions to take place in pipes rather than in the reaction vessels designed to hold them. He can also use temperature and pressure changes to fire plugs of liquid at high velocity or crumple vessels like the one he planned to squish in Vegas.

Larsen is convinced that as things stand today, many critical facilities need better protection. They are engineered with safety in mind in case of accidents, but not in case of attacks over the Internet. But the good news is that defending them is not an impossible task. Accessing a plant over the Internet takes a long period of probing and experimental tinkering with its pumps and valves to understand how some unexpected physics might be set off, he says. That should provide plenty of opportunity to detect an intrusion. Adding extra release valves and other physical safety mechanisms on top of existing ones shouldn’t be prohibitively expensive, he adds.

Keep up with the latest in cyber security at EmTech Digital.
Don't be left behind.

March 25-26, 2019
San Francisco, CA

Register now
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.