Pro-Russian group Zarya claims hacking a Canadian pipeline

Among the many publications covering the recent leak of US Pentagon documents, one report describes a possible breach of a Canadian pipeline operator. It details an exchange between Zarya (Russian for “Dawn”), a pro-Russian hacking group, and an officer of the Russian FSB.

Zarya claims to have successfully infiltrated the network of the Canadian pipeline operator and boasts that it can manipulate valve pressure, disable alarms, and initiate an emergency shutdown of the facility.

An FSB officer instructed Zarya to maintain its network access and remain on standby for further instructions, anticipating that a successful operation could cause an explosion at the gas distribution station.

According to the leaked documents, the FSB is allegedly monitoring Canadian news reports for any indication of an explosion resulting from Zarya's access. The documents also suggest that Zarya claims to have already caused enough damage to the pipeline operator to result in a financial loss, but insists that its intention is not to harm human life, only to cause economic damage to Canadians.

However, none of the Canadian pipeline operators have confirmed these claims, and some of the leaked documents appear to have been altered, so it is uncertain whether the claims are true. For now, these reports must be considered unverified and potentially false.

Nevertheless, this incident is an important example of the possible consequences of cyber-physical risk. The suggestion of an explosion is especially concerning, as similar claims of cyber-induced pipeline explosions have been made before: in 2008 (Turkey), 2014 (Ukraine), and more recently in 2022 (by Ukrainian threat actors).

Despite the lack of concrete evidence, the possibility of a cyber-physical attack is very real, especially if an attacker manages to infiltrate the control system. In addition to the potential consequences of an attack, it is also important to discuss how to respond when such a claim is made, even if there has been no actual attack. These are the topics I explore in more detail in this blog.

To begin, let's examine some fundamentals of pipeline automation: the general architecture of a pipeline system, the types of automation functions used, and the specific targets that could be attacked to trigger an explosion.

Figure 1 - Simplified pipeline system architecture

A pipeline spans several locations: a main control center from which overall operations are controlled, and various stations along the line, including block valve stations:

  • A compressor station is a key component of a pipeline system: it compresses the natural gas for transport through the pipeline. The station typically consists of a series of compressors that raise the gas pressure to maintain flow through the pipeline. Compressor stations are located at intervals along the pipeline so that the gas pressure remains consistent along its full length, independent of terrain differences such as elevation. Compressor stations are controlled by a Distributed Control System (DCS) and safeguarded by a Safety Instrumented System (SIS). Most of the time there is also a compressor control system (CCS), though sometimes the DCS takes over this function. There are various other automation functions as well, but they are not relevant for this story.
  • A metering station measures and monitors the flow rate and quantity of gas in the pipeline. It can be combined with a compressor station. Such a station typically consists of various meters that measure and record gas flow rate, pressure, temperature, and other parameters. The data collected at the metering station is critical for billing and accounting of gas transactions, as well as for ensuring that the pipeline operates within safe and efficient parameters. Sometimes it is also used for odorizing the gas, which is necessary to detect gas leaks.
  • A take-off station, sometimes known as a delivery station, is a station along a gas pipeline where gas is split off to be delivered to a pipeline of a different operator or to local distribution systems, such as for residential or commercial use. The take-off station typically consists of metering and regulation equipment, along with the pipelines that feed the local distribution systems. These stations may also include odorization equipment to add an odorant to the gas.
  • A block valve station is typically a small station along a gas pipeline where a block valve is installed to control the flow in the pipeline. Block valves are very large valves that can be remotely controlled to stop or limit the flow of gas in an emergency, for example when a leak or rupture occurs in the pipeline. The block valve station is a critical component of a gas pipeline system, as it allows the quick shutdown of a pipeline section in an emergency.

Because of the remote locations, pipeline control systems typically use a centralized SCADA (Supervisory Control and Data Acquisition) system that oversees all pipeline locations. In addition, local control of compression is achieved with a combination of DCS and SIS functions, extended with a CCS where needed.

While a pipeline control system has numerous other critical systems, such as communication systems, leak detection systems, CCTV, dispatching systems, historians, and network management systems, the focus of this blog is on the compression function in the context of an attack scenario that could lead to an explosion. Therefore I focus my attention on the compressor stations along the pipeline. If the FSB or Zarya wants to cause an explosion, this is where it would happen.

In the realm of cyber-physical attacks on compressors, changes in pressure levels are a crucial factor to consider. Excessively high pressure, as well as sudden drops in pressure, can lead to severe damage to the equipment. In either case, there is a risk of losing containment of the gas, which could ultimately result in an explosion.

To better understand the potential dangers, let us first examine the two scenarios separately – high pressure and sudden pressure drops. We can then combine these scenarios to understand how a cyber-physical attack could potentially cause an explosion. Additionally, it is important to consider how a gas pipeline operator should respond when notified of an upcoming cyber-attack. Let’s start with causing a sudden pressure drop.

A surge is a phenomenon that occurs in a compressor when the pressure in the discharge line exceeds the pressure the compressor can maintain, causing a sudden reversal of flow through the compressor. This can severely damage the compressor. The discharge line is the side of the compressor where the pipeline carrying the compressed gas in the downstream direction is connected.

When a surge occurs, it causes a sudden and significant increase in the load on the compressor. The compressor struggles to maintain the required pressure and may eventually stall, leading to a sudden loss of flow and increased pressure in the pipeline. This can severely damage the compressor and surrounding equipment, such as bearings, seals, and piping. Additionally, the sudden reversal of flow causes severe vibrations, which can damage the compressor's internal components.

To prevent surging, compressor control typically implements anti-surge protection, such as a recycle valve (also known as a bypass valve or anti-surge valve). The recycle valve is part of a closed-loop control function that continuously monitors the pressure and flow rate of the gas and adjusts the compressor speed and the position of the recycle valve as needed to keep the operating point away from surge. This is typically done by a compressor control system (CCS), but in some cases it is implemented in the DCS.

So one possible attack scenario is to hold the recycle valve closed while causing a pressure drop at the suction side of the compressor. An attacker with access to the control system, as Zarya claims to have, could cause such a drop by suddenly closing the block valve on the suction side. Block valves are normally limited in their closing speed by a travel rate setting; the threat actor could raise this setting so that the valve closes faster, which increases the rate of the pressure drop. This alone might be enough to damage the compressor, resulting in considerable repair time.

The above scenario could lead to an explosion, although every design has some safety margin. What matters here is that three fault conditions occur at the same time:

  • A closing block valve;
  • A block valve closing at an excessive travel rate;
  • A recycle valve that doesn't open.

A process hazard analysis would most likely not consider (and so not mitigate) this scenario, because three independent random failures are very unlikely to occur simultaneously. In a cyber-physical attack, however, the failures are intentional and correlated, and all of this is within reach for someone with the level of access to the control environment that Zarya claims to have.
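To make the interplay of these three fault conditions concrete, the Python toy model below is an added illustration for this post; it is not code from the original article and not a real compressor map or pipeline hydraulics. The linear suction-pressure relation, the surge line, the pressure and flow numbers and both valve rates are made-up assumptions chosen only to show the mechanism.

```python
"""Toy compressor-surge model illustrating the three combined fault conditions.

Constructed for illustration only: the pressure/flow relations below are simple
stand-ins, not a real compressor map or pipeline hydraulics.
"""

DT = 0.1                  # simulation step, seconds
T_END = 60.0              # seconds simulated
P_DISCHARGE = 70.0        # bar, assumed held constant by downstream line pack
P_SUCTION_OPEN = 50.0     # bar, suction pressure with the block valve fully open
P_SUCTION_CLOSED = 30.0   # bar, residual suction pressure with the valve fully closed (assumption)
Q_NOMINAL = 10.0          # flow units through the compressor at nominal suction pressure
Q_RECYCLE_MAX = 8.0       # flow the recycle (anti-surge) line adds when fully open
SURGE_FLOW_NOMINAL = 6.0  # minimum stable flow at the nominal pressure ratio
ASC_MARGIN = 0.10         # controller opens the recycle valve below 10 % margin to the surge line


def suction_pressure(block_valve_pct: float) -> float:
    """Suction pressure as the upstream block valve closes (linear toy relation)."""
    return P_SUCTION_CLOSED + (P_SUCTION_OPEN - P_SUCTION_CLOSED) * block_valve_pct / 100.0


def surge_flow(ps: float) -> float:
    """Toy surge line: the minimum stable flow grows with the pressure ratio P_D/P_S."""
    ratio_nominal = P_DISCHARGE / P_SUCTION_OPEN
    return SURGE_FLOW_NOMINAL * (P_DISCHARGE / ps) / ratio_nominal


def simulate(travel_rate_pct_per_s: float, recycle_forced_closed: bool = False,
             asc_rate_pct_per_s: float = 10.0) -> dict:
    """Close the suction block valve at the given travel rate and report whether surge occurs.

    recycle_forced_closed models an attacker holding the anti-surge valve shut;
    asc_rate_pct_per_s is how fast the compressor controller can open it.
    """
    block_valve = 100.0   # % open
    recycle = 0.0         # % open
    surged, t_surge, min_margin = False, None, float("inf")
    for n in range(int(T_END / DT)):
        t = n * DT
        # 1. the block valve closes at the (possibly tampered) travel rate
        block_valve = max(0.0, block_valve - travel_rate_pct_per_s * DT)
        ps = suction_pressure(block_valve)
        q_in = Q_NOMINAL * ps / P_SUCTION_OPEN
        q = q_in + Q_RECYCLE_MAX * recycle / 100.0
        q_min = surge_flow(ps)
        margin = (q - q_min) / q_min
        min_margin = min(min_margin, margin)
        if margin < 0.0 and not surged:
            surged, t_surge = True, round(t, 1)
        # 2. the anti-surge controller reacts to the measured margin (one step lag)
        if not recycle_forced_closed and margin < ASC_MARGIN:
            recycle = min(100.0, recycle + asc_rate_pct_per_s * DT)
    return {"surged": surged, "t_surge": t_surge,
            "min_margin": round(min_margin, 3), "recycle_pct": round(recycle, 1)}


if __name__ == "__main__":
    cases = [
        ("normal travel rate, anti-surge control active", dict(travel_rate_pct_per_s=2.0)),
        ("tampered travel rate, anti-surge control active", dict(travel_rate_pct_per_s=25.0)),
        ("tampered travel rate, faster anti-surge valve",
         dict(travel_rate_pct_per_s=25.0, asc_rate_pct_per_s=30.0)),
        ("normal travel rate, recycle valve held closed",
         dict(travel_rate_pct_per_s=2.0, recycle_forced_closed=True)),
        ("tampered travel rate, recycle valve held closed",
         dict(travel_rate_pct_per_s=25.0, recycle_forced_closed=True)),
    ]
    for label, kwargs in cases:
        print(f"{label}: {simulate(**kwargs)}")
```

Run stand-alone, it prints five cases. With the normal travel rate the anti-surge controller keeps the operating point above the surge line; with the tampered travel rate the recycle valve cannot open fast enough and the compressor surges briefly even though the controller is working, unless the controller's own ramp is raised as well; with the recycle valve held closed it surges regardless of how fast the block valve closes, only earlier. The practical point is that the ratio of block valve travel rate to anti-surge valve response is itself a safety parameter, so writes to either setting deserve the same change control and monitoring as a safety setpoint.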

To further increase the potential impact of a cyber-physical attack on a compressor, the attacker can raise the discharge pressure suddenly while also closing the block valve on the discharge side at an increased travel rate. This causes a sudden rise in pressure as the gas is compressed against the closing valve, and at a certain point it decompresses in the reverse direction through the compressor.

This heightened scenario significantly increases the risk of damage and loss of containment, which could ultimately lead to an explosion.

So if the Canadian pipeline story is true, then at least the FSB officer's assessment is right: the level of control Zarya claims to have established could lead to an explosion. This is no surprise. Russia has many gas pipelines with many compressor stations, so it will have done its own cyber-physical risk analysis and recognised the danger; and, to borrow some Cold War terminology for today's new “Iron Curtain”, they use many of the same systems as we do in the “West”.

So what to do if you get a phone call from your local intelligence service warning you of an upcoming cyber-attack?

Number one in most cases would be to disconnect from external systems and networks. However, this is not that easy for a pipeline system, because the orders for gas (“dispatches”) enter the system through the dispatching system, which often depends on email. Additionally, all networks are typically redundant, as is the Main Control Center (MCC): there is most likely a Backup Control Center (BCC), and the networks may fall back on alternative paths such as satellite or even 4G connections, so a single disconnect rarely isolates everything. Isolating might also mean disconnecting your security operations center (SOC), even though you may need its expertise.

Number two might be to operate partially in manual mode, for example from the substations. This is not easy if there are many substations and few personnel. Long pipelines can easily have more than 10 substations and hundreds of block valve stations, and these are generally only manned during the daytime. It might help for a few days, but by then the underlying issue needs to have been fixed.

Number three would be to search the system for indicators of compromise (IOCs). How did the threat actor get in, and how do they maintain access? This is a complex task, because we need to review every cyber threat scenario for all possible tactics, techniques, and procedures (TTPs). It would help if the asset owner had conducted a cyber-physical risk assessment in the past, because such an assessment maps the TTPs a threat actor can use onto the process hazards discussed above. We would then have a risk register that leads us to the TTPs to investigate. A specialist OT security organization can help link the TTPs used in a cyber-attack to the IOCs associated with them. However, if a pipeline operator is not adequately prepared for such an attack, linking TTPs to IOCs may take a considerable amount of time, and there is a significant risk that IOCs are overlooked, which could result in further damage or harm.
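As an added example (not from the original post), here is how one entry of such a risk register can be turned into a detection rule over control-system change logs: the surge scenario from above, with its three fault conditions plus the alarm suppression Zarya claimed, each mapped to a technique name and to the parameter write or command that would realise it. The tag names, workstation names, log format, timestamps and engineering baseline are hypothetical; the technique labels follow MITRE ATT&CK for ICS naming.

```python
"""Mapping a process-hazard scenario to control-system change events (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # workstation that issued the change (hypothetical names)
    tag: str      # control-system tag or parameter (hypothetical names)
    action: str   # "write", "mode_change", "command" or "alarm_inhibit"
    value: str


# Engineering baseline for rate-limited parameters; the value is an assumption.
BASELINE_TRAVEL_RATE = {"SCADA.BV-201.TRAVEL_RATE": 2.0}   # % of stroke per second


def recycle_valve_forced_closed(e: Event) -> bool:
    """Anti-surge (recycle) valve taken out of automatic control."""
    return "ASV" in e.tag and e.action == "mode_change" and e.value.upper() == "MANUAL"


def travel_rate_raised(e: Event) -> bool:
    """Block valve travel rate written well above its engineering baseline."""
    baseline = BASELINE_TRAVEL_RATE.get(e.tag)
    if baseline is None or e.action != "write":
        return False
    try:
        return float(e.value) > 2.0 * baseline
    except ValueError:
        return False


def block_valve_close_command(e: Event) -> bool:
    return "BV" in e.tag and e.action == "command" and e.value.upper() == "CLOSE"


def alarm_inhibited(e: Event) -> bool:
    return e.action == "alarm_inhibit"


# One risk-register entry: the process hazard from the text, the techniques that realise it
# (MITRE ATT&CK for ICS names) and the observable event for each.
SURGE_SCENARIO = {
    "name": "compressor surge by closing the suction block valve",
    "window": timedelta(minutes=30),
    # (label, technique, required, predicate)
    "conditions": [
        ("recycle valve taken to manual", "T0836 Modify Parameter", True, recycle_valve_forced_closed),
        ("block valve travel rate raised", "T0836 Modify Parameter", True, travel_rate_raised),
        ("block valve close command", "T0855 Unauthorized Command Message", True, block_valve_close_command),
        ("alarm inhibited", "T0838 Modify Alarm Settings", False, alarm_inhibited),
    ],
}


def find_scenarios(events: list, scenario: dict) -> list:
    """Return one finding per time window in which all required conditions appear."""
    events = sorted(events, key=lambda e: e.ts)
    findings, i = [], 0
    while i < len(events):
        start = events[i]
        window = [e for e in events if start.ts <= e.ts <= start.ts + scenario["window"]]
        matched = {}
        for label, technique, _, pred in scenario["conditions"]:
            hit = next((e for e in window if pred(e)), None)
            if hit is not None:
                matched[label] = (technique, hit)
        required = [label for label, _, req, _ in scenario["conditions"] if req]
        if all(label in matched for label in required):
            last = max(e.ts for _, e in matched.values())
            findings.append({
                "scenario": scenario["name"],
                "start": start.ts,
                "end": last,
                "matched": matched,
                "sources": {e.source for _, e in matched.values()},
            })
            i = next((k for k, e in enumerate(events) if e.ts > last), len(events))  # skip the cluster
        else:
            i += 1
    return findings


def stamp(hh: int, mm: int) -> datetime:
    return datetime(2023, 4, 10, hh, mm)   # constructed timestamps


# Constructed change log: routine engineering work in the morning, then the cluster of
# writes that together produce the three fault conditions (plus an alarm inhibit).
SAMPLE_EVENTS = [
    Event(stamp(8, 5), "ENG-01", "DCS.PT-301.HI_ALARM", "write", "75.0"),
    Event(stamp(9, 12), "ENG-01", "SCADA.BV-201.TRAVEL_RATE", "write", "2.0"),
    Event(stamp(10, 30), "ENG-01", "SCADA.BV-201.CMD", "command", "CLOSE"),   # planned maintenance
    Event(stamp(14, 2), "HMI-07", "CCS.ASV-101.MODE", "mode_change", "MANUAL"),
    Event(stamp(14, 3), "HMI-07", "CCS.ASV-101.OUT", "write", "0.0"),
    Event(stamp(14, 5), "HMI-07", "CCS.PDT-102.LO", "alarm_inhibit", "ON"),
    Event(stamp(14, 11), "HMI-07", "SCADA.BV-201.TRAVEL_RATE", "write", "25.0"),
    Event(stamp(14, 14), "HMI-07", "SCADA.BV-201.CMD", "command", "CLOSE"),
]


if __name__ == "__main__":
    for f in find_scenarios(SAMPLE_EVENTS, SURGE_SCENARIO):
        print(f"{f['scenario']} between {f['start']:%H:%M} and {f['end']:%H:%M} from {sorted(f['sources'])}")
        for label, (technique, e) in f["matched"].items():
            print(f"  {label:<32} {technique:<36} {e.ts:%H:%M} {e.tag}={e.value}")
```

The rule deliberately does not fire on the planned 10:30 block valve closure, because a close command on its own is normal operations; it is the co-occurrence within one window of the recycle valve going to manual, the travel rate being raised above its engineering baseline and the close command that matches the hazard, and the alarm inhibit only raises the severity. A real deployment would read the events from the DCS/SCADA audit trail or the engineering-station change log, and would keep the baseline values under change control rather than in a dict.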

While many pipeline organizations have conducted risk assessments, they often do not delve deep enough to analyze the specific risks associated with cyber-physical systems. Consequently, essential information may not be available. This is where a specialist with a deep understanding of system configuration, relevant parameters, cyber threats, process hazards, and cyber-attack techniques is necessary. Such a specialist can provide an in-depth cyber-physical risk assessment that is critical for ensuring the safety and security of pipeline operations.

Unfortunately, such experts are rare. Therefore, if you are a pipeline operator and have not yet conducted a cyber-physical risk assessment, it is essential to start preparing for one. The connection between process hazards and cyber hazards, with their TTPs, is essential information. It will better enable you to identify and monitor potential indicators of compromise and to identify steps that mitigate risk before a cyber-physical incident occurs.
