Thursday, January 31, 2013

Cyber War, Safety, and OSHA

There is a new hazard that companies need to be aware of: 
Workplace Industrial Cyber Safety Hazards.

Hazard Alert!

There's a war going on, and it's raging here at home; not in the streets or the fields, but on the Internet. You can think of it as a war on the digital homeland. If you work for a power company, bank, defense contractor, transportation provider, or other critical infrastructure type of operation, your organization might be in the direct line of fire. And everyone can become collateral damage.

The Responsibility of Safety Professionals

So what responsibility do we as Safety Professionals and what responsibility do our companies (as employers) have to address cyber industrial safety hazards in workplace? Today computer malware go beyond identity theft. Today computer malware attacks PLC (Programmable Logic Controllers) that control the automation of industrial processes; for instance, to control machinery.

Cyber attacks evolve from espionage attacks that steal intellectual property or monitor communications to disruptive or destructive attacks. Destructive and disruptive cyber attacks are relatively uncharted and troubling territory. Computer virus can start a machine and prevent it from being shut down. Stuxnet is a computer worm; a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges.

The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control (Stuxnet). Another seems right out of the movies: The computer program (Flame) secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

"What if the machinery in your facility started up unexpectedly, started spinning wildly out of control, and refused to shut down? That is the new reality today. Are you prepared for it?"

In the past six months, there have been foreign attacks on oil and gas companies in the Middle East and on U.S. banks, including Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC, and SunTrust. How will we react if the next attack is against the electric grid, or our food and water supply.

Policies such as the 2012 Securities and Exchange Commission's Guidance on Cyber Disclosure now require many Fortune 500 companies to report any type of meaningful cyber threats in their organizations.

OSHA, LOTO, and the General Duty Clause

OSHA requires employers to provide a safe and healthful workplace that
is free from serious recognized hazards. LOTO requires machinery to be shutdown and no be able to be restarted, cycled, or energised.
Workplace Industrial Cyber Safety Hazards are a trigger here requiring employers to address them.


Both Flame and Stuxnet are considered malware. Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. Malware is a general term used to refer to a variety of forms of hostile or intrusive software.

Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs and other malicious programs


Flame secretly mapped, recorded, and monitored Iran’s computer networks, sending back a steady stream of intelligence to prepare for a cyber­warfare campaign.


Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems are used to control and watch industrial processes. Industrial control systems consist of PLC (Programmable Logic Controllers), which can be thought of as mini-computers that can be programmed from a Windows system.

These PLCs contain special code that controls the automation of industrial processes; for instance, to control machinery in a plant or a factory such as those used in pipelines or nuclear power plants. Stuxnet can enter a computer system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate to the operator and your antivirus software that everything is functioning as expected.

Stuxnet is the first-ever computer worm to include a PLC (Programmable Logic Controllers) rootkit to hide itself and target critical industrial infrastructure. Successful exploitation of this vulnerability results in the injection of a backdoor, as well as the installation of two rootkits that will hide both the .lnk files and the accompanying .tmp files.

Origins of Flame and Stuxnet

The United States and Israel jointly developed a sophisticated computer virus named Flame and Stuxnet. Flame collected intelligence in preparation for cyber-sabotage (Stuxnet) aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.

The effort, involving the National Security Agency, the CIA and Israel’s military, has included the use of destructive software such as the Stuxnet virus to cause malfunctions in Iran’s nuclear-enrichment equipment.

U.S. Attorney General Eric Holder announced a criminal probe last June (2012), shortly after a lengthy article by The New York Times' chief Washington correspondent, David Sanger, reported that anonymous, high-level sources in the Obama administration had told him that the U.S. and Israeli governments had used the Stuxnet worm to attack centrifuges at Iran's Natanz nuclear plant.

The Fix

Many security vendors have released Stuxnet removal tool and Microsoft has released Stuxnet FixIt tool too. There is a Microsoft Fix-IT solution, a solution called the G Data LNK Checker to block malicious LNK files, and a Stuxnet Rootkit Remover to clean the infected computers from common Stuxnet variants.

BitDefender has also released a free Stuxnet (Win32.Worm.Stuxnet) removal tool. This tool is capable of removing all known variants of Win32.Worm.Stuxnet, as well as the rootkit drivers that are used to hide critical components of the worm. The tool can be run on both 32-bit and 64-bit Windows operating system installations and will eliminate both the rootkit drivers and the worm.

[ Download Free BitDefender Stuxnet Removal Tool here: ]

[ Download Other BitDefender Security Tools here: ]

Consequences of Cyber War

Until the conflicts are resolved, almost everyone becomes a victim of unintended consequences during war, even cyber war. Cyber war may be digital, but it is still a form of war.


