![Page 1: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/1.jpg)
Marina Krotofil
Black Hat, Las Vegas, USA, 06.08.2015
Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion
![Page 2: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/2.jpg)
Industrial Control Systems (aka SCADA)
Physical application
Courtesy: Compass Security Germany GmbH
![Page 3: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/3.jpg)
Cyber-physical systems are IT systems “embedded” in an application in the physical world
Cyber-physical systems
Interest of the attacker is in the physical world
![Page 4: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/4.jpg)
Industrial Control Systems
![Page 5: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/5.jpg)
My research focus
Complex continuous processes (e.g. chemical plants)
Non-opportunistic attacker
What can the attacker do to the process?
What does she need to do, and why?
What needs to be programmed into a final payload?
Are traditional cyber-security measures adequate?
I do not research into (but consider) cyber vulnerabilities in communication protocols and control equipment
![Page 6: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/6.jpg)
Ralph Langner: “The pro’s don’t bother with vulnerabilities; they use features to compromise the ICS”
Control systems hacking
![Page 7: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/7.jpg)
Security is not a fundamental science
It is application driven
Security solutions exist in the context of the application
Security science
![Page 8: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/8.jpg)
Security influences design decisions
o Attackers (mis)use functionality of web browsers
o Novel approaches to designing web applications
o Novel security controls in browsers
Early adopter: E-commerce
Application dictates security properties
o Information-theoretic security properties
o CIA triad Parkerian hexad
![Page 9: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/9.jpg)
Wireless sensor networks
o A big hype for about a decade
o Conferences, solutions, promising applications
Failed to get adopted
D. Gollmann, M. Krotofil, H. Sauff. Rescuing Wireless Sensor Networks Security from Science Fiction (WCNS’11)
o Remained a “promising” technology with limited deployment
Downfall reasons
o Deficiencies in the attacker models and security requirements
o Unrealistic assumptions about physics of wireless communication
![Page 10: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/10.jpg)
Control equipment vulnerabilities
ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass Vulnerability
ICSA-13-274-01: Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability
ICSA-15-099-01A: Siemens SIMATIC HMI Devices Vulnerabilities (Update A)
ICSA-12-320-01: ABB AC500 PLC Webserver CoDeSys Vulnerability
ICSA-15-048-03: Yokogawa HART Device DTM Vulnerability
ICSA-15-111-01: Emerson AMS Device Manager SQL Injection Vulnerability
ICS-ALERT-14-323-01: Advantech EKI-6340 Command Injection
ICSA-11-307-01: Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities
![Page 11: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/11.jpg)
ICS-CERT recommendation
IMPACT: Successful exploitation of this vulnerability may allow attackers to perform administrative operations over the network without authentication.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass Vulnerability
![Page 12: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/12.jpg)
Impact evaluation
What exactly can the attacker do with the vulnerability?
Are any further conditions required?
How severe is the potential physical impact?
Answering these questions requires understanding how the attacker interacts with the control system and the process
![Page 13: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/13.jpg)
Due to various schemes for reputation management and data sharing laws, the majority of Operational Technology attacks over the last 20 years have not been made public, making even a catalogue of recent reference events difficult to assemble.
A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
We can and should conduct our own research on cyber-physical exploitation
Incident data unavailability
![Page 14: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/14.jpg)
Industrial systems can be controlled without modifying the contents of the messages
o Can be effective even if the traffic is signed or even encrypted
Process data can be spoofed to make it look like everything is normal
o Can be done despite all traditional communication security put in place
M. Krotofil, J. Larsen. What You Always Wanted and Now Can: Hacking Chemical Processes. Hack in the Box, Amsterdam (2015)
Overlooked data security property
Control system design flaw
Control systems security
![Page 15: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/15.jpg)
Process control
![Page 16: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/16.jpg)
Running upstairs to turn on your furnace every time it gets cold gets tiring after a while, so you automate it with a thermostat
(Nest because it’s so cute!)
Process control automation
Set point
![Page 17: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/17.jpg)
Control loop
Sensors: measure process state
Control system: computes control commands for actuators
Actuators: adjust themselves to influence process behavior
Physical process
![Page 18: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/18.jpg)
Control system
Jacques Smuts „Process Control for Practitioners“
Thermostat controller: error in desired temperature e(t) = SP - PV
Set point (SP): desired temp
Process variable (PV): measured temp, from the temperature sensor
Controller output (CO): signal to the actuator (furnace fuel valve), i.e. adjusted fuel flow to the furnace
House heating system: heat into the house from the furnace, heat loss (e.g. through windows)
![Page 19: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/19.jpg)
Control equipment
In large-scale operations control logic gets more complex than a thermostat
One would need something bigger to handle it all
Most of the time this is a programmable logic controller (PLC)
Image source: http://miraimages.photoshelter.com/image/I00003zY0KuN5ZiY
![Page 20: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/20.jpg)
PLC internals
Inputs (from sensors), Outputs (to actuators)
1. Copy data from inputs to temporary storage
2. Run the logic
3. Copy from temporary storage to outputs
![Page 21: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/21.jpg)
If Input 1 and (Input 4 or Input 11) then Output 6
Control logic
If tank pressure in PLC 1 > 1800 reduce inflow in PLC 3
It is programmed graphically most of the time
Note to the control guys: the logic and the given examples do not match, they were picked randomly. Thank you for noticing ;-)
![Page 22: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/22.jpg)
PID: proportional, integral, derivative – most widely used control algorithm on the planet
The sum of 3 components makes the final control signal
PI controllers are most often used
Jacques Smuts „Process Control for Practitioners“
PID Control
![Page 23: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/23.jpg)
Wires are run from sensors and actuators into wiring cabinets
Communication media
o 4-20 mA
o 0-10 V
o Air pressure
Usually process values are scaled into meaningful data in the PLC
Field communication
![Page 24: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/24.jpg)
PLC cannot do it alone
PLC does not have the complete picture and time trends
Human operators watch the process 7/24
Most crucial task: resolution of alarms
![Page 25: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/25.jpg)
SCADA hacking
![Page 26: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/26.jpg)
Why to attack ICS
Industry means big business
Big business == $$$$$$$
![Page 27: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/27.jpg)
Alan Paller of SANS (2008):
In the past two years, hackers have successfully penetrated and extorted multiple utility companies that use SCADA systems.
Hundreds of millions of dollars have been extorted, and possibly more. It's difficult to know, because they pay to keep it a secret. This kind of extortion is the biggest untold story of the cybercrime industry.
![Page 28: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/28.jpg)
Attack goal: persistent economic damage
Source: simentari.com
Why to attack ICS
![Page 29: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/29.jpg)
Here’s a plant. What is the plan?
![Page 30: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/30.jpg)
Compliance violation
Safety
Pollution
Contractual agreements
Production damage
Product quality and product rate
Operating costs
Maintenance efforts
Equipment damage
Equipment overstress
Violation of safety limits
Paracetamol: purity vs. relative price (EUR/kg)
98%: 1
99%: 5
100%: 8205
Source: http://www.sigmaaldrich.com/
What can be done to the process
![Page 31: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/31.jpg)
Attack considerations
Equipment damage
o Comes first into anybody’s mind (+)
o Irreversible (±)
o Unclear collateral damage (-)
o May transform into a compliance violation, e.g. if it kills a human (-)
Compliance violation
o Compliance regulations are public knowledge (+)
o Unclear collateral damage (-)
o Must be reported to the authorities (±)
o Will be investigated by the responsible agencies (-)
![Page 32: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/32.jpg)
Plants for sale
From LinkedIn
More plant offers: http://www.usedplants.com/
![Page 33: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/33.jpg)
Car vs. plant hacking
It is not about the size
It is about MONEY
Plants are ouch! how expensive
![Page 34: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/34.jpg)
Vinyl Acetate Monomer plant (model)
![Page 35: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/35.jpg)
Behind a great woman is a great man
Acknowledgement
![Page 36: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/36.jpg)
Professor Programmer
Process Automation Consultant
Acknowledgement
Chemical Engineer
Student
Cyber-physical hacker
![Page 37: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/37.jpg)
Acknowledgement
Alexander Isakov – awesome software engineer
Alexander Winnicki – very good student
Dieter Gollmann – most supportive professor
Jason Larsen – cyber-physical hacking guru
Pavel Gurikov – chemical engineer who believes in hackers
William Horner – experienced automation expert
![Page 38: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/38.jpg)
Stages of cyber-physical attacks
![Page 39: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/39.jpg)
Attack payload
Attack objective
Cyber-physical payload
![Page 40: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/40.jpg)
Stages of SCADA attack
Access, Discovery, Control, Damage, Cleanup
J. Larsen. Breakage. Black Hat Federal (2007)
![Page 41: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/41.jpg)
![Page 42: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/42.jpg)
![Page 43: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/43.jpg)
Access
![Page 44: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/44.jpg)
Traditional IT hacking
• 1 0day
• 1 clueless user
• Repeat until done
• AntiVirus and patch management
• Database links
• Backup systems
• No security
• Move freely
![Page 45: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/45.jpg)
Modern IT hacking
Select a vulnerability from the list of ICS-CERT advisories
Scan Internet to locate vulnerable devices
Exploit
• E. Leverett, R. Wightman. Vulnerability Inheritance in Programmable Logic Controllers (GreHack‘13)
• D. Beresford. Exploiting Siemens Simatic S7 PLCs. Black Hat USA (2011)
![Page 46: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/46.jpg)
Smart instrumentation
o Converts analog signal into digital
o Sensors pre-process the measurements
o IP-enabled (part of the “Internet-of-Things”)
Computational element
Sensor
Plant modernization
Old generation temperature sensor
![Page 47: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/47.jpg)
Invading field devices
J. Larsen. Miniaturization. Black Hat USA (2014)
Attack scenario: pipe damage with water hammer effect
Figure: water flow; valve closes; shock wave; reflected shock wave; pipe movement
Inserting a rootkit into the sensor’s firmware
![Page 48: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/48.jpg)
Discovery
![Page 49: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/49.jpg)
Process discovery
What the process produces, and how
How it is built and wired
How it is controlled
Espionage, reconnaissance
Target plant and third parties
Operating and safety constraints
![Page 50: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/50.jpg)
Espionage
Industrial espionage started a LONG time ago (malware samples dated as early as 2003)
![Page 51: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/51.jpg)
Process discovery
![Page 52: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/52.jpg)
Know the equipment
Stripping column
Stripper is...
![Page 53: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/53.jpg)
Reaction, refinement, final product
Max economic damage?
Requires input of subject matter experts
![Page 54: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/54.jpg)
Understanding points and logic
Piping and instrumentation diagram
Ladder logic
Programmable Logic Controller
Pump in the plant
![Page 55: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/55.jpg)
Understanding points and logic
HAVEX: Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C.
![Page 56: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/56.jpg)
Understanding control structure
Control loop diagram (figure): loops numbered 1 to 26, tagged as composition (CC), pressure (PC), temperature (TC) and level (LC) controllers
![Page 57: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/57.jpg)
Control loop configuration
![Page 58: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/58.jpg)
Watch the flows!
fixed
HAc flows into two sections. Not good :(
![Page 59: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/59.jpg)
Obtaining control != being in control
Obtained controls might not be useful for the attack goal
How do I even speak to this thing??
The attacker might not necessarily be able to operate the obtained controls
Huh ???
K. Wilhoit, S. Hilt. The little pump gauge that could: Attacks against gas pump monitoring systems. Black Hat (2015)
Control loop: XMV{1}, XMV{2}, XMV{3}
![Page 60: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/60.jpg)
Control
Every action has a reaction
![Page 61: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/61.jpg)
Physics of process control
Once hooked up together, physical components become related to each other by the physics of the process
If we adjust a valve, what happens to everything else?
o Adjusting temperature also increases pressure and flow
How much can the process be changed before it raises alarms or shuts down?
o All the downstream effects need to be taken into account
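The coupling described above is also what a defender can check against: the talk notes on slide 14 that process data can be spoofed so that every value looks normal, but two values tied together by the physics still have to agree. The following is an added example, not code from the talk or from the DVCP project: a consistency check over constructed historian rows from a closed vessel, assuming pressure rises in proportion to absolute temperature; all values, alarm limits and tolerances are constructed for illustration.

```python
"""Physics-based consistency check over historian data (added example).

Each value alone stays inside its alarm limits, as a spoofed feed would; the
check compares two values the physics of a closed vessel couples (pressure
rises with absolute temperature) and flags rows where they disagree, plus rows
where one signal is frozen while its partner keeps moving.
"""
from statistics import mean

# Constructed historian rows: (minute, temperature K, pressure bar).
# Minutes 0-9: genuine heating, pressure tracks temperature at about 0.3 bar/K.
# Minutes 10-15: the reported temperature is frozen at 352.0 K while pressure
# keeps rising, the signature of a stuck, replayed or spoofed reading.
SAMPLES = [
    (0, 350.0, 105.0), (1, 350.5, 105.2), (2, 351.0, 105.3), (3, 351.4, 105.4),
    (4, 351.9, 105.6), (5, 352.3, 105.7), (6, 352.8, 105.8), (7, 353.2, 106.0),
    (8, 353.7, 106.1), (9, 354.1, 106.2),
    (10, 352.0, 106.5), (11, 352.0, 107.1), (12, 352.0, 107.9),
    (13, 352.0, 108.8), (14, 352.0, 109.6), (15, 352.0, 110.5),
]

T_HIGH_ALARM = 370.0   # constructed per-point alarm limits; no sample trips them
P_HIGH_ALARM = 120.0
BASELINE_N = 10        # trusted commissioning window used to learn the P/T ratio
RESIDUAL_TOL = 0.3     # bar; genuine rows here stay within about 0.05 bar
FROZEN_RUN = 3         # identical readings in a row that count as a frozen signal


def within_alarm_limits(rows):
    """Per-point check, as a conventional high alarm does: True if nothing trips."""
    return all(t < T_HIGH_ALARM and p < P_HIGH_ALARM for _, t, p in rows)


def fit_ratio(rows):
    """Learn the vessel's pressure/temperature ratio from the trusted window."""
    return mean(p / t for _, t, p in rows[:BASELINE_N])


def residual_violations(rows, ratio):
    """Minutes where pressure disagrees with what the reported temperature predicts."""
    return [m for m, t, p in rows if abs(p - ratio * t) > RESIDUAL_TOL]


def frozen_temperature(rows):
    """Minutes where temperature has not changed for FROZEN_RUN samples while
    pressure moved by more than the tolerance: a stuck or replayed value."""
    flagged = []
    for i in range(FROZEN_RUN - 1, len(rows)):
        window = rows[i - FROZEN_RUN + 1:i + 1]
        temps = {t for _, t, _ in window}
        pressures = [p for _, _, p in window]
        if len(temps) == 1 and max(pressures) - min(pressures) > RESIDUAL_TOL:
            flagged.append(rows[i][0])
    return flagged


def analyse(rows=SAMPLES):
    """Run all three checks and report which minutes each one flags."""
    ratio = fit_ratio(rows)
    return {
        "alarms_quiet": within_alarm_limits(rows),
        "ratio": round(ratio, 4),
        "residual": residual_violations(rows, ratio),
        "frozen": frozen_temperature(rows),
    }


if __name__ == "__main__":
    print(analyse())
```

The per-point alarm stays quiet for the whole series; only the cross-variable residual (from minute 10) and the frozen-signal rule (from minute 12) expose the spoofed segment.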
![Page 62: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/62.jpg)
Process interdependencies
![Page 63: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/63.jpg)
Process interdependencies
![Page 64: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/64.jpg)
Understanding process response
Set point: operating practice, control strategy
Controller: control algorithm, controller tuning
Final control element: sizing, dead band, flow properties
Process: equipment design, process design, control loops coupling
Transmitter: sampling frequency, noise profile, filtering
Disturbance: type, duration
![Page 65: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/65.jpg)
Understanding process response
Have extensively studied
![Page 66: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/66.jpg)
Process control challenges
Process dynamics are highly non-linear (???)
The behavior of the process is known only to the extent of its modelling
o So are controllers. They cannot control the process beyond their control model
UNCERTAINTY!
This triggers alarms (non-linear response)
![Page 67: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/67.jpg)
Control loop ringing
Caused by negative real controller poles
Makes the process unstable and uncontrollable
Amount of chemical entering the reactor
Ringing impact ratio 1:150
![Page 68: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/68.jpg)
Types of attacks
Step attack
Periodic attack
Magnitude of manipulation
Recovery time
![Page 69: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/69.jpg)
We should probably automate this process
(work in progress)
I am 5’3’’ tall
Outcome of the control stage
![Page 70: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/70.jpg)
Outcome of the control stage
Sensitivity | Magnitude of manipulation | Recovery time
High | XMV {1;5;7} | XMV {4;7}
Medium | XMV {2;4;6} | XMV {5}
Low | XMV {3} | XMV {1;2;3;6}
Reliably useful controls
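Added example, not code from the talk or from the DVCP models: the thermostat loop of slides 18 and 22 written out as a PI controller in the talk's notation (SP, PV, e(t) = SP - PV, CO), then driven with a step and a periodic actuator-side manipulation (slide 68) to compute the two measures by which the control stage ranks manipulated variables, magnitude of deviation and recovery time. The heating model, controller gains, manipulation size and deviation band are all constructed.

```python
"""PI-controlled house-heating loop and process-sensitivity measures (added example).

Notation follows the talk: set point SP, process variable PV, error
e(t) = SP - PV, controller output CO. A manipulation is an actuator-side offset
added to CO, either a step held for a fixed time or a square wave of the same
height, and each run is scored by magnitude of deviation and recovery time.
The process model, gains, manipulation size and band are constructed.
"""
from dataclasses import dataclass

SP = 21.0          # set point, deg C
T_OUT = 5.0        # outdoor temperature: the heat-loss sink (constructed)
A = 0.02           # deg C gained per minute per % of fuel-valve opening (constructed)
B = 0.05           # fraction of the indoor/outdoor difference lost per minute
KP, KI = 5.0, 0.1  # PI tuning (constructed); PI rather than PID, the common case
BAND = 0.2         # deg C; PV must stay this close to SP to count as recovered


@dataclass
class PIController:
    kp: float
    ki: float
    integral: float = 0.0

    def step(self, sp, pv):
        """One controller execution: accumulate e(t) and return CO."""
        e = sp - pv
        self.integral += e
        return self.kp * e + self.ki * self.integral


def house(pv, co):
    """One-minute Euler step of the process: heat in from the valve minus heat loss."""
    co = max(0.0, min(100.0, co))  # valve travel is limited to 0-100 %
    return pv + A * co - B * (pv - T_OUT)


def manipulation(kind, t, length, size=30.0, period=10):
    """Offset added to CO while t < length: a step, or a square wave (50 % duty)."""
    if kind is None or t >= length:
        return 0.0
    if kind == "step":
        return size
    if kind == "periodic":
        return size if (t % period) < period // 2 else 0.0
    raise ValueError(kind)


def simulate(kind=None, length=60, steps=600):
    """Run the loop from steady state and return the PV trajectory."""
    # Start settled: PV at SP, integral preloaded so CO equals the valve opening
    # that exactly balances the heat loss (A * CO == B * (SP - T_OUT)).
    ctrl = PIController(KP, KI, integral=B * (SP - T_OUT) / A / KI)
    pv, trace = SP, []
    for t in range(steps):
        co = ctrl.step(SP, pv) + manipulation(kind, t, length)
        pv = house(pv, co)
        trace.append(pv)
    return trace


def assess(kind, length=60):
    """Largest |PV - SP| over the run, and minutes after the manipulation ends
    until PV stays inside BAND for the rest of the run (None if it never does)."""
    dev = [abs(pv - SP) for pv in simulate(kind, length)]
    recovery = None
    for t in range(length, len(dev)):
        if all(d < BAND for d in dev[t:]):
            recovery = t - length
            break
    return {"magnitude": max(dev), "recovery_time": recovery}


if __name__ == "__main__":
    for kind in (None, "step", "periodic"):
        print(kind, assess(kind))
```

With these constructed numbers the sustained step moves PV further than the square wave of the same height, and both leave a recovery tail after the offset is gone because the integral term has wound up against it; the same two numbers are what the table above sorts XMVs by.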
![Page 71: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/71.jpg)
Alarm propagation
Alarm | Steady state attacks | Periodic attacks
Gas loop O2 | XMV {1} | XMV {1}
Reactor feed T | XMV {6} | XMV {6}
Reactor T | XMV {7} | XMV {7}
FEHE effluent | XMV {7} | XMV {7}
Gas loop P | XMV {2;3;6} | XMV {2;3;6}
HAc in decanter | XMV {2;3;7} | XMV {3}
The attacker needs to figure out the marginal attack parameters which (do not) trigger alarms
To persist, the attack must not bring about alarms
![Page 72: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/72.jpg)
Damage
![Page 73: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/73.jpg)
How to break things?
The attacker needs one or more attack scenarios to deploy in the final payload
The least familiar stage to IT hackers
o In most cases requires input of subject matter experts
Accident data is a good starting point
o Governmental agencies
o Plants’ own databases
![Page 74: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/74.jpg)
Hacker-unfriendly process
The target plant may not have been designed in a hacker-friendly way
o There may be no sensors measuring the exact values needed for the attack execution
o The information about the process may be spread across several subsystems, forcing the hacker to invade more devices
o Control loops may be designed to control different parameters than the ones the attacker needs to control for her goal
![Page 75: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/75.jpg)
Measuring the process
• Reactor exit flowrate (FT)
• Reactor exit temperature (TT)
• No analyzer at the reactor exit
Chemical composition: the analyzers sit elsewhere in the plant, and measuring there is too late
![Page 76: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/76.jpg)
Measuring attack success
If you can't measure it, you can't manage it (Peter Drucker)
I have a dream – that one day I will find all the right KPI‘s…
![Page 77: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/77.jpg)
“It will eventually drain with the lowest holes losing pressure last”
“It will be fully drained in 20.4 seconds and the pressure curve looks like this”
Technician Engineer
Technician vs. engineer
J. Larsen. SCADA triangles: reloaded. S4 (2015)
![Page 78: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/78.jpg)
Technician answer
Reactor with cooling tubes
Use of a proxy sensor
Only tells us whether the reaction rate increases or decreases
Not precise enough to compare the effectiveness of different attacks
![Page 79: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/79.jpg)
Quest for engineering answer
0,00073; 0,00016; 0,0007…
Code in the controller
Optimization applications
Test process/plant
![Page 80: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/80.jpg)
Engineering answer
Vinyl Acetate production
![Page 81: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/81.jpg)
Product loss
Product per day: 96.000$
Product loss per day: 11.469,70$
![Page 82: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/82.jpg)
Product loss, 24 hours | Steady-state attacks | Periodic attacks
High, ≥ 10.000$ | XMV {2} | XMV {4;6}
Medium, 5.000$ - 10.000$ | XMV {6;7} | XMV {5;7}
Low, 2.000$ - 5.000$ | - | XMV {2}
Negligible, ≤ 2.000$ | XMV {1;3} | XMV {1;2}
Product per day: 96.000$
Still might be useful
Outcome of the damage stage
![Page 83: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/83.jpg)
Clean-up
![Page 84: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/84.jpg)
Socio-technical system
• Maintenance staff
• Plant engineers
• Process engineers
• ….
Cyber-physical system
Controller
Operator
![Page 85: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/85.jpg)
Creating forensics footprint
Process operators may get concerned after noticing a persistent decrease in production and may try to fix the problem
If attacks are timed to a particular employee shift or maintenance work, the plant employee will be investigated rather than the process
![Page 86: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/86.jpg)
Creating forensics footprint
1. Pick several ways that the temperature can be increased
2. Wait for the scheduled instruments calibration
3. Perform the first attack
4. Wait for the maintenance guy to be yelled at and the recalibration to be repeated
5. Play next attack
6. Go to 4
![Page 87: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/87.jpg)
Creating forensics footprint
Four different attacks
![Page 88: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/88.jpg)
Defeating chemical forensics
If the reactor is deemed malfunctioning, chemical forensics will be asked to assist
Know metrics and methods of chemical investigators
Change attack patterns according to debugging efforts of plant personnel
![Page 89: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/89.jpg)
Final payload (summary diagram)
Stages: Access, Discovery, Control, Damage, Cleanup
Operator’s screens
Regulatory filings
Point database
Safety briefs
Historian
Small changes to the process
Realtime data from sensors
Safety systems
SEC filings
Process experts
Custom research
Custom operator spoofs
Waiting for unusual events
Log tampering
Minimal process model
Accident data
Forensic footprint
ICCP
Regulatory reporting
Just-in-time manufacturing
Wireless links
![Page 90: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/90.jpg)
Postamble
![Page 91: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/91.jpg)
State-of-the-art of ICS security
TCP/IP
![Page 92: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/92.jpg)
Take away
SCADA hacking can be more sophisticated than simply blowing, breaking and crashing
o Espionage attacks matter! They hurt later
Better understanding of what the attacker needs to do and why
o Eliminating low-hanging fruit
o Making exploitation harder
o Making the cost of attack exceed the cost of damage
Look for the attacker
o Wait for the attacker where she has to go
o The process control stage is done on the live process
![Page 93: Marina Krotofil](https://reader033.vdocuments.net/reader033/viewer/2022051711/5868e12c1a28aba27d8b9579/html5/thumbnails/93.jpg)
Damn Vulnerable Chemical Process
TE: http://github.com/satejnik/DVCP-TE
VAM: http://github.com/satejnik/DVCP-VAM
Marina Krotofil [email protected]
Thank you