Friday, February 17, 2017

ICS Hacker Convicted

Yesterday the US Attorney’s Office for the Middle District of Louisiana announced that an individual had been sentenced to serve 34 months and pay $1.1 million as a result of his conviction “for hacking into the computer system of an industrial facility to disrupt and damage its operations”. This appears to be the first conviction for an attack on an industrial control system in the United States.

The Attack


There is very limited information available on the attack. What is publicly available is that a fired IT worker at the Georgia Pacific Port Hudson Mill (Port Hudson, LA, just north of Baton Rouge) accessed “the control and quality control systems for making paper towels” according to one news report. The attack was conducted via a virtual private network (VPN) connection to the plant computer network.

A plant spokesman was quoted as saying: “Things that were automatic were completely shut down.”

Another news report notes that there were multiple attacks on the facility computers between February 14th and 27th in 2014.

On the face of it, this does not appear to have been a sophisticated attack involving unknown or ineffectually mitigated control system vulnerabilities. Rather it looks like a fairly standard case of a system-knowledgeable person who did not have his system access adequately revoked when he was terminated.
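
The control that appears to have failed here, revoking access at termination, can be checked mechanically. As an added example (not part of the original post and not drawn from the case record), the Python below reconciles an HR termination list against VPN accounts and flags VPN authentication events dated on or after a user's termination; the usernames, addresses, log format and termination dates are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: HR terminations, VPN account states, VPN auth log.
TERMINATIONS = {"jdoe": "2014-02-10", "asmith": "2014-01-15"}
VPN_ACCOUNTS = {"jdoe": "enabled", "asmith": "disabled", "bnguyen": "enabled"}
VPN_LOG = """\
2014-02-09T08:02:11 user=jdoe src=10.8.0.14 result=success
2014-02-14T22:41:03 user=jdoe src=203.0.113.7 result=success
2014-02-15T07:55:40 user=bnguyen src=10.8.0.22 result=success
2014-02-20T23:10:52 user=asmith src=198.51.100.9 result=failure
2014-02-27T01:17:29 user=jdoe src=203.0.113.7 result=success
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def stale_accounts(terminations, accounts):
    """Terminated users whose VPN account is still enabled."""
    return sorted(u for u in terminations if accounts.get(u) == "enabled")

def post_termination_logins(terminations, log_text):
    """Auth events (successes and failures) on or after the termination date."""
    cutoff = {u: datetime.fromisoformat(d) for u, d in terminations.items()}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if user in cutoff and ev["ts"] >= cutoff[user]:
            hits.append((ev["ts"].isoformat(), user, ev["src"], ev["result"]))
    return hits

if __name__ == "__main__":
    print("Enabled accounts for terminated users:",
          stale_accounts(TERMINATIONS, VPN_ACCOUNTS))
    for hit in post_termination_logins(TERMINATIONS, VPN_LOG):
        print("Post-termination VPN event:", *hit)
```

Failed attempts against an already-disabled account are reported as well, since they show a former user still trying the VPN.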

The Law


The individual was convicted for violations of 18 USC 1030(a)(5)(A). Section 1030 is known as the “Fraud and related activity in connection with computers” section of the US Code and was designed to deal with financial crimes involving computers. The specific sub-paragraph charged explains the offense as whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”.

The key definition here is that of a ‘protected computer’. The first part of that definition applies specifically to computers at financial institutions or the US government, which obviously does not apply in this case. Instead, the second part of the definition (which I’ll call the ‘interstate commerce clause’) applies; it states:

A computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States” {§1030(e)(2)(B)}.

Since Georgia Pacific is a multi-national company that certainly sells materials from this facility across state lines, it is easy to see how the US Attorney could argue that this attack had a significant effect on either interstate or foreign commerce if the damage caused by the attack interfered with timely product shipments.

In establishing the ability for the court to punish a violation of §1030(a)(5)(A) the prosecution would have to prove that the attack resulted in one of six specific types of harm outlined in §1030(b)(4)(A)(i). Only four of those are of potential interest in this case:

• Loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value;
• Physical injury to any person;
• A threat to public health or safety;
• Damage affecting 10 or more protected computers during any 1-year period.

Given the $1.1 million restitution ordered by the court, I would assume that the US Attorney used the first harm category.

Commentary


There is nothing in readily available information on this case that explains how the damage of $1.1 million occurred. Having worked in a company that sold into the paper industry for years, I have learned a little about the paper making process. As each large paper roll is made, any interruption of the machinery making that roll significantly damages that roll and requires a restart of a fresh roll of paper. If stoppages occurred on multiple occasions that week, I suspect that an accounting of damaged rolls and lost production could total $1.1 million without having to have included any physical damage to the equipment at the facility.

These attacks happened in 2014 and the Federal Grand Jury indicted the individual in 2015. There is no indication that the DHS ICS-CERT was involved in the investigation of the incident (and given the rapidity with which the FBI responded to the issue, it does not appear that it would have been necessary).

It would have been nice, however, if ICS-CERT had been brought into the case early on, not so much to help in the arrest and prosecution of the perpetrator, but so that ICS-CERT could publicize the attack to the ICS community. This could have been used to reinforce the need for some basic security procedures (revocation of access) and to point out (again) the vulnerability of ICS to easy attacks by anyone with control system network access.

It is not too late, however, for ICS-CERT to prepare a public report on this attack. While there was no trial for this case (the perpetrator pleaded guilty) there was a grand jury indictment in which the process of the attack had to be presented in some detail. That should provide enough detail for ICS-CERT to prepare a relatively detailed report on the attacks.

This case also raises some interesting legal questions (DISCLAIMER: I AM NOT A LAWYER) about the adequacy of §1030 for the prosecution of attacks on industrial control systems. There have been a couple of attempts to amend §1030 (for example S 2931 in the 114th Congress) to specifically address industrial control system attacks, but none of them have proceeded past the introduction phase.

The big problem is that §1030 is a fraud-related section of the US Code and attacks against control systems (other than perhaps ransomware attacks) are not really related to fraud. The problem is further aggravated by the fact that the definition of computer used in that section is really designed to identify IT or communications systems, not industrial control systems. Since this case never came to trial, the use of this section to prosecute ICS-related attacks has not really been legally tested.

I am sure that the US Attorney was prepared to argue that the definition could be interpreted (very broadly) to have included control system computers. A defense lawyer, on the other hand, could argue that the failed congressional attempts to specifically include ICS computers in the definition reflect a congressional intent not to allow that inclusion.

Unfortunately, it is impossible to determine in advance how a specific court would deal with such arguments. Appellate court acceptance of any outcome of that decision would be even harder to predict. The fact that this individual’s legal team did not (apparently) recommend such a fight of the prosecution might simply reflect the legal cost of such a fight rather than having reached a conclusion on the merits of the use of §1030 to prosecute an ICS attack.

That fight is almost certain to occur in some future case.


NOTE: Thanks to Chris Sistrunk for sharing the press release on this case on the ICS-ISAC Open Community on Facebook.
