petrochemical plants attack malware

Since the Stuxnet virus attack in 2010— one of the first viruses, according to specialists, created specifically to affect real infrastructure sites (and not just online infrastructures)— contaminated around 60% of Iranian computers nationwide, the country has become aware that it represents a priority target for cyberattacks. Although measures have been implemented to strengthen cyber defenses, they were not enough to prevent malware from infecting two Iranian petrochemical complexes last summer. This incident arises within a tense international setting surrounding the nuclear question.

We’d like to take a look back at this incident, proof of the threat of industrial cyberattacks and the fundamental role of cybersecurity in industrial systems, which are today highly computerized and interconnected with traditional information systems and the Internet.


Petrochemicals, an industry led by computerized systems


Petroleum derivatives

The petrochemical industry transforms and uses the chemical components of petroleum and its derivatives. The compounds derived from the chemical synthesis of petroleum, natural gas and biomass are used to manufacture many everyday objects: Plastic materials, textile fibers, detergents, solvents, medicines, food coloring and even fertilizer are made in petrochemical plants.

The sector represents a key link in modern industry: It helps ensure the viability of many industrial sectors in a wide range of fields such as construction, automotive, healthcare, computers and even household appliances. The sustained development of Asian countries and the Indian subcontinent increases the global demand for these products derived from chemical synthesis and renders the petrochemical industry even more dynamic.


Complex procedures for products of mass consumption

Although biomass resources are on the rise, the petrochemical industry still heavily relies on conventional fossil fuels such as oil and natural gas as its raw materials. The industry then takes these conventional fossil fuels and puts them through long and complex processes to refine and transform them.

Forn example, petroleum naphtha is derived by refining crude oil at 800ºC through a process called steam cracking. In this process, oil is transformed into lighter hydrocarbons, olefins, also known as “building blocks”, which are assembled in another stage known as polymerization. They are then used as industrial inputs and constitute the basis for many products such as plastic materials (polyethylene, polypropylene, polystyrene) and solvents.


Industrial information systems: targets for cyberattacks

Because of the complexity and the level of precision of both upstream (refining, purification) and downstream (steam cracking, polymerization) processes in the petrochemical industry, industrial information systems are needed throughout the entire production chain: automatic management and regulation, industrial control systems and information systems, among others.

The large range of systems and their interoperability improve the performance of plants but these characteristics also make these systems a choice target for cyberattackers. Production chains are thus exposed to malware that can damage a whole industry and the security for entire regions.

Not only can cyberattackers target industrial information systems that are already set up and lacking protection, but they can also interfere in the production phases of these systems or their components. Therefore, they are already infected at the time of purchase. This is the situation which the Iranian petrochemical industry faced when, in the summer of 2016, two of its plants fell victim to malware, which managed to infiltrate even before information systems were installed.


Iran: how the petrochemical industry was infected by malware

No stranger to cyberattacks, the Iranian government periodically organizes inspections in its plants. On August 27, 2016, the head of Iran’s Civil Defense Organization, Mr. Gholam Reza Jalali, publicly announced that a malicious industrial software had been detected in two of the country’s petrochemical plants.


A strategic industry, target of a cyberattack

A few months prior, a series of fires had occurred in various Iranian petrochemical plants. Fearing that these fires were linked to a malware attack, Iran’s National Cyberspace Council opened investigations.

That is how the malware was detected in two petrochemical plants, although it was not linked to the fires. The malicious software had been imported from abroad and was hidden at the core of new equipment. It remained dormant until the equipment was installed in Iran’s plants. Although the malware managed to infect the information systems, it was not activated and detection was carried out in time.

The Iranian petrochemical industry thus managed to prevent a bad situation from turning into a worst-case scenario. However, the situation still remains troubling: a strategic installation for the economy and industry of the country was targeted…and reached.

Such an attack thus remains a threat, even more so since the origin of the malware is still unknown. If they don’t adopt measures to ensure cyber defense, the major industries using these information systems will remain an open target: industrial cyberattacks are multiplying and other incidents like this will occur.

Malware: a threat hovering over your industrial information systems

This is not the first time that the Iranian industrial sector has been targeted. Seven years ago, one of the 4 most emblematic industrial cyberattacks took place: the computer virus Stuxnet contaminated Iranian centrifuges for uranium enrichment, thus jeopardizing the country’s civil and military nuclear development programs. This attack is believed to have been led by American and Israeli intelligence agencies.

Since then, Iranian authorities have claimed they have improved their cyber defense by installing local firewalls to protect all sensitive sites, especially nuclear, military and economic sites. However, the discovery of this malware hidden in imported equipment is proof of how these measures are not enough!


Industrial cybersecurity: a priority

This new attack proves how primordial it is to protect industrial information systems from cyberattacks and malware intrusions.

Ignoring the danger that malware represents could put entire sections of industries at risk. A successful attack can result in significant material damage and put workers and the population in danger. Additionally there are heavy economic consequences of interrupting production (whether partially or in full) at an industrial site or replacing infected or damaged equipment.


Given this context and faced with such major consequences, industry players need to take measures to guarantee the integrity and the security of their infrastructures. Defining a cyber defense strategy, adopting cybersecurity systems for the industrial internet and performing regular diagnoses of installations are essential measures to take. Sentryo works alongside industrial leaders to help them design and implement their industrial cybersecurity projects.