Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean

On August 17, 2009, a 900 ton hydroelectric turbine was torn from its moorings at the Sayano-Shushenskaya hydroelectric power plant and dam in Russia.   The 900-ton unit actually lifted high enough (40-50 feet) to crash into the ceiling of the turbine facility.  The accident ultimately cost 75 people their lives.  Every one of the ten power generation units in the plant was damaged, some irreparably.  The 6,500 MW power station will not return to full capacity until 2014.  40 tons of transformer oil was released into the surrounding ecosystem, killing an estimated 400 tons of trout in two fisheries.  Untold hours of production capacity of surrounding businesses were lost due to the interruption of power to the area.  You can get a full picture of the event from a DOE presentation.

Before picture of the turbine generator hall of the Syano-Shusenskaya Plant

Before picture of the turbine generator hall of the Syano-Shusenskaya Plant

In my last post I defined how Duqu is a notable shift in the malware game, most notably as a precursor to carrying out Stuxnet level complexity attacks without the need for human intelligence gathering.   The ability to potentially affect and disrupt industrial controls in turn creates the potential for industrial blackmail and potentially cyber-terrorism.

For the record, I abhor peddling fear and in my time in the IT security space I have never used that tactic, and I am not using it now.  I do think what I described is a very real threat that is at our doorstep right now.  Duqu rang the doorbell.

I spent Wednesday at the SINET 2011 Showcase put on by the Security Innovation Network.  Triumfant was honored to be recognized as a SINET 2011 Innovator at the event, and General Keith Alexander, the Commander of the U.S. Cyber Command gave the closing keynote.   General Alexander used the Sayano-Shushenskaya accident in his talk, and it immediately struck me that the General had provided me with the example I needed for this conversation.

Post-event view of the turbine generator hall.

The Sayano-Shushenskaya plant had been a place of historical operational problems, and the specific turbine (Turbine 2) at ground zero of the accident was particularly problematic.  The turbine had a history of vibration issues that kept it from safely operating at capacity, and a new vibration controller had been installed in 2009.  This controller was offline on the fateful day when another plant experienced problems and Sayano-Shushenskaya was asked to raise capacity to make up for the shortfall.  When the load on Turbine 2 was increased, vibrations steadily increased to over 5 times the load limit, and the structural integrity of the unit ultimately failed.

Back to Duqu.  Introduction of Duqu into the Sayano-Shushenskaya would gather the data needed on not only how to infiltrate the plant systems, but where the plant was most easily compromised.  Hacking into maintenance records would readily pinpoint Turbine 2 as the weakest physical link.  The keylogging capabilities could gather the necessary access to the industrial controls of the plant, including the vibration control process.  The bad guys do not need human intelligence from the plant – Duqu provides all the data they need.

The information to disable energy production in hand, a Stuxnet level attack can be written to infiltrate the industrial control systems of the plant.   The low effort approach would be to disable the vibration control system for Turbine 2 at a time when peak capacity was required and wait for the failure.  A more aggressive approach could actually manipulate the demand on Turbine 2 to force it to run beyond established limits and, with the disabling of the vibration control system, guarantee an event on demand.  This is no different than what Stuxnet did to the centrifuges in the Iranian nuclear sites – it made them spin beyond operational tolerances and destroyed the devices.  The difference is that this attack sends a 900-ton turbine structure 50 feet into the air.

NOTE added 11/18/2011:  Since this post went public on 10/28/2011, it was reported that a water plant in Springfield, Illinois was impaired when the SCADA industrial controller from a water pump was hacked and manipulated to damage the pump and render it operational.  The hackers simply turned the system on and off until the pump overheated and burnt itself out.  Details can be found at Krebs on Security and on Wired.

Too much physical destruction for you to consider?  How about infiltrating the industrial controls of a pharmaceutical company and changing the machines that control the flow of ingredients.  No explosions, no floods, no fires.  But a disturbing bit of potential terrorism.  And not just an Advanced Persistent Threat stealing intellectual property.

Now do you see the connection? Was that the doorbell?

(Triumfant has gone on record as saying we would detect Duqu and would be able to stop the attack before it collected the data it seeks.)


About The Triumfant Blog
This Blog is about all things Triumfant

2 Responses to Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean

  1. Pingback: Water Utility Attacked, Compromised – the Era of SCADA Attacks Arrives « Exceptional Security

  2. Pingback: The Reader’s Speak – the Top Ten Posts of 2011 « Exceptional Security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: