Arkie teaches Sequoia about his brainstorm
Mid-October
The Saint Petersburg Flood Prevention Facility Complex (Ко́мплекс защи́тных сооруже́ний Санкт-Петербу́рга от наводне́ний, kómpleks zashchítnykh sooruzhéniy Sankt-Peterbúrga ot navodnéniy), unofficially the Saint Petersburg Dam, is a 25-km (16-mi) long complex of dams for flood control near Saint Petersburg, Russia.…The complex is intended to protect Saint Petersburg from [Baltic] storm surges by separating the Neva Bay from the rest of the Gulf of Finland.…The northern and southern parts of the dam act like two giant bridges, providing access from the mainland to Kotlin Island and Kronstadt.
Historically, storm surges from the gulf have caused over 300 floods of varying severity within the city, some with devastating effects. The dam has the capability to protect the city from water rising up to 5 m (16 ft).
From Wikipedia Article on the Saint Petersburg Dam
Sequoia and Arkie walked over to the house. Nate and Elwood were sitting at the kitchen table, in front of two glasses of white wine and a bottle that was almost empty. Two .22 pistols (a Walther and a Beretta) were also on the table.
“What are you guys doing?”
“Playing Russian roulette. Want in?”
“The last line of defense, huh?”
They both gave Arkie the finger as he and Sequoia went down the basement stairs.
“Actually, that is what we are going to do right now,” said Arkie.
“Russian roulette?” Sequoia looked concerned.
“No. Design the last line of defense.”
Only one person was working in the monitoring center. Usually there were at least four, but neither Arkie nor Sequoia was surprised everyone was topside. Alice was hosting a vegan barbecue, and it was nice fall weather. They sat in front of one of the stations and Arkie logged in.
“OK, let me do a little navigating.” Arkie then pulled out a scribble he kept in his back pocket, filled with IP addresses and users and passwords. “Go ahead, write this down. Don’t video it or even store it on your systems. I mean it, this is – of the highest possible importance. It has to remain secret!” It was a layered set of systems, about seven deep, meaning he had to pass through six portals, darkweb-type entry points, just to get to the starting point.
“OK.”
“OK here – I was up all night looking up Siemens Switch command syntax. And researching hacks into the OS of the switches themselves.”
“But – why?”
“Ever since 2011, the Russian city of St. Petersburg on the Neva River has been protected against the threat of high water from the Baltic by a dam and giant gate across the Neva Bay. There is a low pressure system in the Gulf of Bothnia, between Sweden and Finland. It might be nothing, or it could mean a Baltic cyclone. They sometimes take a couple of weeks to form. There have been cases of it lasting a month or longer, before it breaks up or forms a storm.”
“OK, so will the dam hold?”
“Ha!” Arkie smiled, and continued to test. “Probably. The dam is five meters above sea level. That is a lot. No, it is going to take a major off-the-charts storm to overflow that! Someday, sure, with climate change, and rising sea levels, but not yet. Unless…”
“Yeah…”
“Unless the gate on the dam doesn’t close during a storm. Here is the piece that will be difficult. Check this out! I am into their control center. I came in through a server in the St. Petersburg City Admin building, so – the thought is – that their intrusion detection won’t see me if I come in from one of their boxes. The Russians are good at attack, and sloppy on defense. Anyway, I have been working on this off and on for the last two months. We need to give Chubby some leverage when and if he tries to get GG out.”
“So,” said Sequoia, “What does that box control?”
“This is the Simatic PCS 7 system. I know this system. I helped some people with a simulation of an attack on process control systems years ago. It still looks pretty much the same. Command set is similar to Cisco’s, turns systems off and on to activate, then steps down to lower levels to control those system functions. Of course the operators don’t do it like this, they have a GUI they can mouse around. I know a guy who can crack it. He owes me.”
“Who?”
“Well, I don’t actually know him. I don’t even know what country he lives in; I think he is in Europe somewhere. But he hates Siemens, the company. I don’t know why. Maybe used to work there, or maybe something to do with the war, or maybe it is even more personal than that. Doesn’t matter.”