The Terrorism Risk Insurance Act (TRIA) is a US federal law signed into law by President George W. Bush on November 26, 2002. The Act created a federal "backstop" for insurance claims related to acts of terrorism, mainly 9/11. The Act is intended as a temporary measure to allow time for the insurance industry to develop their own solutions and products to insure against acts of terrorism. The Act was set to expire December 31, 2005, but was extended to Dec. 31, 2014.

TRIA created a U.S. government reinsurance facility to provide reinsurance coverage to insurance companies following a declared terrorism event. TRIA is a short-term measure designed to help the insurance market recover from 9/11 and develop solutions to insuring terrorism.

Terrorism is not War.

War: An organized, armed, and often a prolonged conflict that is carried on between states, nations, or other parties usually over territory or resources. War can also be the liberation of a nation.

Terrorism: The French word terrorisme in turn derives from the Latin verb terreō meaning “I frighten.” Although “terrorism” originally referred acts committed by a government, currently it usually refers to the killing of innocent people by a non-government group in such a way as to create a media spectacle.

War usually has rules of conflict, such as the treatment of prisoners, terrorism does not follow the same rules, and often target civilians to put fear into the populace.
Most insurance policies include an "Act of War Exclusion." This can leave an employer vulnerable to (injury) claims as a result of a cyber attack.


It may take 5 to 10 years before we hear of a fatality caused by a machine with an infected PLC.Until then we will not hear about the machines refusing to shut down and "burning out" or "flying apart." We will not hear about the minor injuries from these events either. The employers may not even realize that their machines have been infected by a computer virus. They may simply say these were machine failure. 

Overshadowed by Terrorism

 There are warnings to power plants, pipelines, utilities, etc. for this, but they are for terrorism, not worker safety. Yes there is a danger to the public from these kinds of companies, but there is an even bigger danger from companies that are not considered terrorist targets. The danger is from being unaware that these computer viruses can affect their machinery.

These companies that make soda cans, plastic food containers, and key chains are not aware that one of these viruses that is aimed at a gas pipeline can find its way into their machinery and injure a worker. They may not even know it after the fact if they do not do a forensic investigation into the machine failure.

On the Front Line

Note: I am going to simplify the issue of Nuclear Automation. I realize to a certain degree today automation exists, the proposal (and reality) is much more complicated.
I have kept my eye on this issue from my work in the nuclear industry. The rule of thumb is triple redundancy, and up until recently, there were not three (reliable) computer OSs (Operating Systems) to provide triple redundancy. With Apple's OSX now a mainstream OS, there are three (Windows, Linux, and OSX).

Now there is real talk of automation in the Nuclear Industry. It scares me personally. There is no such thing as a completely closed system, and trying to achieve it is impractical. I question how much of the push for automation is for safety and how much is a cost savings.

Final Thoughts

I wear two hats in my organization: Risk Manager and IT Manager. It is from this unique perspective I was able to recognize this emerging threat. For years I have warned, educated, trained, and help prepare my clients for cyber threats.

For the last 10+ years I have been working with my clients to assess and prepare for hazards related to automated control systems. I am at the point now that I feel comfortable to come forward and begin educating our profession.

This opens up a new field in safety: Workplace Industrial Cyber Safety. This provides new opportunities for safety professionals such as myself, and gives a new career and  learning option for existing and upcoming safety professionals.

Employers and safety professionals need to think about and plan for escalating cyber conflicts and for disruptive and destructive attacks, not just espionage or intellectual property theft (the major focus undertaken against advanced persistent threats and hack in recent years). After all, more countries and groups will gain the ability to launch sophisticated attacks.

What can we do as Safety Professionals?

  • As safety professionals, we need to make sure that we have mechanical energy-isolation devices, that are not dependent on software, PLCs, to Lockout/Tagout our equipment.
  • Anticipate, recognize, prepare, and train for hazards from automated control systems becoming infected or corrupt, such as machinery that has been shut down starting, "run away" machinery,  and prevent machinery from being shut down.
  • Work with stakeholders (vendors, suppliers, maintenance, management, IT) to protect against automated control system hazards (upgrading existing networks, ordering new equipment with mechanical safeguards built in).  
  • Conduct (or have conducted) threat assessments based on level of cyber security and industry. 
  • Review your company's need to comply with policies such as the 2012 Securities and Exchange Commission's Guidance on Cyber Disclosure
  • If we do not have the expertise, then bring in someone who does. 
  • More training.


Take note:

 I have searched the Internet, published works, other blogs, and this is the first and only place to recognize the risks of cyber attacks as a workplace hazard in respect to OSHA. This is the cutting edge, forward thinking that I try to provide.

Thank you for reading.

No comments: