We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion

00:00
subtitles
off
playback rate
1
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
576p
14
 Cite
 Share
 Download Purchase
No logo availableDEF CON
 Krotofil, Marina Larsen, Jason

Formal Metadata

Title
Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion
Title of Series
Number of Parts
109
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Rocking the Pocket Book: Hacking Chemical Plant for Competition and Extortion Marina Krotofil Senior Security Consultant. European Network for Cyber Security Jason Larsen Principal Security Consultant, IOActive The appeal of hacking a physical process is dreaming about physical damage attacks lighting up the sky in a shower of goodness. Let’s face it, after such elite hacking action nobody is going to let one present it even at a conference like DEF CON. As a poor substitute, this presentation will get as close as using a simulated plant for Vinyl Acetate production for demonstrating a complete attack, from start to end, directed at persistent economic damage to a production site while avoiding attribution of production loss to a cyber-event. Such an attack scenario could be useful to a manufacturer aiming at putting competitors out of business or as a strong argument in an extortion attack. Picking up a paper these days it’s easy to find an article on all the “SCADA insecurity” out there associated with an unstoppable attacker with unsophisticated goal of kicking up another apocalypse. Sorry to disappoint excited crowd but formula “Your wish is my command” does not work for control systems. The target plant is not designed in a hacker friendly way. Hopefully by the end of the presentation, the audience will understand the difference between breaking into the system and breaking the system, obtaining control and being in control. An attacker targeting a remote process is not immediately gifted with complete knowledge of the process and the means to manipulate it. In general, an attacker follows a series of stages before getting to the final attack. Designing an attack scenario is a matter of art as much as economic consideration. The cost of attack can quickly exceed damage worth. Also, the attacker has to find the way to compare between competing attack scenarios. In traditional IT hacking, a goal is to go undetected. In OT (operational technologies) hacking this is not an option. An attack will change things in the real world that cannot be removed by simply erasing the log files. If a piece of equipment is damaged or if a plant suddenly becomes less profitable, it will be investigated. The attacker has to create forensic footprint for investigators by manipulating the process and the logs in such a way that the analysts draw the wrong conclusions. Exploiting physical process is an exotic and hard to develop skill which have so far kept a high barrier to entry. Therefore real-world control system exploitation has remained in the hands of a few. To help the community mastering new skills we have developed „Damn Vulnerable Chemical Process“ – first open source framework for cyber-physical experimentation based on two realistic models of chemical plants. Come to the session and take your first master class on complex physical hacking. Speaker Bios: Marina is Senior Security Consultant at European Network for Cyber Security. Through her life she has accumulated vast hands-on experience in several engineering fields. Most recently she completed her doctoral degree in ICS security at Hamburg University of Technology, Germany. Her research over the last few years has been focused on the bits and peac.hes of the design and implementation of cyber-physical attacks aiming at both physical and economic damage. Marina used her pioneering destructive knowledge for designing process-aware defensive solutions and risk assessment approaches. During her PhD she collaborated with several industrial partners, participated in EU projects and collaborated with cool dudes from the hacking community. She has written more than a dozen papers on the subject of cyber-physical exploitation. Marina gives workshops on cyber-physical exploitation and is a frequent speaker at the leading ICS security and hacking venues around the world. She holds MBA in Technology Management, MSc in Telecommunications and MSc in Information and Communication Systems. Jason Larsen is a professional hacker that specializes in critical infrastructure and process control systems. Over the last several years he has been doing focused research into remote physical damage. Jason graduated from Idaho State University where he worked doing Monte Carlo and pharmacokinetic modeling for Boron-Neutron Capture Therapy. He was one of the founding members of the Cyber-Security department at the Idaho National Labs, which hosts the ICS -CERT and the National SCADA Tested .Jason has audited most of the major process control and SCADA systems as well as having extensive experience doing penetration tests against live systems. His other activities include two years on the Window 7 penetration testing team, designing the anti-malware system for a very large auction site, and building anonymous relay networks. He is currently a Principle Security Consultant for IOActive in Seattle.
00:00
Hacker (term)CyberneticsHacker (term)Thermodynamischer ProzessComputer animationLecture/Conference
00:48
SoftwareControl systemSystem programmingBusiness informaticsDifferent (Kate Ryan album)Electric power transmissionType theoryPower (physics)Hacker (term)Factory (trading post)Control flowKeyboard shortcutComputer animationLecture/Conference
01:40
Thermodynamischer ProzessIntegrated development environmentSoftware maintenanceProduct (business)Bit rateLimit (category theory)Operations researchSoftwareControl flowThermodynamischer ProzessHacker (term)ConcentricProduct (business)Group actionReduction of orderBridging (networking)Integrated development environmentWater vaporElectronic mailing listOutline of industrial organizationTraffic reportingComputer animation
03:32
Irreversibler ProzessType theoryLimit (category theory)Heat transferHacker (term)Data miningExplosionRegulator geneWater vaporProduct (business)InformationstheorieCASE <Informatik>Tracing (software)
04:58
Multiplication signWordEvent horizonCyberneticsCASE <Informatik>PlanningTrailBit
05:41
Control systemProcess (computing)AutomationPoint (geometry)Thermodynamischer ProzessDegree (graph theory)Set (mathematics)Element (mathematics)BitMultiplication signComputer animation
06:23
ComputerThermodynamischer ProzessFunction (mathematics)AreaVariable (mathematics)Process (computing)StatisticsSystem programmingControl systemPoint (geometry)Chemical equationSet (mathematics)Thermodynamischer ProzessTerm (mathematics)Variable (mathematics)Process (computing)
07:14
Operations researchLogicComplex (psychology)Scale (map)LoginComputer programPacket Loss ConcealmentBusiness informaticsLogicScaling (geometry)CuboidSmoothingFunction (mathematics)Control systemPacket Loss ConcealmentMultiplication signReading (process)Port scannerSemiconductor memoryCycle (graph theory)output
07:58
Packet Loss ConcealmentFunction (mathematics)outputMoment (mathematics)Haar measureLogicINTEGRALControl systemAlgorithmBusiness informaticsProcess (computing)outputFormal languageControl systemAlgorithmMultiplication signWhiteboardRight angleComputer scienceFunction (mathematics)Thermodynamischer ProzessComplex (psychology)Limit (category theory)Set (mathematics)Derivation (linguistics)Nichtlineares GleichungssystemINTEGRALLecture/ConferenceComputer animation
08:39
TelecommunicationPacket Loss ConcealmentHypermediaThermodynamischer ProzessOperator (mathematics)Task (computing)AnalogyData miningStapeldateiOperator (mathematics)Multiplication signComputer programmingGoodness of fitState of matterLogicFigurate number
09:32
Workstation <Musikinstrument>Thermodynamischer ProzessData integrityInjektivitätDensity of statesControl systemDataflowArithmetic meanData integrityOperator (mathematics)System administratorCyberneticsThermodynamischer ProzessINTEGRALInjektivitätDifferent (Kate Ryan album)Hacker (term)State of matterComputer animation
10:41
Information securityControl systemControl theoryHacker (term)Operator (mathematics)Process (computing)Thermodynamischer ProzessInformation securityThermodynamischer ProzessState observerCategory of beingOrder (biology)Hacker (term)Term (mathematics)PressurePhysicalismControl systemLogicHookingControl theoryDataflowInjektivitätCross-site scriptingComputer animationLecture/Conference
12:10
Process (computing)Information securityControl systemTime domainHigher-order logicInvertible matrixInformationstheorieOperator (mathematics)Thermodynamischer ProzessDomain nameCategory of beingState of matterInformation securityState observerControl systemInformationstheorieLecture/Conference
12:58
GUI widgetThermodynamischer ProzessControl systemVideo gameUsabilityThermodynamischer ProzessControl systemRadio-frequency identificationRight angleEntire functionBitCycle (graph theory)State of matterLecture/Conference
13:37
Control systemLine (geometry)ComputerSineThermodynamischer ProzessSubsetSystem callMultiplicationFeedbackProgrammschleifeAdaptive behaviorControl systemRight angleBusiness informaticsSubsetMultiplicationFeedbackAlgorithmAdaptive behaviorThermodynamischer ProzessPhase transitionCASE <Informatik>Computer animation
14:35
Control systemThermodynamischer ProzessAdaptive behaviorMultiplicationAlgorithmMaxima and minimaComputer wormType theoryCrash (computing)Exception handlingVariable (mathematics)Bounded variationAlgorithmTunisMultiplication signSingle-precision floating-point formatProgrammschleifeSet (mathematics)Control systemObject (grammar)Computer animationLecture/Conference
15:22
Hacker (term)Link (knot theory)Model theoryProcess (computing)CyberneticsPhysicalismAdhesionSoftware frameworkComputer animation
16:31
Open sourceModel theoryProcess (computing)InformationThermodynamischer ProzessInformationstheoriePoint (geometry)Symbol tableWebsiteMoving averageComputer animation
17:28
PlanningSource codeScheduling (computing)Cartesian closed categoryCoroutineProcess (computing)Roundness (object)Drill commandsComputer animationSource code
18:35
Arrow of timeModel theorySymbol tableBlock (periodic table)Different (Kate Ryan album)Parameter (computer programming)Control systemComputer animation
19:19
Model theoryParameter (computer programming)Thermodynamischer ProzessTransmissionskoeffizientControl flowEntire functionControl systemData structureDemo (music)Computer animation
19:56
Computer wormLevel (video gaming)CyberneticsBuffer overflowPhysicalismBuffer solutionThermodynamischer ProzessComputer wormSet (mathematics)Gastropod shellWebsiteTape driveFlow separationComplete metric spaceCircleProcess (computing)Hacker (term)Computer animation
21:07
Link (knot theory)DatabaseAntivirus softwareData managementHacker (term)Thermodynamischer ProzessLevel (video gaming)SoftwareExploit (computer security)Flash memoryPlastikkarteSystem programmingFirewall (computing)Antivirus softwareDatabaseScheduling (computing)Link (knot theory)Data managementAdditionHacker (term)Control systemLecture/Conference
22:30
Large eddy simulationInternetworkingExploit (computer security)Hacker (term)PlastikkarteAnalogyDigital signalThermodynamischer ProzessMeasurementElement (mathematics)Computational complexity theoryHacker (term)InternetworkingBefehlsprozessorSystem programmingStack (abstract data type)MereologyPresentation of a groupLecture/ConferenceComputer animation
23:08
FirmwareSolitary confinementThermodynamischer ProzessFitness functionComputer animation
23:48
Process (computing)Constraint (mathematics)Thermodynamischer ProzessOperations researchThermodynamischer ProzessStrategy gameUniform resource locatorPlanningInformationstheorieConstraint (mathematics)KinematicsState of matterLevel (video gaming)Multiplication signControl systemLecture/ConferenceComputer animation
24:53
System programmingInformation securityCloud computingMalwareFood energyProcess (computing)Well-formed formulaSampling (statistics)Process (computing)Multiplication signLevel (video gaming)Descriptive statisticsModal logicCategory of beingForcing (mathematics)DiagramElectronic mailing listFigurate numberComputer animation
25:35
outputThermodynamischer ProzessExpert systemLevel (video gaming)Operator (mathematics)outputMathematical analysisProduct (business)Contrast (vision)MereologyExecution unitAreaDemoscene
27:00
LogicPoint (geometry)Hacker (term)Set (mathematics)Level (video gaming)Process (computing)DiagramMereologyPoint (geometry)LogicAbstractionComputer animation
27:40
Control systemData structureLevel (video gaming)Field (computer science)Uniform resource locatorControl systemPlanning
28:24
Product (business)Parameter (computer programming)Cartesian coordinate systemInternetworkingThermodynamischer ProzessTouchscreenControl systemComputer animation
29:16
Sheaf (mathematics)Sheaf (mathematics)CASE <Informatik>Thermodynamischer ProzessDataflowControl systemDirection (geometry)Uniform resource locatorInformationstheorieLevel (video gaming)Configuration spaceContent (media)Data flow diagram
29:59
Loop (music)GUI widgetControl systemGroup actionVariable (mathematics)Control systemContext awarenessHacker (term)Table (information)Model theoryLevel (video gaming)Thermodynamischer ProzessInformationstheorieMathematicsProcess (computing)PhysicalismSheaf (mathematics)Dynamical systemoutputComputer animationLecture/Conference
31:02
Thermodynamischer ProzessControl systemThermodynamischer ProzessSound effectPressurePhysicalismHookingDataflowComputer animation
31:40
Square numberDependent and independent variablesThermodynamischer ProzessCASE <Informatik>Scaling (geometry)PlotterPhysicalismDifferent (Kate Ryan album)Shape (magazine)
