Could Your AC Drives Systems Be the Target for Cyber-Attack?

By Himanshu Shah

Today, variable frequency drives (AC drives) systems, often used in critical industrial applications, are vulnerable to cyber-attacks that can result in significant damage to facilities. We are all aware of Stuxnet, the malicious computer worm identified in 2010 that caused substantial damage to Iran's nuclear program.

The Stuxnet malware infected the software at several industrial sites in Iran, including a uranium-enrichment plant. The worm spread throughout the facility’s automation systems, enabling its authors to spy on and tamper with the industrial systems. They instructed the control system to drive the centrifuges at a speed that introduced unacceptable wobble and caused them to self-destruct. Since the safety limits of variable frequency drives were programmed in software, some industry experts believe that Stuxnet removed safety limits in the controller’s memory, allowing the centrifuges to operate beyond those safety limits.

Yes, that was in Iran. But could such attacks occur on other critical industrial operations in other parts of the world? Unconfirmed reports suggest that this (obviously well-financed) Stuxnet attack was conducted as a joint Israeli-American operation. Whether or not this is an example of “terrorism” would likely depend on the individual’s world view. However, in today’s chaotic global political arena, terrorism certainly is a significant concern. As travel restrictions increase and border vetting becomes more rigorous, many terrorists will likely seek out opportunities to cyber-attack facilities. There is no shortage of reasons for terrorists to seek to damage industrial facilities (not to mention any disgruntled employees who may work in those facilities). Clearly, variable frequency drive systems in these facilities represent viable targets. Attackers may not need a malicious worm like Stuxnet, but could possibly cause extensive damage with far less sophisticated means.

ARC seeks your perspective, based on your experience, on cybersecurity issues that relate to AC drives systems applications. Some specific questions include:

  1. Do you think AC drives systems should be considered as targets for cyber-attacks?
  2. If yes, which types of AC drives systems applications do you think are most vulnerable to cyber-attack?
  3. If you are an end user, what steps would you take to mitigate such an attack?
  4. What steps do you think AC drives systems suppliers should take to increase protection from cyber-attack?

Fortunately, to date, we have not heard of many cyber-attacks on AC drives systems that have resulted in significant damage. But it would be naïve to think AC drives systems are not or will not be targets in industries with critical applications. While the frequency of these attacks could be very low, the potential impact could be huge. Cyber-attacks on AC drives systems could cripple water supplies, power plants, and industrial operations of all types.

