Valves are literally everywhere. They are critical flow-control devices in industrial process control operations for chemical and materials manufacturing, water and wastewater management, oil and gas processing, power generation and many other applications. Could your valves be a cybersecurity risk?

By 2025, the U.S. valve market is anticipated to reach $36.2 billion, largely attributed to the growth in the oil and gas industry according to a Research and Markets report. Control valves represent a significant portion of the valve market share. A recent marketing report by Mordor Intelligence explored the trends for control valves. According to the study, the 2017 global control valve market had a value of $9.76 billion and is predicted to experience a compound annual growth rate (CAGR) of 3.67% over the next five years to $11.76 billion.

Control valves are power-operated devices that automatically modify fluid flow rate or pressure in a process system. Control valves include globe, angle, diaphragm, ball, butterfly and choke valves. Globe valves hold the largest market share of all of the control valve types and are used in applications such as fuel oil systems, cooling water systems, boiler and main steam vents and drains, feedwater or chemical feed systems and turbine lube oil systems.

Smart Valves

Valve equipped with smart valve positioner. Source: Siemens

Operating and maintaining all of these valves can be expensive, especially when unexpected failures arise. One recent trend to monitor and remotely control valves is the use of smart valves or valves with smart valve positioners. Smart valves, networked through the industrial internet of things (IIoT), provide real-time information on the valve operation as well as the process system. If a blockage or other problem occurs, smart valves can dynamically reconfigure a pipeline to avoid the problem area.

Additionally, smart valves help with preventive maintenance of surrounding equipment in process systems. New artificial intelligence (AI) technology integrated with some smart valves detects and classifies sound data in machinery. The information from these valves determines the health of the equipment and detects issues before a failure occurs.

The desire to wirelessly monitor and maintain equipment in process plants as well as subsea and oil and gas applications is contributing to the rising popularity of smart valves. The largest market for smart valve installations will be new and updated oil exploration sites in the Middle East.

Cybersecurity Concerns

Cybersecurity threats are a growing industry concern. Attacks on water and wastewater systems, nuclear facilities, chemical processing plants and oil and gas installations could have catastrophic effects. The EPA has issued a water sector cybersecurity brief for water and wastewater utilities to address these growing concerns.

Programmable logic controllers (PLCs) are vital control systems that automate material handling and manufacturing equipment, power grids, railways, airports and many other critical infrastructure applications. Billions of PLCs are currently in operation around the world. Many of them are old controllers with little or no integral security mechanisms. Industrial networks typically have weak or no authentication, and the limited memory and CPU found in many PLCs make them an easy target.

Georgia Tech recently performed an experiment introducing ransomware to the PLC in a mocked-up water treatment system. The experiment included three common PLCs and the attack was designed to show how hacking could lead to excess chlorine being introduced to the water supply.

Another example of PLC hacking is the Stuxnet worm, first discovered in 2010. The Stuxnet worm is a computer virus specifically designed to attack Siemens’ supervisory control and data acquisition (SCADA) systems. The virus continuously collects data and executes commands over a long period.

Control Design reported that a USB thumb drive introduced the Stuxnet worm to a nuclear plant in Natanz, Iran, destroying approximately 1,000 centrifuges inside the plant. A Windows computer running a Siemens software program named Step 7 detected the virus, but the damage had been done.

Iranian President Mahmoud Ahmadinejad visits the Natanz Nuclear Plant, site of the Stuxnet worm attack. Source: www.president.ir

Black Hat conferences provide security professionals a place to learn the latest in information security risks, research and trends. Recent Black Hat events in London and Las Vegas demonstrated additional PLC vulnerabilities.

At Black Hat USA in Las Vegas, researchers demonstrated a PLC worm named PLC-Blaster. The worm spreads among PLCs on the same network, avoids detection and issues rogue commands to connected machinery. A “silent” rootkit for PLCs demonstrated at Black Hat 2016 can manipulate items in the PLC process, such as opening and closing valves. The rootkit did not touch the PLC logic or runtime, which allowed it to run undetected.

Even PLCs that are not connected to a network, referred to as “air-gapped,” can be vulnerable. Cyber-X provides industrial cybersecurity platforms for continuous, non-invasive risk assessment and machine-to-machine (M2M) anomaly detection. According to Cyber-X, two-thirds of the industrial networks in operation are air-gapped. Most companies believe that these air-gapped networks are safe from cybersecurity threats. To demonstrate that this is not necessarily true, Cyber-X wrote ladder logic code that generated frequency-modulated RF signals. These signals could contain encoded data such as nuclear blueprints. The PLCs do not contain radio transmitters, but the RF signals generated by the code could be read from a distance of one meter. Greater distances would be possible with the proper antenna or code.

Cybersecurity threats are not limited to computers or PLCs. Other components in a smart technology system, such as smart valves and pumps, are also vulnerable to attack. As Georgia Tech demonstrated, terrorists could exploit a water treatment system to change the amount of chlorine added to the water. While Georgia Tech focused on the PLC, a similar attack could target a smart valve. Any component using smart technology is a potential risk, as data rather than humans control the components.

Sean Peasley of Deloitte, an audit, consulting, tax and advisory service company, estimates that $200 to $300 billion of engineering is lost in the U.S. each year to hacking, primarily by Chinese perpetrators. He also stated that all of the valve manufacturing companies have probably already been hacked. While intellectual property theft is definitely a major concern, terrorists and other malicious actors could use this stolen data for harmful cybersecurity attacks.

Some plants separate information technology systems from operational technology systems. This separates the sensors and monitoring instrumentation from the networked control systems, allowing a comparison of real-time system measurements to the control data and minimizing the exposure of the operational technology system to hacking.
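The comparison described above can be sketched as a small detector. This is an added example, not code from the article or from any vendor; the valve, the sample values, the 5-point tolerance and the three-sample persistence rule are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Sample:
    t: int                      # seconds since start (constructed)
    reported: float             # valve position (% open) taken from control data
    measured: Optional[float]   # position from the separate monitoring sensor


def find_divergence(samples: List[Sample], tolerance: float = 5.0,
                    min_consecutive: int = 3) -> List[Tuple[int, int, float]]:
    """Return (start_t, end_t, max_gap) for every run of at least
    min_consecutive samples where the independent measurement and the
    control data disagree by more than tolerance."""
    alerts, run = [], []

    def close_run():
        # A single noisy reading is not an alert; a sustained gap is.
        if len(run) >= min_consecutive:
            alerts.append((run[0][0], run[-1][0], max(g for _, g in run)))
        run.clear()

    for s in samples:
        if s.measured is None:
            continue            # sensor dropout: nothing to compare against
        gap = abs(s.reported - s.measured)
        if gap > tolerance:
            run.append((s.t, gap))
        else:
            close_run()
    close_run()
    return alerts


# Constructed data: control data claims a steady 40 % open while the
# independent sensor sees one noise spike, one dropout, then a real excursion.
MEASURED = [40.5, 39.8, 52.0, 40.2, None, 58.0, 71.0, 84.0, 85.0, 41.0, 40.1]
SAMPLES = [Sample(t=i * 10, reported=40.0, measured=m)
           for i, m in enumerate(MEASURED)]

if __name__ == "__main__":
    for start, end, gap in find_divergence(SAMPLES):
        print(f"divergence from t={start}s to t={end}s, max gap {gap:.1f} points")
```

The check is only meaningful when the measured values reach the detector over a path the control network cannot rewrite, which is the point of the separation.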

Conclusion

Smart valves and smart valve positioners offer many advantages over traditional technology, especially in applications such as subsea and oil exploration where remote monitoring and control are extremely valuable. Although relatively few cases exist for industrial control or smart technology system hacks, the risk does exist. Companies should educate themselves on the potential dangers and take proper measures to limit their exposure and enhance early detection.

References

Stealthy New PLC Hack Jumps the Air Gap

How to hack programmable logic controllers