32:29
Process (computing)Tape driveDependent and independent variablesThermodynamischer ProzessMusical ensemblePoint (geometry)Sampling (music)Element (mathematics)Computer iconRWE DeaDependent and independent variablesParameter (computer programming)Thermodynamischer ProzessExploit (computer security)MathematicsConfiguration spaceLevel (video gaming)output
33:21
Dependent and independent variablesThermodynamischer ProzessProcess (computing)Radio-frequency identificationControl systemModel theoryProcess (computing)Thermodynamischer ProzessModel theoryDependent and independent variablesDegree (graph theory)Nonlinear systemMereologyoutputExtension (kinesiology)Control systemAlgorithmFerry CorstenMathematical optimizationMathematicsMaxima and minimaLinearizationLecture/Conference
34:47
DataflowThermodynamischer ProzessPole (complex analysis)Thermal fluctuationsThermodynamischer ProzessCircleSound effectPlanningCausalityRing (mathematics)Lecture/Conference
35:42
Data recoveryOrder of magnitudeThermodynamischer ProzessLevel (video gaming)Control systemParameter (computer programming)FrequencyType theorySheaf (mathematics)Thermodynamischer ProzessMultiplicationState of matterPrototypeControl systemComplete metric spaceComputer wormExploit (computer security)Model theoryDistanceLevel (video gaming)Computer animationLecture/Conference
36:55
GUI widgetControl systemLevel (video gaming)Parameter (computer programming)ProgrammschleifeControl systemDivisorComputer wormSensitivity analysisPropagatorExtension (kinesiology)Level (video gaming)Parameter (computer programming)Group actionLecture/Conference
37:42
Point (geometry)Control flowComputer wormLevel (video gaming)Hacker (term)outputThermodynamischer ProzessMathematicsLevel (video gaming)DatabasePoint (geometry)Real numberReading (process)Computer animation
38:21
ExplosionControl flowControl systemInformationstheorieThermodynamischer ProzessHacker (term)ProgrammschleifeParameter (computer programming)InternetworkingInformationstheorie1 (number)Parameter (computer programming)Thermodynamischer ProzessPressureControl systemHacker (term)Closed setLecture/Conference
38:59
Bit rateThermodynamischer ProzessDataflowProxy serverConcentricNumberFerry CorstenOrder (biology)Presentation of a groupProduct (business)CASE <Informatik>Volume (thermodynamics)Point (geometry)
40:24
Bit rateProxy serverProxy serverFerry CorstenAlgorithmParameter (computer programming)CASE <Informatik>Different (Kate Ryan album)Sound effectThermodynamischer Prozess
41:24
CodeMathematical optimizationSoftware testingMathematical optimizationDifferential equationNumberBusiness informaticsPlanningCodeCartesian coordinate systemGrand Unified TheoryDemosceneComputer animationLecture/Conference
42:23
Product (business)Normal (geometry)AverageConcentricFerry CorstenSound effectState of matterVector potentialMultiplication signLecture/Conference
43:01
System programmingCyberneticsSoftware maintenanceProcess (computing)Error messageLevel (video gaming)Type theoryDatabaseOperator (mathematics)ResultantLoginConfiguration spaceCyberneticsThermodynamischer ProzessReal numberSystem programmingComputer animation
44:01
Operator (mathematics)Process (computing)Software maintenanceShift operatorThermodynamischer ProzessShift operatorBitProduct (business)Computer forensicsSystem programmingSoftware maintenanceCASE <Informatik>PlanningThermodynamischer ProzessTunisComputer animationLecture/Conference
45:08
MathematicsResultantMathematicsLine (geometry)Matrix (mathematics)Order (biology)Computer forensicsPattern languageProcess (computing)PlotterMetric systemLatent heatLecture/Conference
46:17
Event horizonThermodynamischer ProzessRegulator geneLink (knot theory)Process (computing)System programmingModel theoryOperator (mathematics)Real-time operating systemPoint (geometry)Traffic reportingDatabaseState of matterInformation securityThermodynamischer ProzessComputer wormLevel (video gaming)PhysicalismSoftwareSystem programmingCyberneticsExploit (computer security)Right angleState of matterMereologyInformation securityParameter (computer programming)InternetworkingInternet der DingePlanningProgram flowchart
48:02
Thermodynamischer ProzessUniqueness quantificationControl systemComputer iconPhysicalismThermodynamischer ProzessCyberneticsRange (statistics)Software testingNumberProcess (computing)Computer wormUniqueness quantificationDifferent (Kate Ryan album)Multiplication signPattern languageFigurate numberElectronic visual displayMeta elementAlgorithmLecture/Conference
49:14
Process (computing)Process (computing)PhysicalismObservational studyField (computer science)Hacker (term)Wave packetLecture/ConferenceComputer animation
Transcript: English(auto-generated)
00:01
I'm Jason Larson, this is Marina and this is Rocking in the Pocketbook, Hacking Chemical Plants for Competition and Extortion. So we're a team of an academic and a hacker. And so if there's any doubt, then I'm the evil devil hacker and she's the cute academic. So we're here to play who
00:23
wants to be a millionaire. So we're all at DEF CON because we want to learn how to hack like in the movies. And if you're in Vegas, probably you want to be rich. And so this talk is about giving you all the tools to get all rich and get all the girls like in the movies. So if you want to get rich and have
00:46
some money, then maybe you want to hack some process control networks. So industrial control systems. So in general, industrial control systems are just a whole bunch of computers that have only one thing that's different than computers in the world. They run physical stuff out in the real
01:02
world. They run power grids, chemical plants, waste water treatment facilities, all of that type of stuff. So typically run for the benefit of mankind. So industry means big business and big business means big dollars. So some smart hacker starts in a coffee shop and sits down and clicks on a
01:24
keyboard and then half a world away, then of course all movies will tell us that fire and destruction and everything breaks out at some factory all the way over there. But all the stuff that happens in the middle is kind of one of the big mysteries of the 21st century. It's just twiddle fingers, explosion and nothing in the middle. So the typical
01:43
understanding of SCADA hacking is that after an attacker breaks into a process control network and gets control, there's this magic big red button and you go mash the big red button and whatever your thing is. It either saves the day and shuts down the process nicely or hits the button and everything blows up. So in reality, the attacker actually has to build the big
02:02
red button. There's not one there for him. And to start with, the attacker has to actually decide what exactly he wants to do to the process. So in general, like all attacks or impacts on the process can be divided into three groups. So you can, for example, damage the equipment.
