Analysis of Cybersecurity Risks for Proposed Remote CISTAR

Analysis of Cybersecurity Risks for Proposed Remote CISTAR Facilities Abhijit Talpade1, Suddhadeep Sarkar1, H. M. Leith2, Alexis de Alvarez2, Colin Armstrong2, David Moore2, Fabio H. Ribeiro1 and Ray A. Mentzer1,3 1 Charles D. Davidson School of Chemical Engineering, Purdue University 2 AcuTech Consulting Group 3 Purdue Process Safety Assurance Center (P2SAC), Purdue University May 14, 2021

Presentation Outline Purpose of this study Overall cyber-threat analysis for CISTAR process Overview of CISTAR process (with assumed controls) Cyber-enhanced HAZOP study Critical component analysis Overall threat statement Summary, Impacts and Future work 2

Purpose of this Study – ICS vulnerability Goal of CISTAR: Design local, modular and highly networked light hydrocarbon processing facilities, operating remotely Remote operations involve the use of Industrial Control Systems (ICS) to enable control over the operations ICS components could be subject to attack by a variety of threat vectors: Cyber, Sabotage, Disgruntled Employee, Terrorism, Vandalism, Theft1 3 1 Moreno et al., Process Saf. Environ. Prot. 2018, 116, 621-631

Purpose of this Study – Increase in Cyber Threat Recent data on industrial cyberattacks indicate an increase in targeted attacks on the energy sector Kaspersky Lab ICS CERT report suggests 38% of computers cyberattacked in 2019 were in the Oil & Gas sector1 A March 2018 survey by Siemens and the Ponemon Institute noted that 50% of all cyber attacks in the Middle East target the oil and gas sector2 Research from Hornet Security, a German cloud security provider, identifies energy as the number one target for cyberattacks in 2019, 16% of all attacks worldwide3 The number of known attack groups targeting the energy sector increased from 87 in 2015 to 155 in 20194 CERT – Cyber Emergency Response Team Threat Landscape for Industrial Automation Systems in H1 2020 Kaspersky Lab ICS CERT 2019 https://www.siemens.com/mea/en/home/company/topic-areas/digitalization/cybersecurity.html 3 https://energymonitor.ai/technology/digitalisation/cybersecurity-threats-escalate-in-the-energy-sector 4 ISTR 2019: Targeted Attack Groups Increase Despite Growing Risk of Exposure, Symantec 2019 1 2 4

Purpose of this Study – Learning Colonial Pipeline AttackPast (2021) from Incidents 1 On May 7, 2021, hackers attacked the Colonial pipeline holding them at ransomware. This forced the pipeline operators to close down operations and freeze the IT systems. Colonial pipeline provides roughly 45% of the fuel supplies (gasoline, diesel, jet fuel, etc.) for the East Coast. Expected rise in the gasoline prices because of this incident. 5 1 Osborne, C., https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/

Purpose of this Study – Learning Colonial Pipeline AttackPast (2021) Electronic customer communications from Incidents attack (2018) 1 On May 7, 2021, hackers attacked the Colonial pipeline holding them at ransomware. This forced the pipeline operators to close down operations and freeze the IT systems. Colonial pipeline provides roughly 45% of the fuel supplies (gasoline, diesel, jet fuel, etc.) for the East Coast. Expected rise in the gasoline prices because of this incident. Triton (2017)3 Triton was a malware used against a petrochemical plant in Saudi Arabia. It allowed the hackers to take over the plant's safety systems remotely, though a flaw in the code allowed the plant to respond before any damage occurred. 2 In April 2018, a cyber attack targeted the electronic customer communications systems at four natural gas pipeline companies, leading to service disruptions and possible economic and data losses1 Turkish Pipeline Incident (2008)3 In 2008, hackers blew up a section of a Turkish oil pipeline. The control room console indicated normal operation, before a phone call from the field caused the console operator to trigger the alarm. The attackers manipulated not just the DCS parameters but also the CCTV feed to the control room, covering up the actual situation at the site. DCS – Distributed Control System SIS – Safety Instrumented System Such incidents demonstrate the importance of designing cyber safe CISTAR facilities Osborne, C., https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/ Malik et al., https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-datasystem-shuts 3 Hemsley, K. E.; Fisher, R. E. History of Industrial Control System Cyber Incidents; 2018 1 2 6

