Contact a Yokogawa Expert to learn how we can help you solve your challenges.
By Jeff Melrose, Principal Technology Strategist for Cyber Security, Yokogawa Corporation of America
During a night bombing raid in the summer of 1940, a German Luftwaffe Junker Ju88 bomber seeks its way to a target over a blacked-out British landscape. The navigator doesn’t rely on the stars to guide the plane but instead follows a radio beam transmitted from occupied France. When the plane reaches its target, he will hear another signal from a second beam transmitted on a different vector. The point of intersection is where the bombs are released. The navigator doesn’t realize it but the second signal he receives is a hack coming from a British transmitter. He releases the bomb load too early; the payload falls harmlessly in the countryside.
Any student of World War II history knows the Battle of Britain was a months-long air engagement. A less-well-known element was the “Battle of the Beams,” where British intelligence sought to disrupt the radio navigational systems used to guide German bombers. Throughout the campaign, the sophistication on both sides ratcheted up as improvements in guidance systems were matched with new countermeasures. Radio was a very effective way to lead aircraft to targets but could be jammed or spoofed, deliberately sending navigators on a bogus course or simply rendering radio systems useless. Electronic warfare quickly became its own front in the larger conflict of World War II.
This “History Channel” moment has lessons for us today. The situation is not as dramatic but a similar war is being waged now. Wireless networks deployed in chemical manufacturing facilities are growing in size and sophistication. Most plants now have Wi-Fi networks, either set up specifically to cover the plant or spilling over from office locations. Networks for wireless field devices are user friendly and can extend sensing into difficult applications with lower costs.
Figure 1. Harbor Havoc: A military training exercise inadvertently disrupted wireless communications in a wide area around San Diego harbor.
These networks all offer security mechanisms using encryption and protected access management. When applied well, such safeguards are very effective, with the most sophisticated versions virtually impossible to break. Their potential downfall is dependence on an inherently insecure medium: radio.
Some of the most spectacular incidents disrupting wireless communication involved military-grade equipment. Consider these examples:
San Diego, 2007 — In January of that year, global positioning system (GPS) and other wireless services were significantly disrupted throughout San Diego harbor (Figure 1). Naval Medical Center emergency pagers stopped working, the harbor traffic-management system used for guiding ships failed, and airport traffic control had to switch to backup systems to maintain air traffic flow. Even cell phone users found they had no signal, and bank customers couldn’t withdraw cash from automated teller machines. It took three days but investigators finally found an explanation for this mysterious event: two Navy ships in the harbor had been conducting a training exercise where technicians jammed radio signals. Unwittingly, they also blocked GPS signals and much of the wireless communication across a broad swath of the city.
San Diego, 1999 — A U.S. Navy radar test in the harbor created electromagnetic interference that affected 928.5-MHz wireless communication from supervisory control and data acquisition (SCADA) systems of the San Diego Water Authority and San Diego Gas and Electric. The companies lost the ability to control valves connected to the system.
Den Helder, The Netherlands, late 1980s — A 36-in. valve in a gas-pipeline control system, located near a naval base, opened and closed at the same frequency as the scanning of an L-band radar system in the harbor; shock waves induced by the rapid valve movements caused the pipeline to rupture.
These problems were unintentional and involved high-powered systems. They also disrupted wide geographical areas by projecting problems over significant distances. For a criminal with more modest intentions, other approaches are far less expensive and much easier to implement.
An individual or group wanting to engage in cyber crime has a wide variety of weapons available within the huge world of consumer electronics. Technologies once reserved for the military now are easy to purchase and inexpensive. Some can be used to attack wireless networks. If the objective is disrupting a single plant, a weapon with the power of a naval radar system isn’t necessary. Consider this example:
Newark, N.J., 2013 — The U.S. Federal Communications Commission (FCC) fined a Readington, N.J., man nearly $32,000 after it traced a problem with Newark Liberty International Airport’s satellite-based tracking system to his truck. The man had purchased an illegal GPS jamming device for about $100 and installed it in his company-owned pickup truck so his boss couldn’t monitor his movements. Unfortunately, he was working near the airport and the device disrupted the ground-based augmentation system (GBAS) that uses GPS signals to monitor the locations of aircraft in and near the airport. The Federal Aviation Administration enlisted help from the FCC; investigators traced the jamming signals to the truck. When the device was turned off, the problem stopped.
This was a deliberate act but with unanticipated consequences. The GBAS manufacturer now has modified its system to decrease sensitivity to this type of jamming, even though these types of jamming devices are illegal.
Cyber criminals have been known to study accidents and safety incidents in search of ideas. If a control system malfunctions and something blows up, a hacker can examine the chain of events and look for a way to make the same thing happen deliberately. While the Newark airport problems were unintended, how hard would it be to do the same thing or something similar on purpose?
Most chemical plants don’t directly depend on GPS technology except in cases of remote time synchronization. However, the same concepts can apply to other wireless systems. Wi-Fi networks have become common at plants because of their many uses (Figure 2). For instance, they enable a technician to access plant systems from any location in the facility, a huge advantage when troubleshooting problems. Some individual field devices or clusters of devices send their information to the control system via wireless networks.
Figure 2. Plant Vulnerability: As wireless devices such as this router and instruments proliferate at facilities, the impact of signal disruption becomes more worrisome.
The variety and application of sensors designed as native wireless devices continues to grow. If radio communication is disrupted, operators lose their view of these sensors. Some facilities even use wireless devices in real-time control applications, where a loss of signals potentially could wreak havoc. The greater the number of ways in which wireless networks serve a plant, the greater the ensuing disruption if electronic warfare — or even unintentional accidents — halt these communications.
Wireless networks operating in industrial facilities communicate at specific frequencies. Wi-Fi and the 802.15.4 radios common to WirelessHART and ISA100.11a networks all work within very tight frequency ranges. Users must consider some strategic questions:
• What kind of device might be able to disrupt communication within these bands?
• How difficult is it to buy or make such a device?
• What is its range?
• Must the device be within the plant for maximum effectiveness?
• How can we protect our wireless systems from these disruptions?
Some of the hottest toys of the last year or two have been radio-controlled drones (Figure 3). These small battery-powered quad- and hex-copters are easy to fly and can do interesting things. Many are no more than toys but some larger and more-sophisticated models can carry quite a payload over significant distances. Amazon has been experimenting with using them to deliver small packages; their ability to carry video cameras has made drones the topic of many privacy discussions. Legal issues related to where and how they can be used still are being formed but such details won’t deter criminals.
Plant owners should be concerned about their proliferation. Drones can function as “spy satellites,” flying over an operating plant to gather information. A sophisticated unit in the hands of a skilled operator could be used to photograph sensitive areas within a facility.
Figure 3. Airborne Threat: Drones now are easy to obtain and come in amazingly sophisticated versions; they are inexpensive enough to be expendable when used as weapons.
A drone also could deliver a payload. For instance, a drone is an excellent platform to deploy a jamming device. To be effective, the device must be within a certain distance of its target; the power of its transmission increases the nearer it gets (see Distance Matters). If a plant’s fencing and other physical security measures prevent the jamming device from being close enough, the attacker could use a drone to deliver the nefarious payload, dropping it at the point where it can have best access and, thus, inflict the greatest damage. When investigators determine what has happened, the attacker can position a new device in a different location. This cat-and-mouse game can continue until the drone is captured or disabled.
Most plants provide some built-in defenses against drones. The complex radio-frequency environment around most facilities creates reflections and interference that can make a drone difficult to control (Figure 4).
Other far-less-sophisticated forms of electronic attack also can be very effective; for instance, placing a metallic object or shield to prevent wireless network transmission from a critical field sensor or even deploying an infected USB thumb drive.
A facility can use available legal procedures to create a no-fly zone in its immediate vicinity. Chemical plants can cite critical processes and potential dangers caused by aerial invaders. Of course, a criminal might ignore such restrictions, so a more direct approach may be necessary.
Jammers capable of disrupting the control telemetry between a drone and its controller are available but also are illegal. Still, it doesn’t hurt to know the frequencies involved.
Radio-controlled devices have been available for a long time and have operated at a variety of frequencies over the decades as technologies have improved. In the U.S., old equipment may work at 72 MHz or 900–915 MHz. Most current designs operate at 2.4 GHz for controlling a device, with 1.3 or 5.8 GHz used for transmitting video.
These frequencies are close to those used for other wireless communication, so in areas with much activity, interference can be a problem; trying to jam the control frequency can affect a plant’s equipment in undesired ways.
Drones can be detected when they violate a facility’s airspace. Monitoring their presence and tracking their activity is different than jamming. Because most control is relatively short range, it might be possible to determine the location of the individual operating the drone. Commercially available detection systems employ a variety of techniques. Some spot drones with radar while others detect and identify their radio control signals. Other systems listen for their characteristic sounds or locate them optically. Different designs and situations call for different techniques.
Military agencies have more options available. Some anti-drone countermeasures use radio-frequency anti-aircraft, a jamming mechanism that sends a very narrow but powerful pulse capable of disrupting communications.
Like the Battle of the Beams in 1940, process manufacturers are engaged in electronic warfare; this conflict is constantly changing and escalating. Criminals may attack using conventional hacking methods through the Internet or other means. Those vectors are understood and suitable defensive strategies exist. New approaches with drones and other mechanisms to disrupt networks have opened new fronts, which also must be defended.
Figure 4. Built-in Defense: Tall vessels and large structural components at plants create radio-frequency reflections and interference that can make a drone difficult to control.
Chemical makers have the unavoidable disadvantage of not knowing the direction from which an attack may come. So, a company designing a defensive strategy must characterize the risk potential and act accordingly. A plant with few wireless networks carrying little critical data has a low risk profile for this type of attack and, thus, can deal with the danger differently than one with large wireless deployments critical to plant operation.
Regardless of the specific situation, every chemical manufacturer must accept the new reality and realize that traditional perimeter defenses such as fences and guardhouses no longer may suffice.
Perhaps you recall the following equation from college physics:
$$S = \frac{P_t}{4\pi d^2}$$
where $S$ is the power per unit area, or power spatial density, in W/m², at distance $d$ in meters, and $P_t$ is the equivalent isotropically radiated power in W. This is not a frequency-dependent effect.
The equation makes a critical point about radio propagation and signal strength: distance is a factor. The closer a jammer can get to the target network, the more effective the jamming becomes — hence the desire to use a drone to move the jammer close to the target.
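To characterize that risk for a specific site, the same equation can rank wireless links by how little margin they keep against an interfering source at the fence line. The following is an added example, not part of the original article; the site coordinates, transmit powers and the interferer planning value are all constructed, and the model is free space only (no reflections, antenna patterns or receiver processing gain).

```python
import math

def power_density(eirp_w, distance_m):
    """Free-space power density S = Pt / (4*pi*d^2), in W/m^2."""
    if eirp_w <= 0 or distance_m <= 0:
        raise ValueError("EIRP and distance must be positive")
    return eirp_w / (4 * math.pi * distance_m ** 2)

def margin_db(link, fence_points, interferer_eirp_w):
    """Wanted-to-interfering power density at the link's receiver, in dB.

    Worst case assumed: the interfering source sits at the fence point
    nearest the receiver. Returns (fence distance in m, margin in dB).
    """
    d_link = math.dist(link["tx"], link["rx"])
    d_fence = min(math.dist(p, link["rx"]) for p in fence_points)
    wanted = power_density(link["eirp_w"], d_link)
    unwanted = power_density(interferer_eirp_w, d_fence)
    return d_fence, 10 * math.log10(wanted / unwanted)

def rank_links(links, fence_points, interferer_eirp_w):
    """Return (name, fence distance m, margin dB), most exposed link first."""
    rows = []
    for link in links:
        d_fence, m = margin_db(link, fence_points, interferer_eirp_w)
        rows.append((link["name"], round(d_fence, 1), round(m, 1)))
    return sorted(rows, key=lambda r: r[2])

# Constructed site layout, coordinates in metres (hypothetical names and values).
LINKS = [
    {"name": "flare-temp", "tx": (0, 0), "rx": (30, 40), "eirp_w": 0.01},
    {"name": "tank-farm-level", "tx": (0, 0), "rx": (100, 0), "eirp_w": 0.01},
]
FENCE = [(150, 0), (0, 200)]   # sampled points along the perimeter
INTERFERER_EIRP_W = 1.0        # assumed planning value, not a measured device

if __name__ == "__main__":
    for name, d_fence, m in rank_links(LINKS, FENCE, INTERFERER_EIRP_W):
        print(f"{name:16s} nearest fence {d_fence:6.1f} m  margin {m:6.1f} dB")
```

Links with the most negative margin are the ones to consider for relocation, wired backup or closer monitoring, since a fence alone does not keep an interfering source far enough away.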
At the same time, the ability to control a drone diminishes the farther it is from its controller. Control signals are line-of-sight and strength falls off quickly when obstructions are placed in their path. A drone operator trying to fly into a typical chemical plant could quickly lose control if a distillation tower or a support structure gets between the device and operator. Trying to fly in too close could easily result in a drone-down situation. However, if the objective is delivering a payload, sacrificing a drone might not be a concern.