02:22
You can go like after the production, for example, you can easily spoil the product, reduce the production rate. You can make production more expensive so the product will be less competitive on the market. And these two groups of damage will
02:41
never make the headlines because the companies do not need to report them and they typically do not because it's bad for their reputation. So if you want really to shame the company and make it public, then you have to make the company noncompliant. The most damaging attack will be attack on the occupational and environmental safety because it
03:01
can kill humans and damage the environment. Less damaging attack will be on the pollution. For example, if you contaminate the water or soil or exceed the, for example, heavy metals concentrations in the emissions or like delays the production. And when the attacker decides like, okay, what
03:26
exactly do I select out of this list? So he has to kind of follow some thinking process. So for example, damage equipment, damage comes to the hacker mind first. The
03:41
disadvantage is that it is irreversible. So you can't do it later on. The other problem that it is difficult to understand what is the collateral damage. So if you something explodes and human is in the vicinity, then it kills the human and this attack transfers into the
04:01
compliance violation. The advantage of the compliance violation attack is that all of those regulations and limits and everything is online. So basically it's public information. It's easily available. Again, the problem is that the collateral damage is unclear because, for example, if you contaminate the water, you may kill the fish. So
04:21
many people get upset with that. This type of attack must be reported. So it's probably, it might be what you want. But if you are not unclear how well you hide your traces, you might not want to do, like, it may be a problem for you because the guys will be investigating the case. So out
04:43
of this consideration, the attacks and the production damage is actually more profitable scenario because nobody needs to report them, nothing gets killed. So for the attack, it sounds like a more safer scenario. And this is actually the scenario we will be considering in this
05:01
talk. So we will illustrate the attack from beginning to end, how we will cause persistent economic damage to the plant. And the key word here is persistent. So you won't make it hurting for a long time. It means that you have to make sure that the attack will not be attributed to a cyber event and not be eradicated. So this scenario
05:24
will be useful, for example, for the extortion attack or if you want to kick out the competitor out of the business. In any case, you can earn money. So... Okay. So process control. We're going to go over a little bit of process control basics. This is a 101 track for anybody
05:42
that doesn't understand process control terribly well. So the basic of process control is a control loop. So if you go and look at your typical thermostat, we have a nice cute thermostat, a nest here. I actually have one in my house, but I haven't gotten around to hacking it yet. So on the thermostat, you've got a sensing element that
06:02
measures the temperature and then you have a set point. So whatever temperature you set it to, you say I want my house to be set to 72 degrees and keep it at 72 degrees. So we do this because in the 21st century, nobody likes to run up and down and manually kick the furnace on every time they want it a little bit hotter and then run back up and kick
06:20
it off every time they want it a little bit colder. So in process control terms, this is a control loop. So in a control loop, you have the physical process, your furnace that's running on, and you have some sensors, namely the temperature sensor, and they feed back through the control systems, the actuator, and the actuators turn stuff on and off and keep everything in balance wherever the set point
06:43
is set. So in the control system, this is just another way to look at a control system. Here we have all the same processes and the measured, the actual set point
07:02
is called the process variable. The observed temperature in the house right now is called the measure variable and it feeds back and in the little red X over there, we make decisions on whether or not we should kick things on and kick things off. So if you go up to large scale, then you can't really fit all of the logic that needs to run a whole big
07:22
chemical plant inside of a little thermostat. So we stick them in larger boxes. We call these programmable logic controllers. So they're just large specialized computers that sit there and run a whole bunch of logic that keeps your plant humming along smoothly. So in general, the internals of PLC, you have a whole bunch of sensors that are plugged into
07:42
it, and one time per scan cycle, it takes all the readings from all those sensors and copies it into the input memory. Then it runs a whole bunch of logic based on that and then produces a bunch of outputs and those outputs then are turned around and run all of the actuators in it. So the PLC is really the brains of the control that are running it. So most PLCs are still programmed graphically.
08:02
This comes back from the day when everybody still ran processes from peg boards. You would actually have your input plugged into the plug, run over there, stick it in an AND block, take it to the output and twiggle it around. So we did that graphically and still programmed that way. So most of the time as a computer
08:21
scientist, you scream no, just give me your real language. So the most common control algorithm that's out there is PID, proportional, integral and derivative. This is just a complex set of equations that run to try and keep the process within certain limits. So outside the PLC, you
08:41
have all the PLC and the wires running all out into plants. So those are usually cabled up and run into big wiring closets. These are mostly analog things. So they do 4 to 20 milliamps, 10 volts, et cetera. So this is usually not IP based technology. So even though the PLC has all this logic and everything the engineer can throw into it,
09:01
then we still need humans. So a good friend of mine that works in nuclear says that any chemical plant you build, when you first kick it on is an imminent state of failure and it stays that way forever. And so things go wrong all the time in plants. So anybody that's ever worked in it knows
09:21
that it doesn't just hum along batch after batch like a computer program. And so the operator has to sit there and see all the alarms coming over there and figure out what to do with the alarms and shut things down and generally keep things in control. So specifically for this talk, it
09:40
is extremely important to understand what is the difference between IT hacking and OT hacking. Because what we are going to do here, it's not IT hacking, it's OT hacking operational technologies. So to explain the thing, so this is the scenario of the Stocksnet. So you see the centrifuge at the end. So there is a sys admin who has
10:01
figured it all out for you. There are linkage of the data between cyber assets and there are work flows. And then we have the infected PLC which prevents the operator from observing the real state of the process. So the centrifuges were breaking, the operator was not aware about that. So after the attack was discovered, the next
10:22
admin will start figuring out how did it happen, what interrupted the flow, was it data integrity, was it dose, what kind of integrity, was it packet injection. None of that has any sense to the operator. He doesn't give a shit. Only what he says is like I am not controlling the process. And
10:41
this is what is important to understand that in OT security, the security properties which you need to observe are observability and controllability. You need to be able to observe or measure the process in order to be able to control it. If you are not measuring, if you are not observing the process, you are not controlling it. So you are not having your process.