Cyberattack Threat Statement Methodology Steps for development of an overall cyberattack threat statement: Conduct a cyber-enhanced HAZOP analysis for all equipment associated with the CISTAR process Identify the critical components in the process (high potential cyber risk rating with catastrophic consequences employing safeguards with 1-way/2-way communication for control) Study previous incidents on these critical components (to guide the future process designers on the cyber threats associated with these components) Generate an overall cyberattack threat statement for the CISTAR process (study of the threat history, current cyberattack capabilities, possible motivation/intent behind the attacks and the potential actions from these attacks to decide on a cyber threat rating) 7

Cyberattack Threat Statement Methodology Steps for development of an overall cyberattack threat statement: Conduct a cyber-enhanced HAZOP analysis for all equipment associated with the CISTAR process Identify the critical components in the process (high potential cyber risk rating with catastrophic consequences employing safeguards with 1-way/2-way communication for control) Study previous incidents on these critical components (to guide the future process designers on the cyber threats associated with these components) Generate an overall cyberattack threat statement for the CISTAR process (study of the threat history, current cyberattack capabilities, possible motivation/intent behind the attacks and the potential actions from these attacks to decide on a cyber threat rating) 8

HAZOP Analysis of CISTAR Process – Shale gas Process withdrawn from theSchematic wellheads undergoes a series of separation, acid gas removal and dehydration steps Dry and sweet shale gas proceeds to the CISTAR complex starting with NGL activation Wellheads and the upstream facilities are assumed to be controlled independently 9

HAZOP Analysis of CISTAR Process – The CISTARProcess facilities are assumed to be controlled by a separate Schematic control room The focus of this study will be on the CISTAR facilities and its associated control room 10

HAZOP Analysis on CISTAR Process CISTAR Process:Assumed Controls Dehydrogenation – Oligomerization – Liquid Hydrocarbon Recovery Assumed controls/control strategy: Shale gas flow control only at the inlet to the process (inlet to EXP-1) Fuel gas flow control to the fired heater connected to the thermal dehydrogenation reactor (TD-R) to control the temperature of the reactor The exit temperature of the oligomerization reactors (OLI-Rs) controlled by the heat exchanger upstream of the reactor (HXINT-1, H1, H2) Liquid level control for the day tank (TANK-1) by controlling the inlet flow to the tank DOL Process with assumed controls 11 Zewei, C.; Li, Y.; Rodriguez Gil, E. A.; Sawyer, G.; Agrawal, R. Paradigm Shift of Process Hierarchy: A Transformative Intensification Strategy for Small Scale Natural Gas Liquid to Liquid Fuel Process; 2021.

Cyber-enhanced HAZOP Analysis Term Terms and Definitions Description Potential Cyber Interface Operational Deviations (Parameter Deviations) Possible Cause Failure Scenarios Possible Incident Consequence Potential Cyber Risk Rating (Unmitigated) Potential Safeguards 12 Operational parameters/interface (at the control room) for the equipment vulnerable to cyber attacks Process parameters that have deviated from the set point (temperature, pressure, etc.) The possible equipment or instrumentation cause for the deviation (Assumed that all equipment has inlet / outlet block valves to isolate for maintenance, and these are manually operated) Scenario description causing the deviation or incident to occur Major incidents caused by the deviation (for example, rupture, loss of containment, fire, explosion) Consequences (damages/operational issues) caused by the incident Potential risk level to the safe operation if cyber attack occurs (without any safeguards in place) Suggested instrumented/mechanical/procedural safeguards to protect the equipment/system from the described scenario. To be effective, safeguards must not be cyber vulnerable. (Note: Instrumented safeguards implementing two-way remote communications could pose additional threats)

