Rocking the pocket book: hacking chemical plant for competition and extortion

Video in TIB AV-Portal: Rocking the pocket book: hacking chemical plant for competition and extortion

CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Fear of cyber-attacks with catastrophic physical consequences easily captures the public imagination. The appeal of hacking a physical process is dreaming about physical damage attacks lighting up the sky in a shower of goodness. Let's face it, after such elite hacking action nobody is going to let one present it at a public conference. As a poor substitute, this presentation uses a simulated plant for Vinyl Acetate production to demonstrate a complete attack, from start to end, directed at persistent economic damage to a production site while avoiding attribution of the production loss to a cyber-event. Such an attack scenario could be useful to a manufacturer aiming at putting competitors out of business, or as a strong argument in an extortion attack. Designing an attack scenario is a matter of art as much as of economic consideration: the cost of an attack can quickly exceed what the damage is worth. The talk elaborates on the multiple factors which constitute attack costs and how to optimize them.

Safety is barely more than a fantasy, and even if systems are disconnected and claimed to be highly secure, such as nuclear enrichment facilities or military sectors, there is always a way in, especially for institutions or groups with the right amount of money who want to make a major impact. In June
2010 a small security company discovered an unknown computer virus they called Stuxnet. The virus used USB flash drives and LAN networks to spread globally. By monitoring the activities of Stuxnet, the experts found out that 70% of the infections occurred in Iran. With Stuxnet a sophisticated cyber weapon, who or what was the intended target? Buried deep in the 10 thousand plus lines of code, experts found the answer: working like a fingerprint recognition process, the virus was looking for specifically configured Siemens modules, exactly the same module scheme which is used to control the uranium enrichment centrifuges, and the target
the secret Iranian enrichment facilities. And by chance the virus manipulating the centrifuges was able to destroy 2011 income needed. Today it's known that Stuxnet was a cyber weapon initiated by the USA and Israel under an operation called Olympic Games. This sophisticated attack succeeded in slowing down Iran's nuclear program for decades; now out in the open, the code can be used as a blueprint for future attacks. These attacks could happen to almost any power plant, any factory, any essay can be found close to your own home. Target-rich environments are not just in the Middle East: with massive infrastructure systems, the US, Europe, Japan, Australia and South Asia are also prime targets. The question for us now is not if there is an example of, but when and where. So you probably all know about Stuxnet and this really awesome video, and the problem is the fact that we know how it occurred, what you might call how they broke into the Windows system, the user 0, there's consultants or local, all of the spectrum data, just like all pressure into future, so that they just below. What we don't know yet is how exactly the hackers designed their payload: did they know what parts of the process to break? So prior to this work I have done a lot of exploiting, but it was like instances of attacks, and I was still thinking what I need to do if I want to perform that type of attack from beginning to end, like entering the plant and finalizing what should be done, what should be given to the payload in and out. I used to work with several chemical plants, like models of the plants, and I had an extremely complex plant model with data, and I never knew even where to start, like how can we hack a plant. So I posed a challenge to myself, and this is what this presentation is about. So to start with, it is
important to understand the vocabulary. What is an industrial control system? It's a bunch of computers which work together to control the physical parts of a physical process, be it a water treatment facility, power generation, or the lines linking the cities in and out of
on and yeah so this is something like this and if you're the
typical architecture looks like this: you have the physical process at the bottom and a lot of layers of IT systems on top of it, and the data flows from bottom to top. The entire purpose of having the IT infrastructure is getting the data about the state of the process and propagating it to the upper layers of the infrastructure, and then deciding how to control the physical process. And these systems are
also called cyber-physical systems because they are systems deeply embedded into the application in the physical world, and in contrast to the traditional IT domain, the interest of the attacker is not the data as such; the interest of the
attacker is in the physical world: they want to do something to our physical applications, bring them into a specific state, make them perform specific actions. But continuing on the topic of movies, in all of
edges probably like 1 of reflections all of them were like called trends on what is happening like in the modern world in there wasn't like the transition that we used to have all of this region goes as and then in the last in the sky falls in the last agendas 1 more utility have high accuracy so which is of course for me is a little bit and in that family we still have a hacking and steroid gene on and
if you want to know, in Skyfall they have this event: the villain is sitting in his cell, and then he goes to the computer, finds a network, and then his computer virus spreads from his computer into the network, and then it does the thing, which is that it opens his prison cell so he can escape. So this is an example of a cyber-physical hack: you launch an attack in the cyber domain to achieve certain specific desired effects in the physical world. So you see that the security of cyber-physical mechanisms is becoming popular, and
to all that the goal is to understand like so yes we need to penetrate into the cyber like systems but then we need to program our best at the physical physical promoting you to put specific instructions which will bring the physical system into the desired state so the the drop which
and even today this idea in the stock also black had so I think that chemical plant a specific uh chemical process and as I actually use so it turns out that that is actually has to go to school specific stages simply because of tilting on on each day that I will need to complete his accomplice specific actions are and this is what I will present in this for so
to start to lose a little bit also like what is like what is the with control systems security and so what you know
by now it's just like that to be secure that isn't vulnerabilities are discovered the impacts of change in the fifties every day but instead of going already it's not interested in the more of what
is the problem, the true problem. So the responsible authorities issue advisories like "OK guys, there is a vulnerability in operating system X, and here is the patch", and the advisory says "the impact of that vulnerability is specific to your organization, and it is your job to understand what exactly it means to you". Unfortunately the operators don't know how to evaluate it. So for example one of the highly publicized vulnerabilities in the industrial features, in the mass media it was publicized like "oh my god, attackers can do whatever they want because they now have access to our nuclear facilities around the globe". So OK, here's a
plant so now let's assume that you have access to some sleech inside of it so happens that you going to make to put this place on fire roughly once pathways so the typical understanding about
prospects flotation instead of just like this
movie dialect months you have been there will be some red button which oppressed and like the system will fail in exactly the way you needed to fail the tools elizabethan doesn't exist and that type
is actually have to do was about so to build this payload understanding
examples of also. I believe that after my presentation I will typically get a question like "why is that so complicated, you can just hack into the system". Well, first of all, the attacker is rational and has a specific goal in mind; people do not hack into complex facilities just to do something. And second, for example, even if she wants to do something, she still needs to understand what exactly is the vulnerability in the process, in the treatment, which can be exploited and which will cause the process to fail. So what is seen here are the signals of the reactor pressure, which is typically the most sensitive component at each plant. So for example this is like the example of an attack at a random time, random, just like "I don't know much about the system, I'll try to attack it and consider the effect". Starting from "well, I don't care, it's just the pressure", it can cause economic inefficiencies, like you almost reach a safety accident, but you did not; it actually can make the plant cross the safety shutdown. Also, being above safety does not mean that the plant is going into an unsafe state and that it will explode. So you can see, if you really want to do something specific to the plant, you need to understand your plant, and therefore when we
try to evaluate the impact although solar abilities and I've done so already works explaining how will you be evaluating this impact you need to know exactly so that operators of the facilities need to know exactly how well that works well that I can do with that specifically the ability what kind of attack can be launched is anything necessary conditions are required so that might be also example that I can I have a perfect plan but the control system will block command because OK this is a stupid command I'm not going to follow it because there are a lot of safety precautions in the control systems and also you need to understand how the city of the potential impact so I'm doing all of those questions the gland the standard colors talk and interact with the control system and process and this is followed by now it is the largest history of 21st century nobody knows so this is exactly what is never about and on and on and understand all the necessary like next steps like all that will be performed in such attacks on the basics of the process control because without them I mean it's important roles who knows and used it in 2 weeks from now on I'm going to give you all the
necessary basics for we will understand so what is
the process control. The easiest way to understand process control is the example of a heating system. For example, in the early eighties you used to have this manual valve for how much fuel goes into your furnace, and you physically felt whether it was cold in your house and then manually adjusted the inflow of fuel. Then it became automated, so you now have a thermostat, and you start with a set point: which temperature do you want to have? Then a sensor measures the temperature, and the controller adjusts the inflow of the fuel into the furnace. The same also
happens in the control loop: you have your sensor measuring the temperature, and then the data goes into the control system; the control system computes the difference between the desired temperature and the current temperature, and based on this difference it computes the control command to the fuel valve. So control in cyber-physical systems, across all of them, happens in control loops, and there are many control loops in a
chemical plant, and the thing about them is that they are all interrelated. So for example if you just change something in one control loop, here in red, the changes propagate, and the attacker actually has to take these effects into account.
In real large production the operations are much more complex than just controlling the heating, so typically you need specific control equipment which is called programmable logic controllers, and they typically look like this, for example Allen-Bradley. So then,
like in a treatment facility (this is a real photograph taken by me), you have sensors, you have actuators; in
this case it is a valve, and the wires from the sensors and
actuators are assembled into the cabinet where you have your PLCs, and the entire
control still happens in this controller. So the measurements that are taken by the sensors go to the PLC into the input buffers, the PLC executes the control logic, computes the control commands and sends them to the actuators. So what is control logic? Control logic is the program inside the PLC; it defines the logical sequence of the events: what should happen to the process, at what time, under which conditions. For example, if the pressure in the reactor controlled by this PLC is larger than so many kilopascals, then reduce the inflow. So it just defines the logical sequence of all the events. Also it
defines what should not happen. So typically, maybe 15 years ago, you had a lot of redundant mechanical safety systems in the process, like rupture discs, but maintaining these mechanical safety precautions is extremely expensive, and everyone tried to optimize, to run faster and cheaper, so safety measures were moved into the software. And so in the control logic you will have the so-called interlocks and also safety logic. So for example you cannot run a motor without oil: in the condition where the motor is running and there is no oil, the system will stop because it is unsafe operation. Similarly, if the attacker sends such a command into the system, the system will not allow the attacker to do that unless the attacker takes the next step and reverse-engineers the logic and rewrites the logic. But the
controller doesn't only compute control commands from logic: the dynamic response of the process does not depend on the control logic, it depends on the control algorithm. So the control algorithm is what computes the command to the actuators, and for IT people it looks like a differential equation, and this is typically when IT people say "well, I don't want to deal with physical processes". So you have the set point, you have the measured state of the process, you compute the error, and then you compute the command to the actuator based on the components of the differential equation, which is called proportional, integral and derivative, and the response will depend on these coefficients. Actually finding the right coefficients to control the process is one of the hardest tasks possible, and typically it is done by consultants who cost a lot of money. So for the attacker all of this is extremely important, and all of this data in an efficient
amplitude, because this is what defines the response of the process. It would be
a little silly to not do the job on its own, but you still need the human in the control loop, because the PLCs don't have the entire picture of the process state, and also the PLCs don't have ... what is observed by the human operators in the control room. There are more than 10, 12 thousand measurements in each plant, so the operator cannot pay attention to all of them. So typically things are going wrong in the plant all the time, so the operator has a lot of alarms flashing on his screen and his main job is just to respond to alarms; he is not actually looking at those parts of the process that are not in alarm. So this is actually all you need to know about cyber-physical hacking.
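To make the three layers the speaker separates concrete (the control algorithm, the control logic with its interlocks, and the set point coming from the human), here is an added toy simulation; it is not the speaker's code nor the Vinyl Acetate model from the talk, and the plant constants, PID gains, set-point range and trip limit are all constructed. It shows a PID loop holding a reactor pressure set point, a set-point range check in the control logic rejecting an out-of-range request, and a latched high-pressure interlock that overrides the PID output regardless of what the controller wants.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy reactor: feed valve raises pressure, venting relaxes it toward ambient.
AMBIENT_KPA = 100.0             # pressure with the feed valve fully closed
GAIN = 20.0                     # kPa added per step at full valve opening
LOSS = 0.05                     # fraction of excess pressure vented per step
HIGH_LIMIT_KPA = 450.0          # interlock trip point (control logic, not the algorithm)
SETPOINT_RANGE = (150.0, 400.0) # engineering range accepted from the operator/HMI


@dataclass
class PID:
    """Textbook proportional-integral-derivative controller (constructed gains)."""
    kp: float
    ki: float
    kd: float
    setpoint: float
    integral: float = 0.0
    prev_error: float = 0.0

    def step(self, measurement: float, dt: float = 1.0) -> float:
        error = self.setpoint - measurement
        self.integral += error * dt
        derivative = (error - self.prev_error) / dt
        self.prev_error = error
        command = self.kp * error + self.ki * self.integral + self.kd * derivative
        return min(1.0, max(0.0, command))  # valve opening: 0 = closed, 1 = fully open


def validate_setpoint(requested: float) -> float:
    """Control-logic check: clamp a requested set point into the engineering range."""
    lo, hi = SETPOINT_RANGE
    return min(hi, max(lo, requested))


def plant_step(pressure: float, valve: float, dt: float = 1.0) -> float:
    """First-order toy process dynamics: the 'differential equation' the PID acts on."""
    return pressure + dt * (GAIN * valve - LOSS * (pressure - AMBIENT_KPA))


@dataclass
class RunResult:
    final_pressure: float
    max_pressure: float
    tripped: bool
    trip_step: Optional[int]


def run(requested_setpoint: float, steps: int = 2000, validate: bool = True) -> RunResult:
    """Close the loop: sensor -> PID -> interlock -> actuator -> process, for `steps` scans."""
    setpoint = validate_setpoint(requested_setpoint) if validate else requested_setpoint
    pid = PID(kp=0.002, ki=0.0002, kd=0.005, setpoint=setpoint)
    pressure = AMBIENT_KPA
    max_pressure = pressure
    tripped = False
    trip_step = None
    for n in range(steps):
        # Interlock: latched, so once tripped the valve stays shut until an operator resets.
        if not tripped and pressure > HIGH_LIMIT_KPA:
            tripped = True
            trip_step = n
        valve = 0.0 if tripped else pid.step(pressure)
        pressure = plant_step(pressure, valve)
        max_pressure = max(max_pressure, pressure)
    return RunResult(pressure, max_pressure, tripped, trip_step)


if __name__ == "__main__":
    normal = run(300.0)                    # in-range set point, loop settles, no trip
    clamped = run(480.0)                   # out-of-range request clamped to 400 by logic
    unchecked = run(480.0, validate=False) # same request with the check bypassed: trips
    for name, r in (("normal", normal), ("clamped", clamped), ("unchecked", unchecked)):
        print(f"{name:9s} final={r.final_pressure:7.2f} kPa "
              f"max={r.max_pressure:7.2f} kPa tripped={r.tripped} at={r.trip_step}")
```

The interesting comparison is the last two runs: with the range check in place the request never approaches the trip limit, and with it bypassed the interlock still shuts the valve, which is the speaker's point that an attacker must also reverse-engineer the logic, not just write a set point.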
so the next question probably with interest you like why do I want to have the state of systems like that is any from me so the 1st and
foremost, simple cybercriminals, because most of the hackers are cybercriminals, and they try to hack in order to monetize their attack, and industry is a lot, a lot, a lot of money if you learn how to monetize your attack. In the community of practice one of the things which happens in light of that is actually extortion: you demonstrate your presence in the facility, that you actually can do something to the process, and then you extort. There were a lot of regulations, followed by the accident data being handled, and most of the accident data are actually classified knowledge, therefore almost never seen in the mass media; for us it's very difficult to observe exactly what is happening there, but before those regulations were in place you could really see that most of the accident cases were kind of from earlier. So let's say we are the criminals and we want to do something to the process. I actually just was given a talk, and the talk explained how you actually can monetize an attack, but to start with the attack you actually need to understand what can you do to the process, what can you make the process do. The attacks on the physical process, for example, can be divided roughly into 3 groups. The first is equipment damage: this is breakage of toxic equipment, for example, or equipment overstress, and this is what happened in Stuxnet; we can break it by violating the conditions under which one should operate the equipment. But the
second group of attacks is production damage, so you basically make the plant less profitable: you can for example mess up the product quality or make the plant produce less, or you can make it so that the cost of production will increase, for example the usage of energy or raw materials. Another class of attacks in this group is maintenance effort: make the process behave so that the guys will need to run in trouble all the time, maybe hire external consultants and so on. These 2 groups of attacks will never make it into the newspapers, because the companies must not report them and they will not report them because it is reputation damage, and actually if you report it you may even pay some penalty because you are not maintaining your plant in the right way. So this is, in most cases, what the companies do with what is reported. If you want to see the plant in the mass media, then you would want to make the plant non-compliant. Most of the industries are heavily regulated, and actually the regulations are publicly known, so you can make the plant non-compliant. In the regulations the main topic of course is safety, which is occupational safety of humans in the environment, like for example large fires. A large part of it would be pollution, which is environmental pollution, for example contamination of soil or water. The other thing in the regulations is contractual agreements: most of the industries are obliged to deliver the product at a specific time, and every day of non-delivery costs a lot of money. So, for example, let's assume that the attacker understands all of this; how to choose which attack to launch, and this is how
that that that would be that led
think what is what this will do solution sinking can properties for example equipment damage is something that comes into the our mind 1st like little break something along with all the downside of the brain which is that it's irreversible so if you want to use that as extortionate occupant and which so nobody will be your next time I then it is said that it isn't clear that that collateral damage is unclear if some single best and there will be humanly seen it deepened then you compare this human and then that that I will become and compliance attacked so that is good about this this will become compliance with the relative quiet and this is like this is what I'm talking about this argument is that the compliance of that's not reported to it is and if it is important to the so it is a very serious guys will run off to you unless you completely sure that there will not be able to trace you you would not want to launch in compliance attack on that maybe if you really want to buy a company to come to the headline select we then digitization than you want actually to launch compliance attack because like if there will be a multiple violation in the plant like repeatable than they actually will be shut down on among entities again this unclear collateral damage because for example if you will try to look like let's say make plans contaminated the local water if it will also kill the fish suddenly become safety issue and again exceeded the guys who are enough to you so unless you're not so that you can hide well there you don't want it so it seems like a model that uses this production damage is actually the the most effective because it must be reported you do not have anybody and so it's only safe harbor so that was exactly the case which
I choose for myself for like I want to put people like design that from the beginning to end and this was my text and I want to cause persistent economic damage for example this text tonight it would be useful as an expression underwent an extension of time where if from I want to pick out some competitors out of the market and actually this type of attack university-business happens at the times larger company higher like hard-pressed to hack into the smaller and medium companies to kind of industry the competitive advantage of achievements in this persistent because of the difference between 90 attacks inside the physical attack that you cause effect from the physical and you can't find time and I think you're raising the logs like known enormous and happens so the dice will notice that task is then to make 1st before motorized allowance because of the class will start watching and secondly makes introduces so there like and I concession was there will not attributed to assign they learned by simply it's like nature the behavior of the plant so this is what is important to take in mind
so now ready to start
1 of the difficulty and what we do not see a lot of research done in this area is that in order to like to learn how to access the science and you need to have that system in hand like that in imageability computer software you have it and so what you actually for example can buy a plant and like trying to test like exercises skills but the problem is that real plants it's extremely expensive secondly you need an army of people running it for you and certainly if you will bring the plant as a result of successful attack you will need a lot of new money to be paid so it's kind of looks like a sustainable approach that form like the entire research in the process so technical engineering control engineering is happening all models on the realistic model of the physical objects so this is what I have
done I took a model of them where it's a very accurate and realistic model of vinyl acetate plant I went up date the commodity chemicals it used for like building blocks for a lot alike paints have serious plastics reasons and so on so this is what this is a case study for this effect
so and then mention very attracted mostly CDs of stages before he is ready to offer analyze the final pre so this
is the stages and I will go through all of them you and found at each stage the torque is like and that that is not able to actually like know is like the in the 1st iteration vector is going through stages but then I think you might want to previous stages if you've got some sense so it's actually like kind of tightly interconnected in my jump between the stages or sometimes repeated exercise of the states of stage again and again so let's go through them in excess of his her
arm and so I 1st 5 because it's a very intense presentations what to say and I cannot take out any sense so bear with me so access stages the most familiar to already hackers so for example
this is a typical layout of the industrial control systems so I you know for example if you start from the outside you just like for for example find 0 there is some computer the office network then you use any interest connection to the control network for example you get in in uh was the updates or ways database it would basically so back-up system for anything and then once in a control system you can move freely because there is no security there are only a single still need to explore the industrial devices and if you don't have experienced in that uh no problem because there already exploit packs which you can buy so every publicly known vulnerability is already compiled for you into exploit packs just by it's not free it's still not Metasploit but you can buy on basically so from now on most companies already started getting this right so it might be a little bit more difficult to you you will see this 1 was passed no problem I you
can go directly into the control system because now they put all of the best control devices out onto the internet so what you do is just going to there ICS-CERT advisory database you select the vulnerability of the choices that you use Shodan or any other engine to locate vulnerable devices exploit it you're in so this is the modern way of doing that but that's so the access stage that is the last stage which that has anything to do with radius from now on you have to start thinking of the process and chemical engineer control engineer and so on not a completely new domain so the discovery of the
1st and most need to understand like what is this plant is doing and how to do and how it is building what equipment to there and so on by the monster but no it's not magic might
interested in columns and this is what happened to me when I 1st Google start but you don't really need to know the specific equipment and it is out of our like expertise of traditional IT people and I'm coming from IT domain from telecommunications so that I need to figure
out what the process is doing and how argument that at moment that he's in the when you look at the big that chemistry and semantics of the process is unique to each plant and that I can use to figure it out and I wanted to use this information is not in possession of the plant owners this is done by the parties some subsidizing companies so that I think is actually like before this reconnaissance so the lexical from this point is then that needs to know how the process is controlled on how it is built environment and of course operating and safety conditions of the necessity of this stage of attack is well understood by the attackers and this stage or send physical hacking started long long long time ago usually about as espionage attacks and the time like a really exist some companies and they already going on for years and was like really was that are all the samples all their Monday's from to solvents stream so that that is interesting is something like this can chemical formula this piping and instrumentation diagrams on this is for example instrumentation list
on my diagram so all of this is necessary for the attacker to reconstruct the layout of the plant and 1 letter little the
start understanding how the plant works and build it start making the 1st assumption what kind of attack he can launch so we want to call of persistent economic damage on 1 of the easiest like the 1st way to do it is for example you can distort the pipe which carries the final product this is really affecting the problems that can be noticed quickly repaired quickly you cannot persist for this type of attack this is the rest of the plant can be divided roughly into 2 parts reaction and refinement refinement of the largest part of the fact that it's like couple kilometers long so you don't you need a bicycle to work from 1 part to another so that don't have a lot of opportunities to do something about the process of and you go but also they operator has a lot of opportunities in notice some and actually this point and actually if you for example if the product will be not pure enough you can just actually find it back so it's kind of tricky could you should be attacked usually would be treated in contrast if you will mess up with the reactor itself and make for example that the producing less than actually you already have lot of you have much less products so this really sounds like a good thing there are attached to that of a persistent economic damage from because like if you produce less and then you just don't have that so there is nothing new that operator can do but how do do that so how will we make up the reactor producing less that is the end of this will come already at later so 1st that I need to get this that that that is still not ready to design their damage type because the attacker still does not know what is she's capabilities to control the plant so that will still have to in this basic that tackle keep discovered the plant like so to understand what is his capabilities and 1 of the
most difficult part of a lake of taking part of this stage is to reconstruct the ability to understand to map between for example of this is the bump on piping instrumentation diagram and it is a pump and the plant and find the link between it is a problem that is that are located somewhere in the PLC somewhere in the control logic that that need to reconstruct the ceiling and this is 1 of the most time consuming and difficult part because there is no direct direct mapping between all the stages vertical need tools like excellent to the left of the pigmentation in need a lot of ingenuity in their knowledge to perform this mapping and the product of this extremely difficult our work can and interesting enough that we already have
a malware which already tries to be that for their time and 1 of the ways to perform such mapping use that to hack into the OPC servers so any equipment in the field like controllers sensors so speak some proprietary protocols and the equipment that equipment on upper layer of the speakers were not so OPC is actually a kind of link which allows this two roles to speak to each other so that in the last year like there was the Havex malware which was trying to map the OPC servers and clients and on this description of the heart of Treaty of the slide it's not entirely correct because the description was given by the IT company which and maybe not so fluent in the terminology so that must include that wasn't just discovered all the equipment in the field but the trying already and it was kind of extrapolations for the where the malware that was built and making money right is already doing but did not catch the samples that might well it's like a potentially the template and we announced that mapping devices in the field but in this version of particles just really discovered all OPC servers clients versions and so on preparing for the next stages so this is not that attackers at least this far and they also understand all of the stages so don't want to control the actual
wave you need to find the controls basic to activate which are around the reactor like the pounds all the models all of the models so and this the magnetic metadata and this is the control of which you can which you are able to locate on this extremely well this is just the name of the variables but if you think that this is like correlating done now and how the control of the stock control the deprived of the problem is that optimal control and they're like engaged in engineering fields like having control is not meaning that you can control systems in the process mean if you will try to control the process it might miss the world and it will not necessarily comply to all of your commands it's benefit to people that are difficult to understand the concept that I will explain it to you to you so with this week and turns
it into the control stage so discovery stage was about stated discovered of the plant everything with expected with time of the in the control stage you start understanding then meaning behavior of the plant because it has been reported to the planned it causes effects in downstream and upstream on so
this is an important concept once you hook up equipment together it's that's been going into each other not only by a protocols and 20 links but also by the physics the process so for example you can indeed induce cavitation effects which is like bubbles in the liquid in 1 part of the plants that will propagate and will prove that prevented them from the pressure sensor taking pressure measurements so even the school component the not talk to each other electronically and maybe even belong to different segments of the network they're still speak to each other as so the physics of the process is therefore the security bounded in cyber-physical systems that are not in there and they're not limited to the set domain that propagate like the into the physical domain so that all of these effects and in the dependence is that I have to take into account so
you've seen already this picture and this is like a man you are for example I might put a like cooperated this wild and interestingly enough for example if you will see on like this to learn all physical like they use and what is also this is temperature and flow this is well this is temperature using that kind of response similarly in but in opposite ways so it's really funny why to this way the problem is that the new of
parameters which influence the behavior of the physical process so this is like it's in the slide slightly larger presentation or control mode so there are a lot of components which are involved into the control group and which has impact on how the process will response to sound command and on like when I was designed in my exploits you have to look like all of these levels taking into account and I have to actually called into my workflow have to take into account all of those affected and for example what we already have been talking today about for example controller tuning business which is really liked by it his importance as so you so example it was difficult for us us and this control of me I was not able to control actually this is example when you cannot control some control survivable from cooperating while it starts and it's called a parzen window impact impacted in effect which is caused by the negative real control course this is like the solution of the differentiation no occlusion does not exist you want to watch and even because because like this would in effect that so small like like widely like located the parameters of the solution impact propagates downstream and another controlled it calls already knew that which is extremely large and then all of these high points for closing allowance that he did lot so and since I don't want to hit the line that was wasn't way could come like parade this fall because the 2 of his so basically this control is not useful to me and this control and could not control and arrive the process behave typically in a very strange way because it is nonlinear all physical processes complement the non linear when does that mean is that for example if you should know what from 70 to 80 degrees it being completely different as a value from that are heated deal for example 90 degrees and at the end of the behavior of the physical processes to the extent of the modeling model every physical phenomena and then this part of
the world into the controllers and the controller control the physical properties according to the control model it has so the process had never been expected to operate at 90 degrees the control of governments have unintelligible to control the degree in this temperature range it means that and it's in that article typically try to move back to somewhere and in the state of their mean that the optimal operational bond there is this is where the controller will not be able to control the process so that I also cannot control the process and get ready in the form that was used in response to the uh to some control command and the constraints we need an all of this commercial because a lot so the challenge of the is also to understand mention manipulate the process you observe the response and she does not know whether that is the effect of that time or at the property of the system design this is a huge challenge to that so and then when he was trying to understand the meaning of the word of the process he needs to take into account all of this and trying to kind of understand the facts so standard that of that step attacked when you bring process and state in the Union there when you are trying to promote this letter to recover launch another type latitude pollen someone so far and the outcome of the control stage is that of this is
that this was the result of the control of the rich so we try to kind of all of the results don't understand that's a mental picture of the dynamic behavior and the magnitude event and progress time to find a nice way hope to match the physical and then immediately the process of some process as fingerprint kind of like a creative sort of a hash function only that that you can also read it back I mentioned that that also doing that and probably lines so there will be trading that in the black market so that outcome of
the control that you have to look at it that I've controlled intuition which are reliable and you can control and which of those unreliable and you cannot use them for that at design and also you have to understand the parameters which have of parameters the process will cause alliance and which not so this is nothing to understand is just like we have to kind of be finished with a reliable control and understanding of their are a lot of activation so once you have
done the control of data can really start thinking about the damage uh like what kind of damage it can cause and
the allowing the service of text-based image and this is 1 of the most difficult stage is from the for that I could because you need expert knowledge like input from the user however the system failed and uh the master in his body and just like starting in the accident report that so if the system fails in run in this vein that is a good chance that the it it will fail in the same way again and all of that information is public can also find a lot of new and in and so on what I don't accurate inference again right going come after the control and for example and this this is represented beautiful and image attacks another like let's poison the catalyst and the reactor if you present it extremely expensive but that be a prior to the facility of there's this is in was expensive but you can only major are so schools in the yes and so the golden in in in order to change the catalyst in the actor you need to raise the temperature in the reactor about 200 degrees the prominence models are presented in the 1st set at the confluence of tried to implement this attack and the problem with and was not able to control the Knesset acquired control so I was not able to raise the temperature to 200 degrees long enough so that I could kill the catalyst so therefore like OK and if you will try to come up with all the different artists and writers but then you cannot implemented because the control system that allow you to do so all of your previous efforts we use lists the former start with the control the type to understand what you can control and then was lost control units and start designing which attracts sonatas and you will probably want to design several standard is because you will need to put selective 1 energy to put into your pillow because if 1 doesn't work then you can use the 2nd 1 so let's
start with the damage 1 of the challenges so that for that type of that the process is actually not designing a heck of friendly way so for example that my name the sensors measuring the values which you need for your time what the information about the process the spread spreading of multiple system and you have to look around and a break into a lot of them and maybe the control of the multiple and control the parameters which you need for your entire and so the
content of the knowledge base so we want to produce less of the products so we want to produce reduce the effect effectiveness of the reactor so in order to be able to manage the impact of this attack we need to mention that we need to be able to measure the production the concentration of when you look the molecules in the reactor and is it the concentration of chemical this is measured by their analyzers that are 4 of them that are independent but none of them in the reactor entered why because analyzers are extremely extremely extremely expensive and there are only those places that really really necessary for plant operations so on the and actually to to compute the color much less products our is produced we need to full and indeed concentration the only place where the communication is available is here at the end of the plant but this measurement will be available to that and after 8 hours which is too long you can't operate something that always and see what is happening so really we need to find the way to a fight measure this effect here but you can't because there is no analyzers so the only 2 measurements available to us flow and temperature for the do but we don't have analyzers and so on but it happened so you can always find the right so actually in the 2 types
of uncertainty in the practice engineering engineering and and answer depletion onset of 0 OK something is decreasing and engineering and is actually it tells you if the electron fast or in high much time so this is very useful concepts for us because
we actually induce a temperature uh measurement as a proxy measurement for us so actually so if n is less action happening in the reactor then the temperature in the end it will be lower so if you will look at that temperature low indicators how much reaction is happening in the reactant so basically is ruled by looking at the it and this measurement we can understand whether is our a type had impact or not but unfortunately it still and that would allow us to a tool size compare the effectiveness of different attacks so we really need to find the amount of chemicals so and this is where the spotlight for a couple of weeks because it seems like we don't have become procedures our time so then there must be something that I have several important so when I was going to a very fine so I kind of this I know the system's very well so and I know that inside of the of the is dialog from the intermediate computations happening also in the upper layer in the example in the optimization optimization of the places that a lot of computations are happening in between in order to compute the most effective control commands in and they were the challenges that the sun was like maybe there's something intermediate computations which will actually be helpful for us and to let a lot of hours of work that find a place in the course which could be useful to us able to extend this numbers is actually the beginning didn't tell us anything that the samples 0 0 to 1 . 208 and if you multiply this with 4 did not give us any useful numbers the basically after another 2 weeks of the crazy mass they were able to figure out uh compute
the concentrations so is that we actually could compute the concentrations of revenue looks taking the exit in an environment with 5 the
transfer of that number into amount of dollars in so on the outcome of the
demonstrates was and go and the controlled by the damage potential account much money the plant will be using the field will be attacked in specific control so little the outcome of the damage stage and so and then basically you will include your personal attacks and all those kind like on a couple of control loops on
end this station was abandoned yet as I told you the beginning that the low-cost physical that and he and he interpretable the the plant is producing less and will start investigating so you want to create a forensic footprint so that to mislead the what is happening with so this is a slide just
to so again that you have also human in the control
arm and hand here so how could would you do like what can be done for example mean up can for example a line just like for example only on the rainy days or only on the sunny days it can also for example I'm sure that's and a particular employees shift so that they will be investigated and not the process so for example this is there would be that the action plan pixel several based on the right is the temperature in the reactor wait for the schedule instrument uh recalibration from the 1st attack rate for the maintenance that I've been yielded and the calibration to be repeated but the next that art and so on so all of this is for example this is the 1st different attacks minus which cross the deviation in the temperature of different amplitude and just like play them at the opportunity to run so if after some time they will
actually started out the reactor like OK what is really already noted but we found someone with the reactor the lecture by the professional friend the guys who will be investigated like what is happening with the reactor nobody can see what is happening the but identity is being analyzed by on the based on the set of metrics so that that they need to understand the semantics will be computed and then kind of pleasure that access to make such little misleading there will not be able to figure out what is happening with the reactants so this process army and like the nascent but this is just like different metrics of which are used to analyze their own and reactive on so that all
basically this is like a missing that presented to you just like if somebody gave at each stage that I need to that is a set of actions for the task which at a clinic to accomplish at each stage is a different examples and finally that will eventually bring into the final period Lord I and
so and then afterward well it's
really true that the systems being tested control systems that try to be vulnerable to all put on the internet and attacker can get access so of this is the state of the art nevertheless he still don't see a large hearts like something like blowing because it's extremely difficult it is extremely difficult and if you look at the like uh latest paper from some the precise targeted attacks which I described to you right now that would is like with most of them are difficult to accomplish so
of the consideration of the purpose of the different what you can do as well in terms of rise the cost of the time because for that I think the questions that I can quickly increase the damage Warsaw here and all that is also important to understand is that actually certain tasks which are that I can use to do that the same for different types of cyber-physical systems from the already designed several payloads always like attack instances which can be used in different types of cyber-physical systems so my personal opinion that are Metasploit for SCADA amount of time so on and
so forth to complement but thank you very much for your attention and younger and available for the questions later