11:07
So an attacker that wants to do something beyond simple mayhem will want to reliably control the process. So if you run over there and you hack into a process and you say, oh, there's a burner, there's a burner underneath this tank, I'll
11:23
just crank up the burner and crank it all the way up and bad things will happen. Well, this isn't actually what happens. So usually what you're going to do is just exercise the shutdown logic of the process. Once you hook everything in the process together, they're actually related in a physics relationship. So if you crank
11:40
up the temperature, you're also going to change the pressure and the flows and everything else that's going to happen downstream. So in order to actually control the
12:00
process, you need to remain in the control of the process and you need to work in terms of control theory and not in terms of hacker food like SQL injections, process scripting and ROM. So when the attack transforms in the OT domain, the attacker and the operator, they're competing for the
12:20
controls over the process and the attacker wants to win. So the security properties in the IT domain are actually controlability, observability and operability. And operability here states something like we will say availability, which describes the state of the process. So just to remember, CIA, is it for information security? CO2 for the process
12:44
control security. And I know that the guys who grew up with the CIA state of mind, they will hate it, but just shake it off. So when the attacker goes and hits the process, he
13:06
can take one of a few approaches. So he can either take control of the process and reliably control it through the entire life cycle of the attack. And this is what we'll talk about later. He can take control of the process and
13:21
control it into a state that then puts it in the failure and just kind of let it go and let bad things happen. That's what I talked about a few days ago at DEF CON. Or he can make the process unusable by just simply messing with the controls. And I'm going to talk a little bit about that right now. So let's consider a car and a driver. So the
13:41
attacker is hacked into the car and he's got control of the brakes. And so if he comes over there and grabs the left front brake, then the driver is going to compensate and go to the left. Well, the attacker is just going to let go of the left brake and grab the right brake and he's going to compensate back the other way until they're going back and forth and back and forth, trying to keep the car under control. And so since the attacker is a
14:02
computer, the attacker will always be able to anticipate and win this one. So we call these actually multi-adaptive algorithms. And so in the case of the car, the human is actually called the hidden actor in the process. And so any subset of a process can be modeled as a hidden actor. So
14:21
if you have a refining phase or whatever else, you can consider that the hidden actor and apply multi feedback or multi-adaptive algorithms to the feedback loops to just try and grab the feedback loops and run them back and forth and trying to get things to run out of control. And so this is actually a single set of algorithms that's based on the
14:42
algorithms we use to automatically tune process control variable loops. Except we're applying them to remove the variation to add more and more variation over time. And so you can grab those and apply them to a car or you can apply them to a boiler and they work just as well either way. All right. So we are ready to start. So whenever you
15:10
want, like, before you even start hacking something, you need something like a playground. You need to learn like the object. How do I hack that object? And also you need something where you can test your attack. So it's
15:23
actually really possible to buy a chemical plant. Note down the link. The problem is that plants are extremely expensive. Also you cannot relocate them easily. And you need more than two people to run them. Moreover, if you will hack it
15:43
to the desk, you will need more money to fix it. So hacking the real plant is actually not sustainable. And actually in the industry, in the chemical processing industry or like in R&D, it's more common to use actually the model of the processes. So this is really in this research we've
16:01
been using the realistic model of the plant. It's a plant which produces a commodity chemical, which is then used to produce chemical adhesive, plastic and so on. So and actually like with this talk we also released two models of chemical plants which were transformed into the framework
16:22
for cyber physical exercises. We actually wanted to show you quickly how it looks like. Oh, we are good. So this is a
16:46
mat lab and this is how much far we can get to the open source. So modeling is extremely expensive. All chemical like all processing industry models their processes but it's a proprietary information. Yeah. So, yeah. So,
17:15
the problem with, so we've been in the simulate model of the vanilla acetate plant and what you see on the, what size
17:22
is it? On the left side is actually the set points into the process. So if we will kick in a little bit inside. So this is the plan. This is the source code which actually schedules all the routine of the support in CCC processes. I have something for you. How are they doing? So it is not easy
17:54
to get accepted as speakers at DEF CON and you two have accomplished this. Congratulations and thank all of you for
18:01
staying, you know, late and seeing them. So give yourselves a round of applause. Thank you. You all know the drill. Here's the DEF CON. Good job. Now I just want to see you
18:25
continue. Yeah. So, for example, the advantage of the simulate models is they're easy to understand and it's
18:41
extremely easy to add attacks with just a few mouse clicks. So for example, if I go here, here we integrated the blocks where we can, for example, model different attacks on the controller signals. Here's the different parameters. We can select the different attacks and so on. And here if we will go one layer inside, this is the controller which
19:05
handles like, if you can see this is the attack values and here is fake signals and so on. Just to give you a feeling like what we've been working in and we've built all of this. So if you will go one layer here. So this is the entire control
19:21
structure of the plant with all of the controllers. Transmitters are sensors. And this is the controllers and as you can see there's a lot of parameters inside and everything that we have been introducing you in this beginning, the attacker cannot hack the process if he doesn't understand the principle of control loops, how do you tune
19:41
them and so on. So that was just a quick demo just to give you a feeling what we've been working with. Okay. And the stages of cyber physical attacks. So just like a buffer
20:03
overflow needs shell code, then when you're attacking a process you need a final payload that you deliver to the process. And this carries a set of instructions that are going to be carried out on the target process. And final payloads are always bespoke. You can't take the final payload for one vinyl acetate plant and then play it on
20:23
another vinyl acetate plant. But in general, attackers go through several stages of hacking. And so an attacker that's remotely attacking a process isn't immediately gifted with complete knowledge of the process and all the things he has to manipulate before he gets to deliver this final
20:41
payload to the process. So in general you run through the attacks and stages, but your knowledge is never complete. So once you first get into a process you have the fog of war. You don't know anything about it. And then you start figuring out stuff and you move through the stages of them. And then you have to circle back and say, oh, well,
21:01
I need to know more about the process before I can start controlling the process and continue on from there. So the first stage of hacking process is access. So you have the guy in the coffee shop in France and he's running over and hacking in the process. And in general, networks have
21:22
