SCADA Hacking

Michael Toecker started an interesting, if slightly disingenuous, thread on He asks for approaches to the following problem:

You’ve been experiencing periodic failures of equipment that is important in the reliable and successful completion of your process/product. You’ve traced the failures down to 3 or 4 components that seem to be failing on the equipment on a pretty regular basis. … <explanation of what he has tried> … Management is breathing down your neck, these component failures that can’t be attributed to anything you can detect, observe, or theorize on your own are costing your company millions in lost product and busted equipment each month it goes on.

Four people bite on this before James Ingraham figures out that Michael is using the question to make a point that a Stuxnet-like compromise could be responsible. This would especially be true if the data from the PLC’s you are relying on was in fact false data provided by the compromised PLC in a man-in-the-middle attack.

Perhaps the created question was based on a Wired article with this tidbit from IAEA information on Natanz centrifuge failures.

Normally Iran replaced up to 10 percent of its centrifuges a year, due to material defects and other issues. With about 8,700 centrifuges installed at Natanz at the time, it would have been normal to decommission about 800 over the course of the year.

But when the IAEA later reviewed footage from surveillance cameras …  The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months.

So the Iranian engineers had to be working furiously trying to find out the cause, and the likely physical cause of the failure would not have been identified due to false, Stuxnet-inserted data.

The question is how seriously should a successful cyber attack be considered in troubleshooting a tough problem today? It is all based on your analysis of threat. How likely is an attacker to want to compromise your control system and process? The more critical the process, the more weight should be given to a cyber attack as the cause. It is still not even close to the most likely cause, but at some point owner/operators should be looking at the integrity of the information received and the correct action for given commands.

Image by Eric Kilby