Arkie demonstrated how they could move around the system; he was displaying and cutting and pasting the current settings of the devices it controlled – pumps for flooding and draining the lagoons, motors for lifting and releasing the gates, etc.
“Here,” he said. He looked over and saw Sequoia was mesmerized. “See, look – here is a map of St. Petersburg. See where the city is? It is all reclaimed marshland. Peter the Great built it during the 1700s and hundreds of thousands of workers died – froze, disease, the whole thing. It is hard to see how it was different from Stalin’s worst atrocities. But the results speak for themselves. It is a waterway to Western Europe – the Baltic. Here – see this line across the bay? That is called the KZS – 16 miles of dams. Flood control. During storms it stops the flood surge and protects the city. The whole thing – the key point – is here. The S-1. On Russian maps it is ‘C-1’ because C in Russian is pronounced like an S. This is a gate – 200 meters long – a floating gate that is almost always open – for shipping. But during a storm – it closes. It has only closed a couple of times since 2011.”
“And the Siemens industrial control system controls it.”
“Exactly. Well, there might be a storm coming; it might be nothing or it might be big. But there is an extremely low pressure polar vortex developing and if it moves south and hits the high-pressure hot air – bang! We have a massive Baltic cyclone that moves up into the funnel of the Neva Bay. So if we can take control of this system…before it hits…if it hits…”
“…Take control of the system and don’t let them control the S-1! Right?”
“Exactly.”
“Give us the girl, or we flood the city!” Sequoia said in a low, gravelly, hoodlum voice. Arkie laughed.
“As you can see we have breached the first layer of their defenses – we can get to the Simatic login prompt. Which means we can change things – but we need to understand the procedures they use to make it work. Their failsafe systems, etc.”
Sequoia took over the controls and started maneuvering around. She listed out the users, and their authorities. “We are just a guest user here. Go slow. We can look but not touch, right?”
“You are right. We will need to get super-user authority. Have to find a buffer overload sequence. I know we can do that – or my friend can – in fact he probably already has the steps for that. Here, listen to this – ‘The S-1 submersible storm surge barrier is 200 meters across and 16 meters deep. In the event of a flood warning the barrier’s giant gates close shut. Each one can move freely, functioning like a submerging submarine.’”
Arkie and Sequoia spent about 14 hours straight working on penetrating the dam operation. Arkie’s friend in Europe found a working version of the Simatic PCS 7 – including its virtualized panel – and allowed them to practice on it. He also gave them a technique to buffer overload the guest user and – voilà – super-user! Which meant they could lock out everybody else when the time came. His friend also gave him access into the classified section of Siemens databases, and found the full specs on the hydraulics and access points into the dam.
“The problem – well – the ultimate problem – we have a bunch of problems,” Arkie shook his head.
“Let me get you some coffee; I need a cup myself,” said Sequoia.
“The default setting – if you just let it float and open the valves – is for the S-1 gate to be closed. But they almost never close it. To keep it open they have to activate the hydraulic piston – and the motors that push it – there are two of them about five meters in diameter.”
“Is there a manual override?”
“Of course,” said Arkie. “Here, look at this schematic.” Arkie pulled up a visual of the floor plan of the control room. “In order for this to be a surprise, we would have to activate the gate and lift it after the storm is surging. They will close it well before the surge arrives. So we will have to time locking it ‘open’ before they close it.”
“Or figure out how to open it after it closes.”
“Yeah. I hadn’t thought of that. We will need to game both scenarios.”
“We don’t have time. We have to keep it from closing. Which means we have to sabotage it in a way they don’t suspect until it is too late – for them. And of course have a way to fix it,” said Sequoia, “to open it later.”
“Right.”
“The good news is that the dry dock where it sits when open will be flooded. The gates float out and close on their own. We just have to keep the dry dock ‘dry’ and keep people off it so they can’t open the spigot manually – assuming we can shut it down with the process control.”
“So if the hydraulics don’t work – it will lift the gate up until it floats free, then the water pushes it closed. We can’t let the gate float,” said Arkie.
“It seems impossible. We have a long way to go…”