It appears that the attackers managed to get through most of the layers of defence and had full access within the process control network. At this stage, they could have relatively easily disrupted the process but it seems that the attackers were wanting to cause physical damage.
If you have access to the DCS [2], you can disrupt the process by changing any one of a number of parameters. This can make a process unstable or can shut a process down, but it is difficult to actually cause a dangerous situation. When designing a process, it is generally assumed that every control loop will fail once every 10 years. Therefore other measures must be in place to ensure that even if the control system does something wrong, it does not cause a dangerous situation. This may be in the form of physical devices such as relief valves or bursting discs.
Where the danger is still unacceptably high, a SIS [1] or Shutdown System is employed to act independently of the main control system, assess the process conditions and make the system safe (by shutting down using independent valves). If the attacker was messing around in the SIS, they clearly wanted to make a bigger disruption than just shutting the plant down. It looks like in this case they made a mistake at one part, and the system's self-diagnostic didn't like what it saw and put the plant into the safe position. It was only after everything had shut down that the intrusion was noticed.
One of the key things that was mentioned over and over again by the Schneider representative was that if the device had been left in 'run' mode instead of 'program' the whole attack would have failed. Sometimes the simple things can block even advanced attacks.
[1] Safety Instrumented System. AKA Emergency Shutdown System.
[2] Distributed Control System. The normal control system.