Cyber-enhanced HAZOP Analysis – Example 1 Analysis on Expander EXP-1 13 Potential Cyber Interface Shale Gas Inlet Flow Operational Deviations High Pressure Possible Causes Upstream flow variation or Expander Impeller Failure Failure Scenarios Higher pressure downstream of the expander Possible Incident No Consequence Operational Issues in the TD-R Potential Cyber Risk Rating (Unmitigated) Low Potential Safeguards High pressure shutdown interlock (Instrumented) (Twoway communication)

Cyber-enhanced HAZOP Analysis – Example 2 Analysis on Oligomerization Reactors, OLI-R-1, OLI-R-2, OLI-R-3 14 Potential Cyber Interface Reactor furnace control Operational Deviations High temperature Possible Causes Irregular reactor furnace operation Failure Scenarios High temperature within the reactor leading to potential runaway conditions Possible Incident Loss of containment, fire, explosion in the reactor Consequence Potential runaway conditions Potential Cyber Risk Rating (Unmitigated) High Potential Safeguards High temperature alarm and shutdown interlock (Instrumented) (Two-way communication)

Cyberattack Threat Statement Methodology Steps for development of an overall cyberattack threat statement: Conduct a cyber-enhanced HAZOP analysis for all equipment associated with the CISTAR process Identify the critical components in the process (high potential cyber risk rating with catastrophic consequences employing safeguards with 1-way/2-way communication for control) Study previous incidents on these critical components (to guide the future process designers on the cyber threats associated with these components) Generate an overall cyberattack threat statement for the CISTAR process (study of the threat history, current cyberattack capabilities, possible motivation/intent behind the attacks and the potential actions from these attacks to decide on a cyber threat rating) 15

Identification of Critical Three components identified to be critical for the CISTAR process Components Potential Cyber Interface Pressure Indicator at Thermal TD-R, temperature Dehydrogenation indicator at TD-R, fuel Reactor (TD-R) gas inlet flow control valve Equipment Oligomerization Temperature sensor Reactors (OLI-Rat OLI-R outlet, fan 1, OLI-R-2, OLIRPM control R-3) Product Storage Liquid level sensor, Tank (TANK – 1) flow control valve 16 2-way Instrumented Safeguards High pressure alarm with heater shutdown, High temperature alarm with heater shutdown Consequences Explosion, fire due to loss of firebox High temperature indicator with alarm and interlock Loss of containment, fire, explosion due to potential reaction runaway Liquid level indicator with alarm and flow control Explosion, loss of containment, fire due to tank overfill and release of light hydrocarbon liquid Critical components: high potential cyber risk rating with catastrophic consequences employing safeguards with 1-way/2-way communication for

Cyberattack Threat Statement Methodology Steps for development of an overall cyberattack threat statement: Conduct a cyber-enhanced HAZOP analysis for all equipment associated with the CISTAR process Identify the critical components in the process (high potential cyber risk rating with catastrophic consequences employing safeguards with 1-way/2-way communication for control) Study previous incidents on these critical components (to guide the future process designers on the cyber threats associated with these components) Generate an overall cyberattack threat statement for the CISTAR process (study of the threat history, current cyberattack capabilities, possible motivation/intent behind the attacks and the potential actions from these attacks to decide on a cyber threat rating) 17

Critical Component Incident Studying previous cyberHistory incidents for the three critical components Incident Florida water treatment facility1 Maroochy water services breach2 Industrial heating system attack3 German Steel Mill Attack2 Triton attack (malware targeted for Triconex safety controller)4 Turkish oil pipeline5 Triton, which was named for the Triconex safety controller model that it targeted, malware attack against a petrochemical plant in Saudi Arabia. The malware allowed the hackers to take over the plant's safety systems remotely, though a flaw in the code allowed the plant to respond before any damage occurred. Hackers manipulated the operating parameters, as well as prevented the pressure alarm from going off. Henriquez, M. https://www.securitymagazine.com/articles/94552-hacker-breaks-into-florida-water-treatment-facility-changes-chemicallevels 2 Hemsley and Fisher, History of Industrial Control System Cyber Incidents 2018 3 Goodin, D. https://arstechnica.com/information-technology/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/ 4 Giles, M. https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructure-triton-malware 5 Bogle, A. https://slate.com/technology/2014/12/bloomberg-reports-a-cyber-attack-may-have-made-a-turkish-oil-pipeline-catch1 18 Short Description Flow controller The computer system was compromised and used to send instructions to the ICS, changing NaOH levels. Disgruntled employee used proprietary equipment to mimic a field controller and send malicious commands to other controllers over radio and compromising the system. Temperature controller Heating and fire detection system was compromised as the control box was directly connected to the internet. Heating and fire detection system was compromised as the control box was connected to the business network. Safe shutdown was also hampered leading to massive damage. Pressure controller

