The role of alarm flooding in cyber-physical security:
How could attackers exploit alarm systems to breach security? What happens when the very systems designed to alert us to danger become the tools used to create chaos? The recent BP refinery explosion sheds light on these critical questions, illustrating how a deluge of alarms can overwhelm operators, creating opportunities for malicious actors.
On September 20, 2022, the BP-Husky Toledo Refinery in Ohio experienced a catastrophic incident resulting in the deaths of two employees. During a 12-hour period leading up to the explosion, over 3,700 safety alarms were triggered. This "alarm flood" overwhelmed the refinery's operators, causing significant delays and errors in responding to critical situations (CSB) (Stock Analysis).
The Impact of Alarm Flooding
An alarm flood occurs when more alarms are activated than can be effectively managed by operators. In the BP refinery case, this overwhelming number of alarms distracted and exhausted the operators, preventing them from identifying and responding to the most critical warnings. This contributed to a series of cascading failures that culminated in a deadly explosion.
Alarm flooding isn't just a hazard in industrial settings; it's also a tactic that can be exploited by cyber and physical attackers. By intentionally triggering multiple alarms, attackers can obscure their actions, making it difficult for security personnel to discern legitimate threats from false positives.
When the defending side is either overwhelmed by the alarm system or has become complacent about it, as happens when alarms regularly trigger falsely, this creates a vulnerability attackers can use to bypass security.
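To make both failure modes concrete from the defender's side, here is an added example that is not part of the original article: a Python script that runs over a constructed alarm log and flags alarm-flood windows (assuming the widely cited ISA-18.2 figure of more than 10 alarms in 10 minutes as the flood threshold) and chattering tags that fire often but are almost never confirmed as a real condition, the alarms operators are most likely to stop taking seriously. The log format, tag names and thresholds are assumptions.

```python
# Added example (not from the article): flag alarm-flood windows and nuisance
# tags in a constructed alarm log, the two conditions the text warns about.
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_WINDOW = timedelta(minutes=10)
FLOOD_THRESHOLD = 10     # assumption: ISA-18.2 style limit, >10 alarms / 10 min
NUISANCE_MIN_COUNT = 4   # assumption: tags firing this often with ...
NUISANCE_MAX_ACK_RATIO = 0.2  # ...at most 20% confirmed real are "nuisance"

# Constructed log: timestamp,tag,priority,outcome (ACK = operator confirmed a
# real condition, CLEAR = alarm cleared on its own, nobody acted on it).
SAMPLE_LOG = """\
2022-09-20T08:12:40,LT-204,LOW,CLEAR
2022-09-20T09:00:02,TT-310,HIGH,ACK
2022-09-20T09:00:41,PT-315,HIGH,ACK
2022-09-20T09:01:03,LT-204,LOW,CLEAR
2022-09-20T09:01:30,TT-311,HIGH,ACK
2022-09-20T09:02:12,PT-316,HIGH,ACK
2022-09-20T09:02:50,LT-204,LOW,CLEAR
2022-09-20T09:03:15,TT-318,HIGH,ACK
2022-09-20T09:03:48,LT-204,LOW,CLEAR
2022-09-20T09:04:20,PT-319,HIGH,ACK
2022-09-20T09:04:55,TT-320,HIGH,ACK
2022-09-20T09:05:30,FT-321,HIGH,ACK
"""

def parse_log(text):
    """Parse CSV-style lines into (time, tag, priority, outcome), oldest first."""
    rows = (line.split(",") for line in text.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), tag, p, o) for ts, tag, p, o in rows)

def flood_windows(events):
    """(window_start, count) for each FLOOD_WINDOW anchored on an alarm that
    holds more than FLOOD_THRESHOLD alarms, i.e. more than operators can handle."""
    times = [e[0] for e in events]
    floods = []
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= FLOOD_WINDOW)
        if count > FLOOD_THRESHOLD:
            floods.append((start, count))
    return floods

def nuisance_tags(events):
    """Tags that fire often but are almost never confirmed: complacency risk."""
    total, acked = defaultdict(int), defaultdict(int)
    for _, tag, _, outcome in events:
        total[tag] += 1
        acked[tag] += outcome == "ACK"
    return sorted(t for t in total if total[t] >= NUISANCE_MIN_COUNT
                  and acked[t] / total[t] <= NUISANCE_MAX_ACK_RATIO)
```

On the sample log the script reports one flood window starting at 09:00:02 with 11 alarms, and LT-204 as the one tag worth rationalizing before operators learn to ignore it.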
Historical Context and Similar Incidents
This phenomenon isn't new. The BP Texas City refinery explosion in 2005, which killed 15 workers and injured 180 others, also involved significant alarm management issues. In that incident, crucial alarms and instrumentation failed, contributing to the severity of the disaster.
Another example is the 2015 cyber attack on a Ukrainian power grid, where attackers used a combination of cyber and physical tactics to create chaos. They triggered multiple false alarms, which overwhelmed the operators and allowed the attackers to disconnect substations without immediate detection.
Exploitation by Physical Attackers
Physical attackers, or even black teams during penetration tests, can leverage alarm flooding to exploit vulnerabilities in security systems. By intentionally triggering a flood of alarms, attackers create chaos that overwhelms security operators. This chaos can obscure real threats, as the sheer volume of alarms makes it difficult for operators to identify and respond to genuine issues.
In the BP refinery incident, the operators were inundated with over 3,700 alarms, leading to significant delays and errors in addressing the critical situation. This same principle can be applied by attackers who aim to exploit the confusion and overload caused by excessive alarms. By generating numerous false alarms, they can distract and exhaust security personnel, reducing the effectiveness of their response and creating opportunities for intrusion.
Conversely, attackers can also exploit complacency. When alarms are frequently triggered without resulting in actual incidents, security personnel may become desensitized, leading them to ignore or downplay future alarms. This complacency can be dangerous, as it increases the likelihood that a genuine threat will go unnoticed or be responded to inadequately. For example, if a facility's alarm system regularly triggers false alarms, security staff might eventually regard these alarms as nuisances rather than potential threats. An attacker could exploit this by timing their intrusion to coincide with a period of alarm fatigue, thus bypassing the security measures in place.
In both scenarios—chaos and complacency—attackers take advantage of human factors in security operations. Chaos can mask their activities, while complacency can create a false sense of security, both of which increase the risk of successful breaches. Understanding these tactics is crucial for improving alarm management and ensuring that security personnel remain vigilant and effective in their roles.
A big legal and safety point to remember: in OT environments you will likely never be allowed to cause alarm flooding, and in any engagement you will have to get permission before you either downgrade the client's security or cause chaos.
That said, understanding and monitoring how a security team, or even employees react to alarms is an important part of security tests.
A Complacency Case Study
Once we were asked to break into a bank that had a unique, and very expensive, turnstile for access control. Complete with a laser and pressure sensor to prevent someone hopping over the barrier, it sounds very secure on paper. However, during our embedded recon we noticed that employees would place their work bag / laptop / backpack / etc. onto the device as they scanned their ID upon arriving in the morning, which would set off the alarm, but only for a moment, because the pressure sensor believed someone was attempting to vault over the turnstile.
Once the alarm triggered, the guard in the lobby would casually turn, check that everything looked OK, and go back to his phone. This complacency made for an easy way to gain one method of entry into the bank. By approaching the turnstile dressed like an employee with an ID card in one hand and my belongings in the other, our team member simply hopped over the turnstile, and when the guard glanced over he saw a well-dressed man, bag in one hand and ID in the other, exactly what he had been trained to expect to see in such situations, and didn't give it a second thought.
This method of exploiting alarm complacency was so simple but successful that during the reporting phase the client wanted to try it and was horrified to realize it not only worked, but he apparently did it multiple times in a single day and was never noticed or caught. This client's very expensive access control system was rendered useless by a little embedded recon.
Conclusion
The tragic incident at the BP refinery highlights the dangers of alarm flooding and the need for robust alarm management systems. By learning from these events, organizations can improve their resilience against both accidental and malicious disruptions. Effective alarm management is not just about technology; it's about ensuring that human operators are equipped and prepared to handle complex, high-stress situations.
Understanding how attackers can exploit alarm flooding & complacency helps in developing better security protocols and training for both cyber and physical security personnel. Ensuring that alarm systems are designed to handle high volumes without overwhelming operators is crucial in maintaining the integrity and safety of critical infrastructure.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Nirocybersecuritytraining provides training courses focused on physical penetration testing, lock-picking, bypassing techniques, social engineering and other essential skills.
• Nirocybersecurity Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
• Nirocybersecurity Physical Audit Training - 2-day course on how to set up and run a physical security audit
• Nirocybersecurity Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
• Nirocybersecurity Counter Elicitation - 2-day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
• Nirocybersecurity Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
• Nirocybersecurity Private Instruction - Focused learning and training based on your needs.