Malware targeting industrial plants: a threat to physical security

We live in a world where more and more manufacturing processes are controlled by computers that send instructions to robots. This might sound like a safe and efficient way of work, as it rules out human error, but what happens when a threat actor decides to target production servers?

Consider these other process-killing scenarios: Would ransomware bring a plant to a grinding halt? Could a botnet take control of production processes and instruct robots to build something else entirely? Do emergency plans account for several systems being under attack at the same time?

Yet each of those scenarios only results in damage to a business' bottom line. What happens when those cyberthreats turn into potential for physical harm? In the manufacturing sector, there's an increased chance for malware to hurt not just our data and systems but our actual workforce.

How does the manufacturing industry feel about this?

In one of their remarks about the industrial sector, Deloitte stated in March 2019 that during security assessments, they often got the following responses:

  • Why would anyone want to hack us? It’s not like we are a nuclear plant.
  • Our operational systems are not connected to the Internet, so why worry?

It should be needless to say that security through obscurity is no longer a valid strategy, but I’ll gladly repeat it. Thankfully, Deloitte also recorded that the security of Operational Technology (OT) systems is starting to get some much-needed attention.

After all, an attack doesn’t have to be targeted to do a lot of damage. And threats can arrive over the internal network; they do not always depend on Internet access.

A recent example that must have scared some security officers of large industrial plants was a LockerGoga ransomware infection that slammed Norwegian aluminum manufacturer Norsk Hydro, forcing some of the company’s aluminum plants to switch to manual operations.

What are the immediate dangers?

If malware breaches a manufacturing organization and gains control of certain processes, there are some immediate threats to the physical security of those inside and around an industrial plant. They include:

  • Extreme heat. High temperatures can be a necessary condition for a production process or a by-product of a process. In both cases, the heat needs to be kept under control and contained to areas that are designed to withstand it. If the controls fail or the heat escapes from the designated part of the plant, extreme heat can cause fires, meltdowns, and severe injuries.
  • Radioactivity. While we are constantly reassured that nuclear power plants are safe and secure, tell that to the people who lived near Fukushima and Chernobyl. In June 2017, the Laka Foundation released a list with reports from almost 1,000 incidents and (near) accidents at nuclear power plants and other nuclear facilities. These reports have been gathered since 1990 by the International Atomic Energy Agency (IAEA).
  • Dangerous chemicals. Chemicals are used in many production processes and usually need to be applied in the exact right amount or ratio to work properly. Applying the wrong amount of one or the other component can lead to uncontrolled and uncontrollable reactions. The dangers usually associated with chemicals are explosion, flames, toxicity, acid, and corrosiveness. But one should also consider the danger of asphyxiation when the presence of another gas does not leave enough oxygen in the air. In addition, oxidizing chemicals can destroy other vital parts of the plant.

The above examples are only the most extreme dangers. If you want to get an idea of exactly how bad things can get, you can have a look at this article about an accident with hazardous chemicals that left a crater in China.

Internet connection

In the past, we have seen many mishaps due to legacy human control interfaces that were connected to the Internet. Whether this was by design or initiated by a bored operator doesn’t matter after the fact. But we should take the risks into account and try to rule them out.

To further complicate matters, the proliferation of Bring Your Own Device (BYOD) can no longer be ignored. Whether people use their own device to connect to the company network or not, their personal devices will be inside the building and could potentially be used as an entry point to gain access to other systems.

Another point of concern might be the use of connected devices under the Industrial Internet of Things (IIoT) for existing industrial control systems. IIoT is defined as a network of a multitude of industrial devices connected by communications technologies that results in systems that can monitor, collect, exchange, analyze, and deliver valuable new insights. That sounds like a juicy target for a threat actor who would love to profit from an organization, or simply just destroy the plant.

Other malware

The malware that is out to disrupt production does not have to be commercial (that is, financially motivated), like the ransomware example we mentioned above. There are many reasons to assume that malware designed to act in the same way as Stuxnet lies dormant in key plants and factories, waiting to be triggered in case of foreign attacks.

Malware of this type could have been hidden by a compromised delivery chain or by more common delivery methods. As long as the malware is not activated, it can stay under the radar for a long time. But cybercriminals will have made sure they can activate it at will.

The time is ripe

Now that we have seen a ransomware family that specifically targets industrial plants, the time seems appropriate to go over the possible scenarios that could play out if a threat actor cripples the automated controls of your plant or factory.

Having a backup system is a good start when a controller malfunctions, but when there is a large-scale attack on all your computers, the backup machine may be just as useless as the original. In every stage of the process where this can lead to a physically dangerous situation, there should be a fail-safe to shut down the plant to a state where no dangers can come into play.

Where possible, it might be easier or more prudent to create a manual override for the control of important processes, so that production does not have to come to a halt when the computer systems are no longer under proper control.
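The fail-safe and manual override described above, together with the physical hazards listed earlier (heat, chemical ratios, pressure), can be illustrated with a small simulation. The following is an added example, not code from the article or from any real controller vendor: an independent interlock that sits between the supervisory computer and the actuators, accepts only setpoints inside a fixed physical envelope, requires a fresh heartbeat from the supervisory system, and otherwise latches into a safe state that only a local manual reset can leave. Every limit, variable and actuator name is constructed for the illustration.

```python
"""Independent safety interlock for a simulated process controller.

Added example, not code from the article: a "last line of defence" that
validates every command from the supervisory computer against hard physical
limits. If a command is out of range, or the supervisory heartbeat goes
stale (the computer is down, or no longer trustworthy), the interlock drives
the process to a safe state and stays there until an operator resets it
locally. All limits, variable names and actuator names are constructed.
"""
from dataclasses import dataclass, field

# Constructed physical envelope: (minimum, maximum) per process variable.
ENVELOPE = {
    "temp_c": (20.0, 180.0),          # vessel temperature, degrees Celsius
    "reagent_a_ratio": (0.0, 0.40),   # fraction of reagent A in the feed
    "pressure_bar": (0.0, 6.0),       # vessel pressure, bar
}

# If the supervisory computer has not checked in for this long, stop
# following its commands rather than keep running on stale orders.
HEARTBEAT_TIMEOUT_S = 5.0

# Constructed actuator positions that bring the process to rest by itself.
SAFE_STATE = {"heater": "off", "feed_valve": "closed", "vent": "open", "alarm": "on"}
RUN_STATE = {"heater": "on", "feed_valve": "open", "vent": "closed", "alarm": "off"}


def check_setpoint(setpoint):
    """Return a list of violations for a setpoint dict; empty means acceptable."""
    problems = []
    for name, value in setpoint.items():
        if name not in ENVELOPE:
            problems.append(f"unknown variable {name!r}")
            continue
        # Reject non-numeric values and NaN (NaN compares unequal to itself).
        if not isinstance(value, (int, float)) or value != value:
            problems.append(f"{name} is not a number")
            continue
        low, high = ENVELOPE[name]
        if not low <= value <= high:
            problems.append(f"{name}={value} outside [{low}, {high}]")
    return problems


@dataclass
class Interlock:
    tripped: bool = False
    reason: str = ""
    accepted: dict = field(default_factory=dict)  # last setpoint allowed through

    def trip(self, reason):
        """Latch into the safe state and record why."""
        self.tripped = True
        self.reason = reason
        return dict(SAFE_STATE)

    def step(self, now, setpoint, last_heartbeat):
        """Evaluate one control cycle; return the actuator state to apply."""
        if self.tripped:
            return dict(SAFE_STATE)  # latched: ignore the supervisor until reset
        age = now - last_heartbeat
        if age > HEARTBEAT_TIMEOUT_S:
            return self.trip(f"supervisory heartbeat stale for {age:.1f}s")
        problems = check_setpoint(setpoint)
        if problems:
            return self.trip("; ".join(problems))
        self.accepted = dict(setpoint)
        return dict(RUN_STATE)

    def manual_reset(self):
        """Local operator reset; the next step re-validates before running."""
        self.tripped = False
        self.reason = ""


if __name__ == "__main__":
    il = Interlock()
    print(il.step(1.0, {"temp_c": 150.0, "reagent_a_ratio": 0.30}, 1.0))
    # A compromised supervisor commands a temperature the vessel cannot take.
    print(il.step(2.0, {"temp_c": 400.0, "reagent_a_ratio": 0.30}, 2.0), il.reason)
    # Even a sane follow-up command is ignored until someone resets locally.
    print(il.step(3.0, {"temp_c": 150.0}, 3.0))
```

The point of the design is that the interlock shares nothing with the supervisory computer except the one-way flow of setpoints and heartbeats, so an attacker who owns every computer on the network (the "backup machine is just as useless" case) still cannot push the process outside its envelope; the worst they can do is force a shutdown, which is the outcome the fail-safe is meant to guarantee.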

And the best option is to prevent malware from intruding and taking over your controllers in the first place. Implement a powerful cybersecurity solution that can block the latest threats and quickly remediate any that get through, and your plant has a much better shot at avoiding dangerous scenarios brought on by threat actors.

Even though there is no 100 percent guarantee of safety in cybersecurity, staying one step ahead of the criminals is the best chance you have at keeping these threats at bay.

Stay safe everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.