Cyberattack Threat Statement Methodology Steps for development of an overall cyberattack threat statement: Conduct a cyber-enhanced HAZOP analysis for all equipment associated with the CISTAR process Identify the critical components in the process (high potential cyber risk rating with catastrophic consequences employing safeguards with 1-way/2-way communication for control) Study previous incidents on these critical components (to guide the future process designers on the cyber threats associated with these components) Generate an overall cyberattack threat statement for the CISTAR process (study of the threat history, current cyberattack capabilities, possible motivation/intent behind the attacks and the potential actions from these attacks to decide on a cyber threat rating) 19

Cyber Threat Statement 20 Threat Cyberattack General Threat History Previous cyberattacks like Triton, Turkish Oil Pipeline incident, Maroochy water services breach, etc. have focused on targeting ICS components to cause significant physical and economic damage. Specific Threat History No history at proposed CISTAR facility Capability Severe physical damage can be inflicted by cyber-attacks on the pressure controller (across TD-R), temperature controller (across TD-R and OLI-reactors) and the flow controller (TANK-1)). Motivation/ Intent Sophistication of cyber criminals is out stripping the ability to effectively counter the attacks, resulting in increased malicious events, loss of data and physical damage. Potential Actions Malicious intent, personal enrichment, political or religious motivation. Overall Assessment The exposure to these proposed small remotely operated gas processing plants assets by cyberattack was evaluated by the team and determined within the next 10 years that the cyber-attack potential on these facilities is a ‘Medium’ threat Threat Ranking Medium Similar assessment can be repeated for other threat vectors (Theft, Vandalism, Terrorism, etc.)

Summary Cyber-enhanced HAZOP analysis was conducted on the CISTAR Process Performed on all equipment associated with the process All safeguards were classified based on the communication type (Local SIS, 1-way or 2-way) Three potential cyber interfaces were identified to be critical The temperature and pressure controllers on the alkane dehydrogenation reactor (TD-R) The temperature controller on the oligomerization reactors (OLI-R-1/2/3) The level controller of the product tank (TANK-1) 21

Summary Past cyber incidents related to these controllers were studied to understand their cyber-vulnerability and guide design of additional safeguards Temperature control: Triton malware attack, German steel mill attack1,2 Pressure control: Triton malware attack, Turkish oil pipeline breach1,3 Flow control: Maroochy water services breach2 Overall cyberattack threat statement generated CISTAR process threat ranking: Medium Giles, M. https://www.technologyreview.com/2019/03/05/103328/cybersecurity-critical-infrastructuretriton-malware 2Hemsley and Fisher, History of Industrial Control System Cyber Incidents 2018 3 Bogle, A. https://slate.com/technology/2014/12/bloomberg-reports-a-cyber-attack-may-have-made-aturkish-oil-pipeline-catch-fire.html#: :text In 2008%2C two years before,Baku-Tbilisi-Ceyhan pipeline 1 22

Impacts and Future Work Impacts Cyber-enhanced HAZOP study can identify critical components associated with the process (high cyber risk components with catastrophic consequences) Procedure/methodology outlined for studying the overall threat assessment can help future CISTAR engineers to identify cyber threats following final design of the process or control strategy employed Guide the CISTAR design engineers on the choice of high-risk components (decision on make & type of controllers based on incident history)

Impacts and Future Work Future Study of individual threat vectors to understand their risk potential Study of communication modes (wired/wireless) and communication protocols (Modbus, DNP3, IEC 61850) to identify additional cyber threats and safeguard design Study of different control strategies and how they impact the overall risk

Thank You! Questions?