a traditional IT network where you get in and send your favorite flash out exploit to some clueless user and have them click onto it, onto the business network, done. So generally process control networks have firewalls and additional protections away from the business network. So
21:41
there you have to get across antiviruses, database links, patch management systems, et cetera, and into the process control network. But once you're into the process control network then you stop having to use hacker tools because most of the things in the process control network will just respond to any properly formatted command. So if you take a
22:01
Modbus controller and say, hey, go turn that pump on and you throw it at the Modbus controller, it will just take that command and then run on it. So you can move freely about the network with most impunity once you get inside of it. So if you don't have a whole bunch of stuff already all stuck together, then now there's people that will sell
22:22
you exploit packs. You can run out into the network, apply a bunch of credit cards to the problem, you're all done, you have a bunch of exploits for the network. So there is an alternative approach, the approach that was taken by Aaron Leverett using showdown. So one of the things you can do nowadays if you don't really care who you're hacking into is
22:42
you can just run out into showdown and say show me all of the industrial controllers out on the internet, there's way more than there should be, go grab a bunch of exploits, go pop, pop, pop, pop, pop, pop, and then see where they lead. So a third approach you can get is that sensors now are getting smarter and smarter. They're getting IP stacks,
23:02
they have CPUs and operating systems and are all getting to be part of the internet. So if you looked at my presentation from S4 in 2014, I describe how to take a skid attack and miniaturize it down all the way to fit into the middle of
23:22
one of these sensors. You just have to get the sensor into the middle of the process and it can unpack itself and keep on going. So after that you have discovery. Okay. So you are in. So how much do you know about the plant? Well, I'm in some plant. You really need to
23:41
understand lots of things about it. So do you know what stripper is? No. It's not exotic dancer. It's a stripping column. So you really need to understand the equipment when
24:00
you try to hack a plant. So in general the attacker needs to understand how much information about the plant, what and how the process is produced. So even if it is a plant, the actual chemistry and kinetics of the process are proprietary. How the process is controlled and wired. So it means what is the location of the control valves, how the control loops
24:21
are tuned, what is the control strategy applied, how the plant is built and how the sensors are connected to the PLCs. And very important, what are the physical constraints of the plants. This stage of the attack starts very long time in advance with old-fashioned reconnaissance attacks. And for
24:41
example, for many information you will need also to hack into the third parties. For example, most of the equipment is designed by third parties and chemistry is developed by third parties. And actually the attacker has understood the necessity of the stage a long time ago because the attacks again the industry started a long time ago with the samples
25:02
dated to 2003. And just to quote you, the description of one of the APTs is that the goal of the attacker is to collect intellectual property such as design documents, formulas and manufacturing processes so the attacker knows what to do. So they will be looking something like chemical formulas,
25:24
instrumentation diagrams, instrumentation list, wiring diagrams. And after the attacker figures this out, he will understand how the plant is built and operates. He will start thinking, okay, what can I do to cause persistent
25:43
economic damage. So at this stage you already understand how the plant works. So in general, the easiest way to cause economic damage would be to destroy the pipe which carries the final product into the vessels. That is easy works
26:02
but easily detectable, easily fixable. So it's not persistent. The rest of the plant can be divided into two parts, reactions and refinement. Refinement is a large part of the process. It's just approximately one kilometer long. So the attacker has a lot of opportunities to mess up with the things but the operator also has a lot of
26:22
opportunities to notice and to correct things. Moreover, you can always recycle product back and try to refine it again. In contrast, if you mess up with the reaction process in the reactor, you reliably produce less product. So that is a good scenario for the persistent economic damage. And
26:42
important to understand that even this simple analysis is not possible without input of the experts. So after we resolve to attack the reactor unit, then the attacker has to start and needs to figure out how the plant is building
27:01
wired. So this is one of the most time-consuming and difficult parts of the SCADA hacking. So the hacker has to figure out the relationship between the tags and the PLC equipment and how that all looks on the diagrams. So most of the processes operate on their points, logic, abstract
27:22
layer. So everything can be measured, basically all sensors and set. So those are points. The plant may have 10,000 points. Where do they go? What do they do? So the attacker has to perform all of this mapping. It's a lot of work and interestingly enough, I don't remember the year, but
27:47
first the attackers to actually map and mind the equipment in the field. So the attackers are already this far. So in this stage, we already could figure out all of the mapping
28:02
between equipment and controllers. So we are back to the plan. We need to figure out the location of the control loops. Once we have that, the attacker needs to understand how those control loops are tuned. This is
28:22
extremely important. The good place to go for that is instrument engineering applications because they will have everything that you need. I grabbed the screen shot from the internet. So for example, you will be looking for something like, well, this is a pressure transmitter and it
28:41
serves the reactor control loop. We have here will be the tag. The next we have, it's actually a model number of the equipment. There are all the parameters how instrument is scaled and how it is used within the process. And what
29:02
is also very interesting, we have also has a user who is allowed to modify this equipment. So we now know which account details we need to obtain. So what else the attacker needs to do is flows. In chemical plans, the things
29:20
do not nicely flow from left to right. They flow all kinds of directions. So for example, in this case, in vanilla acetate, it flows from the tank to the reactor section and to the refinement section. It's too bad for us because we need to operate the valve and that means that we will have to also watch the process in the refinement section. We would
29:42
not like to do that because we need to make more devices, but well. So this is the attacker will need to find this information on the flow diagrams. So at this stage, we already know everything about the control configuration and location of the control valves. So in the contents of the
30:03
matlab models, the controllers are called as variables. Because we later will be using it on one table. What is very difficult to understand for the IT hackers is that obtaining control is not being in control. So first of all, the
30:22
obtained control might not be useful to attack goal. And secondly, the attacker might not be able to control obtained control. And what does it mean? We go into the control stage of the attack. So until now, the attacker was discovered in the
30:42
static information of the process. But physical processes have their dynamics, so the change over the time. And if you apply any input to it, it will change. So the attacker needs to understand how much he can control the process. How much he can control the process. So as I
31:06
mentioned together earlier, once you hook all the stuff together into a process, they're related to each other with the physics of the process. So if we adjust a valve over here, what happens to everything else downstream?
