Honeywell Warns of Increasing Attacks by State-Sponsored Hackers

  • Oil refineries, chemical plants, nuclear reactors all targeted
  • One-third of malware enters control systems via USB drives

Hackers are increasingly targeting industrial facilities, from oil refineries to nuclear power plants, with sophisticated attacks aimed at capturing data and remotely controlling the sites, according to a Honeywell International Inc. executive.

Honeywell has seen evidence of threats from nation-states and "sponsored attackers" backed by nations in two-thirds of the 30 industrial sectors the company tracks at its Duluth, Georgia-based cyber research lab, according to Eric Knapp, chief cybersecurity engineer at Honeywell Process Solutions. The unit provides cybersecurity for more than 400 industrial sites worldwide, including oil and gas producers, chemical and power plants, natural gas processors, and mining and water treatment facilities.

"We’ve seen that there’s definitely increasing exposure to what we call high-capability threat actors," Knapp said in a phone interview. "Nation-state and sponsored attackers are definitely out there, and they’re definitely focusing on these industries."

Ukraine Attack

Knapp wouldn’t name specific countries but said that the advanced hacking methods being detected are typically associated with nations or groups they sponsor. A U.S. indictment unsealed in March accused a hacker based in Iran of gaining remote access to a computer controlling a dam in Rye, New York, for about three weeks beginning in 2013, while six other Iranians attacked U.S. banks and companies including the New York Stock Exchange, Nasdaq, Bank of America Corp., JPMorgan Chase & Co. and AT&T Inc. Iran rejected the accusations.

In December, hackers in Ukraine showed the potential for an online attack to inflict real-world damage by disrupting power to tens of thousands of people. Destructive malware knocked out at least 30 of the country’s 135 power substations for about six hours.

Honeywell’s Knapp said hackers typically seek data or log-in details that give them access to industrial-control systems at the facilities, letting them digitally manipulate the operations from afar.

"We’ve seen administrative credentials for sale. We’ve seen specific access to specific industrial facilities for sale" online, Knapp said. "If I were to peruse the black market and I didn’t have any scruples, I could say, ‘I want to access this facility,’ and I can purchase the access to that, which is scary."

For more background on state-sponsored hacking, click here.

One-third of malware Honeywell has detected at industrial facilities entered the control system’s network through infected USB drives plugged in by users.

Companies have built stronger networks around their control systems, making direct access more difficult for hackers. Instead, attackers craft malware to hit a company’s more vulnerable corporate system and then infect any removable USB drives attached to that network. The control system’s network, housed separately, is breached when a worker plugs the infected USB drive into it.

"There’s still a need for information to flow between the business and the control system," Knapp said. "The bad guys know that they need to go in that way so they’re designing their attacks to take advantage of that."

Other challenges include costly measures needed to update industrial control systems to respond to current cyberthreats. Some facilities are also using control systems that are three to four decades old, Knapp said.

"There’s just an inherent challenge in protecting these systems," he said. "In a lot of cases, because of the age of systems they predate cybersecurity."

Before it's here, it's on the Bloomberg Terminal.
LEARN MORE