Contact Us |
Info for students | Our Courses | About Us  
 
The Cyber Sabotage Case

This case study is a simplified version of a case successfully investigated by the Computer Emergency Response Team of Asian School of Cyber Laws.

The names of people, Case Numbers, email IDs and IP addresses etc have been changed in order to protect the privacy of the individuals concerned. All names, case numbers, IP addresses, email IDs are fictitious and any resemblance to any person living or dead or any organization is purely coincidental.

Note: Neither this case study nor any part thereof may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from Asian School of Cyber Laws.

  1. MegaOil Corporation is one of the world’s largest oil companies. It has been using Distributed Control Systems (DCS) since the mid 1970s as the means for monitoring, and automatically controlling its industrial processes.

  2. In the early years, the architecture of its DCS consisted of a set of distributed computer units that were interfaced with the field-based process equipment and which communicated with plant operators, at computer workstations, via a high-speed local area network.

  3. The only “external” connections were the local-area network circuits that were run around the plant and used to communicate between and among the process controllers and the operator workstations.

  4. The communications technologies used for this local area networking were vendor proprietary. Communications over these circuits was managed using specialized, proprietary, vendor-specific, communication protocols. These protocols included basic error detection and correction capabilities, but nothing that guaranteed “secure” communications.

  5. Over time, the need for higher performance, plus the cost of supporting proprietary hardware and software, forced MegaOil Corporation to procure a DCS that adopted vendor neutral technologies.

  6. Since the DCS systems collected a lot of data and generated a lot of reports, MegaOil decided that the DCS systems would be connected to the business systems for an automatic exchange of this data using the TCP/IP networking and standardized IP applications like “FTP”.

  7. The Board of Directors was apprehensive that cyber terrorists would launch a cyber attack on their systems and this could cripple the company. To periodically ascertain the security of the systems, they approved a regular penetration test on the DCS.

  8. ClubHack Technologies Pvt Ltd, a subsidiary of Asian School of Cyber Laws was contracted to launch ethical hacking attacks on the DCS. The reports submitted by ClubHack subsequent to the attacks were used to bolster the security systems.

  9. The most recent penetration test proved that someone with a laptop computer running IP packet capture/generation software and a compatible Ethernet NIC could connect to the plant LAN and send out control commands that would be accepted by the process control computers as coming from the operator workstations.

    This attack totally bypassed the operator access mechanisms and went directly to the computer equipment where control and monitoring is actually being performed.

    The report prepared by ClubHack also said that:

    “A similar attack could be made by connecting directly to the “console/diagnostic” port of the process control computer.

    This would require physical access to the controller unit and knowledge of the vendors diagnostic tools. DCS systems, by their nature, support the downloading of control logic into the process control computers via the LAN.

    This opens up the possibility of a terrorist “reprogramming” a process controller via this same mechanism. But, in reality, to accomplish any of these attacks this would require exact and detailed knowledge of the DCS system software, data structures and the site-specific configuration information”.

  10. Alarmed by the findings of this report, the Board of Directors ordered a complete revamp of the DCS systems. A competent team of MegaOil employees worked for 6 months to complete the system revamp. The system revamp was concluded on 10th October, 2003.

  11. On 13th November, 2003 a major explosion took place at MegaOil. 18 people were seriously injured and the company lost crores of rupees worth of machinery and stock.

  12. A full scale investigation was launched into the issue. The report of the internal investigation carried out by MegaOil was as under:

    1. The explosion took place because the temperature in chamber 1104 had risen to 128 degrees Celsius.

    2. The DCS Control Manager is the software application that controls several parts of the MegaOil plant including chamber 1104. The DCS Control Manager was programmed to read the following files to ascertain the levels at which warnings need to be sent to the Plant Managers:

      File Name: temp.megaoil

      This is a file containing two numbers (default value is 70:110). The system treats the numbers as the temperature values in degrees Celsius.

      If the temperature in any chamber exceeds the first number (70 degrees Celsius) the system generates a warning to the operators to take definitive action.

      If the temperature in any chamber exceeds the second number (110 degrees Celsius) the system automatically shuts down all processes in that chamber so as to bring the temperature down to an acceptable level.

      File Name: press.megaoil

      This is a file containing two numbers (default value is 0.75:0.92). The system treats the numbers as the pressure values in mega pascal.

      If the pressure in any chamber exceeds the first number (0.75 mega pascal) the system generates a warning to the operators to take definitive action.

      If the pressure in any chamber exceeds the second number (0.92 mega pascal) the system automatically shuts down all processes in that chamber so as to bring the pressure down to an acceptable level.

  13. Subsequent to the explosions, these files were examined and found to be unchanged. Despite this the system had not generated any warnings or initiated any automatic shutdown.

  14. Kindly investigate the matter and submit a detailed investigation report to info@asclmail.com

  15. Ensure that you comply with the requirements of the Assignment Submission Guidelines
 


  Press Room | Information Security | Info for students | Our Courses | About Us | Contact Us
  © 2005 Asian School of Cyber Laws. All rights reserved.
  Reprint Permission | Privacy Policy | Disclaimer