31:23
So adjusting the temperature can also adjust the pressure and all the downstream effects need to be taken into account. And so one of the things we need to understand is how much of the process can we change before all the alarms and automatic shutdown routines kick in and start shutting down the process. So this is an example to illustrate the
31:46
concept. So in the red square, you have the plot. I just adjusted some valve. I just changed something. As you can see, everything downstream has changed. And it changed in different scales. The response has different shape. And what is
32:02
more interesting, for example, in one case, something goes up and something goes down. This is the responses of the process to the manipulations cannot be predicted by the attack. And this is what he needs to figure out. And for example, as
32:22
you can see, why things go different in different control loops. Not only because of the physics of the process, but also because there are millions of parameters which influence the process response. So this is a control loop we wouldn't show before. So there are many parameters at each stage that will be influencing the response of the process to
32:43
the manipulation. And the attacker needs to take into account all of them. What is more important, when the attacker changes something, he cannot understand whether the response is a response to the attack or it's because of the
33:00
configuration of the process. So just to give an example, in my earlier works, when I've been designing exploits and processes, I've been working with, I've been considering several of those parameters. And I have to really encode into my exploit the ways how I will be dealing with them. So
33:22
one of the most difficult parts of hacking continuous processes is process non-linearity. Most of the physical processes are non-linear. What does it mean? In short, it means that the response of the process is not proportional to the input
33:41
into the process. For example, if the process is heated, how the process behaves when being heated from 140 degrees to 150 degrees is completely different when it's heated to 160 degrees. And if you never model the behavior of the process in that range, you don't know how the process will behave. So the behavior of processes is known to
34:02
control us as well to the extent of the modeling. So if the control algorithm has never been tested and designed to deal with the processes that controls in that range, it will not be able to control it. The problem of the attacker, he will move the process outside of the optimal envelope.
34:21
So he has to deal with all of those strange behaviors of the processes. And it's not easy. So just to give you an example of what is non-linearity, you see it's a simple response and you change something and the response is definitely non-linear. And all of those spikes are extremely annoying to
34:40
the attacker because they cause alarms. Because it just hits some like maximum values. Another problem like one of the issues which we have to deal while hacking this particular process was that this was a very badly configured plan and all the controls were purely controlled. So whenever we've
35:00
been trying to change something to our benefits, many control loops had a ringing effect. And if you will see this like look at the blue circle, you can see well, but that's like fluctuations just kind of tiny little like why do we even bother? The problem is that the tiny little fluctuation in one
35:20
control loop cause enormous effect impact on the other control loops. So unfortunately most of the control loops were causing alarm so we couldn't really stay like end of the radar because we did not want to cause any alarm. So it took us around a couple of weeks to find a way how to deal with that. So in general, we start
35:43
like we apply two types of attacks. Step attacks and periodic attacks. Step attacks is when you bring the process to some state and leave it there. And periodic attacks when you attack the process, let it recover, attack the process again, let it recover and so on. So we have to test all of
36:02
those control loops which we've been identifying in the reactor section. We tested them for multiple parameters and actually the end, this was our mental model of the dynamic behavior of the process. So obviously this was our first attempt to, you
36:37
see like this is the first public talk on the complete attack from start to end. So obviously this was the first
36:42
attempt to understand the dynamic behavior of the process. So we were not obviously optimal so we're now trying to find a way to optimize it so it would fit in a small payload like exploitable payload. So the outcome of the control stages, the attacker will need to classify the available control loops like how they're useful for him, how well he
37:04
can control them. So we basically found those factors which would be like for example we use the sensitivity of control loops. So highly sensitive loops are not reliably controllable so you probably don't want to use them in your final payload. Also another outcome of the control
37:22
stage is the alarm propagation, you want to know what are the marginal parameters of the attack which still do not cause the alarms. So now we know what we can control to which extent and we can actually start designing the real attacks.
37:41
And with that we transition to the damage stage. So in the damage stage you're trying to figure out, okay, I know all this stuff I can do about the process, what am I actually going to do about it? So the damage stage is actually the least familiar stage to IT hackers. There's a lot of good starting points when you go and start looking
38:02
at the damage stage. So one of the good basic principles is if things happened in the real world by accident, you can probably make them happen by malicious intent. So you can go to all the places where these are recorded to, government databases, the plant's own databases, like the chemical safety board, et cetera, and read about all the things that
38:22
have actually gone horribly wrong. And they're out there on the internet for you to go and read. So the target plant may not have been designed in a hacker friendly way. So you really, really want to know what this particular value is,
38:41
but there may be no sensor there or no sensor close to it. And the information may be spread out across the process. And the control loops could be designed to control different parameters than the ones you want to actually reach in and control. It's like, oh, I would really like to change the pressure here, but there's no pressure control loop, so I
39:00
won't do it. So in this case, oh, sorry. So the application, in this case, since we want to read, so we decided to mess up with the production of vanilla acetate. So we want to actually make the plant produce less. To measure the impact of our attacks, we need
39:21
to actually measure how much molecules of the vanilla acetate are there in the reactor exit. The concentration of chemicals is usually measured by the analyzers. There are four analyzers in the vanilla acetate plant in this plant, and none of them in the reactor exit. There are only flow and temperature. In order to compute the volume, we need
39:44
actually the concentration and the flow. The only available place where we could get those numbers is the exit of the plant. But measuring there is too late because the values are available like in eight hours. So then you will have to attack something and wait eight hours until you can
40:01
measure it. It's certainly not sustainable. So we've been actually in desperation because it seems like how do we proceed? We don't have numbers. We can't evaluate how effective our attacks could be. And this is at that point, I remember the presentation of Jason actually from another conference where he'd been talking about proxy sensors. So
40:23
the concept behind that is following. So in general, there are two answers to like to measure something. It's technician and engineer answer. Technician will tell you that something is decreasing or increasing, and engineer will tell you by how much. So by using proxy sensors, you
40:42
actually can obtain at least a technician answer. And the proxy sensor is something that changes with respect to another parameter which you are interested in. So in our case, the proxy sensor is temperature in the reactor exit. So if temperature is decreasing, it means that less reaction is
41:01
happening in the reactor. So with that, at least we can see whether our attack is effective or not. That was already a good start, but it still doesn't allow us to compare the effectiveness between different attacks. So we desperately needed the engineering answer. And this is where we started to
41:21
think further. Actually, process algorithms are extremely complex, and there are a lot of optimization applications running in each plan. We'll try to optimize like how the performance of the plans. And there will be a lot of internal like intermediate computation. So we decided to give a shot, like maybe there will be some numbers computed in between which
41:43
can be useful to us. So we started looking into the code, and we knew that we need to look into some, to find some ugly differential equation. And eventually we found the piece of the code which seems like, well, it seems like computing what we need. The problem was that the numbers which were, these numbers, intermediate numbers, were
42:03
extremely weird. We couldn't do really anything with them. They did not sum up to zero, to one, to 100. They are just too small. So we didn't know what to do with that, but still we got feeling told that was the right number. So we spent actually two weeks trying to play with those numbers until we
42:21
actually could figure it out. So eventually we could compute the concentration of the vanilla in the reactor exit. And with that we actually can finally measure the effect of our attacks in dollars. So the outcome of the damage state is a portfolio of attacks which you classify with respect to the
42:44
damage potential. And then you just apply those attacks at the opportune time. So you would think that this is all, and we're already done because we have our attacks, we can code it, so let's just go and hack it. But that's not all.
43:02
So the final stage of hacking a control system is cleanup. So in most IT scenarios you go hack into something, it's like, oh, I've got the databases, I've got all this stuff, and when I'm done I erase all the logs and I'm just gone. I was never really there. But in hacking process control systems if you leave the big smoking plant then somebody will
43:22
investigate the big smoking plant. So you have to convince the people that are actually investigating this that the big smoking plant was the result of operator error, misconfigure equipment, all of those types of things. So having a human
43:43
in the control loop turns this from just a purely cyber system into a sociotechnical system. And so since there's real people that are out there playing with the process and real people that are going to analyze the process when it's all bad and gone, then we can go and attack the system.
44:03
So creating a forensics footprint. So if you come over there and you create a persistent problem in the plant and the production is going down, somebody is going to notice and say why are we making money and try to fix it. But you can do things like timing the attacks when a
44:22
particular employee is on shift and then after a while they'll say whenever Bill is on shift then things go horribly wrong and we don't make money so let's go beat Bill a little bit. He must be the problem. And so the employee can end up getting investigated instead of the process. So in this particular case we're going to show you
44:44
one where we pick several ways that the temperature can be increased. And so our plan is we'll just wait for the next scheduled instrument calibration. We'll perform the first attack making it inefficient and then we'll wait for the maintenance guy to be yelled at and say oh, you tuned it wrong. Please go tune it again. And then
45:01
we'll just perform the next one and then he'll go back and tune it again and we'll just pull forward the next one and the next one and the next one. So here we see four different attacks on the reactor temperature and the results and you can see they're very different. So if the lines in there and the changes are timed with the
45:21
recalibrations then it really just looks like the guy is messing up and not getting the calibrations right. So if eventually they will start thinking okay, probably the reactor is not performing well. They will call the chemical forensics guys to investigate. It is not possible actually to see into the reactor. So how the
45:42
forensic guys investigate, they have a matrix to compute in which they can understand what is happening with the reactor. So the attacker has to understand how they do it in order to fool them. So these four plots are just like some of the metrics which we've been computing for the reactor
46:01
performance. And although they look similar, they all tell completely different things strangely. So then just change attack patterns according to the debugging efforts of the plant personnel and they will just keep thinking that they're not doing a good job. So in general, we go through all of
46:21
the stages and we plan all this stuff out, some of which can be totally offline and some of which is interactive with the process. But we take all this stuff and we wrap it up into what we call the final payload. And that's what we're going to stick inside of our attack and send into the process. So if all things go well, then our attack works and we make lots of money and everybody is happy. Well, I
46:42
guess everybody on the attacker side is happy. There is a big problem right now. So like the plants really go through tremendous modernization. So most of this really old sensors are now substituted with the smart sensor which speaks IP and they're now part of the
47:02
Internet of Things. The plants are now connected to the Internet and Internet can now talk to the plants. So the attackers are already in the plants. And although like the argument like why we cannot improve the state of the security of the industrial control system is that like
47:21
well, we don't see many of those attacks. The problem of that according to the recent laws, all of those accidents are not available like classified information and they're not allowed to be public. But it does not mean that we have to do nothing. Cyber physical exploitation can be actually started and we should do it. So by understanding what the
47:44
attacker needs to do and how, we can actually make exploitation harder, wait for the attacker where he has to go and actually create really those network monitoring solutions which works because we know what to look for. And for that, that was for the defenders, but food for thought
48:02
if you're an attacker. So most of the things when you actually get into breaking a process are about cost. And so one of the reasons that we study cyber physical attack is because all the other people that are probably out making money right now are studying cyber physical attack. And so for
48:23
most attackers, then the cost of an attack can quickly exceed the cost of the damage or the cost of the benefit they get there. So if you actually make it harder and the attacker has to hack into a large number of devices or suppress a large number of alarms and spoof a large amount of data, his cost
48:41
goes way up and his testing goes way up and his chance of failure goes way up. And so each process is unique, but if we look at a wide range of scenarios, then we can start seeing all the patterns. On the other hand, the opposite is true, too. As we figure out how to deal with all the uniquenesses and all of the processes, probably attackers are going to
49:03
get better at their job, too, and figure out algorithms that can be applied in a lot of different ways. So payloads for something that looks like a meta display are probably only a matter of time. So I guess in the end, if you want to be the evil James Bond villain and make millions of dollars and
49:23
start building your evil lair, then hacking chemical and process control systems is probably not a bad place to start, but it is very complex and it's a very challenging field of hacking. So anybody that wants to come and join us and study hacking processes and physical damage, then they
49:45
should come and do so. So just go and check more stuff there and you can actually get some trainings there running right now as well. So with that, that's the end of our talk.