This document summarizes a presentation given by Marina Krotofil on cyber-physical hacking of industrial control systems. Some key points include:
- Exploiting vulnerabilities in industrial equipment like switches and PLCs can allow attacks like denial of service to disrupt process control.
- Sensor spoofing and signal manipulation can also impact process observability and control by deceiving operators or controllers.
- Process dynamics and correlations between sensor signals can be analyzed to identify manipulated data and detect attacks.
- Data processing and filtering can potentially hide attack indicators or process impairments from operators and control systems.
4. Who I am
(Ex)Academic
❑ Self-taught cyber-physical researcher
❑ Bits & pieces of knowledge from all over the world
❑ Collaborations around the world
Thank you everybody
7. Cyber-physical systems
Cyber-physical systems are IT systems “embedded” in an application in the physical world
8. IT-centric security
ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass Vulnerability
ICSA-13-274-01: Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation Vulnerability
ICSA-15-099-01A: Siemens SIMATIC HMI Devices Vulnerabilities (Update A)
ICSA-12-320-01: ABB AC500 PLC Webserver CoDeSys Vulnerability
ICSA-15-048-03: Yokogawa HART Device DTM Vulnerability
ICSA-15-111-01: Emerson AMS Device Manager SQL Injection Vulnerability
ICS-ALERT-14-323-01: Advantech EKI-6340 Command Injection
ICSA-11-307-01: Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities
9. ICS-CERT recommendation
IMPACT
Successful exploitation of this vulnerability may allow attackers to perform administrative operations over the network without authentication.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
ICSA-13-274-01: Siemens SCALANCE X-200 Authentication Bypass
10. My first “testbed”
Frozen PLC, lost connection, project does not compile, etc., etc. …
Depression. Fatigue. Apathy.
NEVER TOUCH a WORKING CONTROL SYSTEM
20. When to attack?
[Figure: sensor signal against its set point (kPa gauge over 70 hours); reactor pressure without attack and under attack, for attacks that decrease the process value and attacks that increase it]
M. Krotofil, A. Cardenas, J. Larsen, D. Gollmann. Vulnerabilities of cyber-physical systems to stale data—Determining the optimal time to launch attacks (IJCIP, 2014)
22. Vulnerability of control equipment
Stale data is a feature! (and we shamelessly take advantage of it)
❑ Missing process updates are OK; report-by-exception
o Freeze all points for a particular TCP/IP session with a UDP packet by advancing the sequence number
o Session is kept alive by sending a UDP packet every 30 seconds to any interface
(This vendor is not vulnerable)
M. Krotofil, J. Larsen. What You Always Wanted and Now Can: Hacking Chemical Processes. Hack in the Box, Amsterdam (2015)
23. Vulnerability of communication equipment
❑ Eireann Leverett showed bugs in industrial switches
o Monitor process data
o Pass only ACK messages to show link as healthy
o Drop packets with process data
(Illustrative sample of equipment)
E. Leverett. Switches Get Stitches. 31C3 (2014)
35. Process data flow (PLC)
[Figure: D feed (kg/h), reactor pressure (kPa gauge) and A and C feed (kscmh) over 72 hours]
(C)IA of data in storage and transit
Courtesy: B. Green, Lancaster University, UK
36. Attack vectors
[Figure: the same D feed, reactor pressure and A and C feed traces over 72 hours]
Data trustworthiness or veracity
Secure delivery of insecure data
Courtesy: B. Green, Lancaster University, UK
37. Lesson #3: IT and OT have common problems
NEVER TRUST YOUR INPUTS
38. Instruments calibration
InTech, ISA magazine, April 2014
HIMA presentation, October 2014
39. BP Texas City refinery accident
❑ Worst accident in recent USA history (2005)
❑ 15 killed, 180 injured
❑ Wrong calibration of the splitter tower level indicator
o It showed that the tower level was declining when it was actually overfilling with flammable liquid hydrocarbons
❑ The further chain of events eventually led to an explosion
http://www.csb.gov/bp-america-refinery-explosion/
40. Sensor signals spoofing on field device
[Figure: two traces of the same sensor signal (0 to 7000 samples) and two plots of A and C feed (kscmh) over 72 hours, genuine next to spoofed: “Find X differences”]
M. Krotofil, J. Larsen, D. Gollmann. The Process Matters: Ensuring Data Veracity in Cyber-Physical Systems (ASIACCS, 2015)
43. Detection
Spoofed signals appear genuine at first glance, but they are not correlated with the rest of the signals in the cluster of related sensors.
[Figure: time-window cluster entropy, Entropy [bits] over 70 hours; readings of sensors {5;6;23} over 72 hours]
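A simplified version of the cluster-consistency check described above, added here as an example and not code from the talk: instead of time-window entropy it uses the weakest pairwise Pearson correlation inside each window. The three sensors, their coupling through one hidden process state and the spoofed window are constructed assumptions. A frozen (stale) point, as on slide 22, breaks the correlation the same way.

```python
import math
import random
import statistics

def gen_cluster(n=600, seed=7):
    """Constructed data for three coupled sensors {5, 6, 23}: each reading follows
    one hidden process state (load) plus small, independent sensor noise."""
    rng = random.Random(seed)
    walk, s5, s6, s23 = 0.0, [], [], []
    for t in range(n):
        walk += rng.gauss(0.0, 0.05)
        load = math.sin(t / 30.0) + walk
        s5.append(9.2 + 0.3 * load + rng.gauss(0.0, 0.003))    # feed, kscmh
        s6.append(2800.0 + 12.0 * load + rng.gauss(0.0, 0.15))  # pressure, kPa
        s23.append(40.0 + 6.0 * load + rng.gauss(0.0, 0.08))    # third related sensor
    return s5, s6, s23

def spoof_window(signal, start, length, seed=1):
    """Test input modelling the spoof on the slide: [start, start+length) is replaced
    by independent samples with the mean and spread of the preceding window, so the
    trace looks plausible in isolation but carries no process information."""
    rng = random.Random(seed)
    ref = signal[start - length:start]
    mu, sd = statistics.fmean(ref), statistics.pstdev(ref)
    out = list(signal)
    for i in range(start, start + length):
        out[i] = mu + rng.gauss(0.0, sd)
    return out

def pearson(a, b):
    """Pearson correlation; a frozen (zero-variance) point yields 0.0."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va > 0 and vb > 0 else 0.0

def flag_windows(signals, win=60, step=30, threshold=0.8):
    """Slide a window over the cluster and report windows whose weakest pairwise
    |correlation| drops below threshold: the sensors have stopped agreeing."""
    n, alerts = len(signals[0]), {}
    for start in range(0, n - win + 1, step):
        segs = [s[start:start + win] for s in signals]
        worst = min(abs(pearson(segs[i], segs[j]))
                    for i in range(len(segs)) for j in range(i + 1, len(segs)))
        if worst < threshold:
            alerts[start] = round(worst, 3)   # window start -> weakest |corr|
    return alerts
```

Running `flag_windows([s5, s6, s23])` on the clean cluster returns no alerts, while `flag_windows([spoof_window(s5, 300, 120), s6, s23])` flags the windows inside the spoofed span even though the spoofed trace alone looks like any other.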
46. Data processing and loss of equipment
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
❑ Two identically built nuclear power plants
o One had flow-induced vibration issues, the other did not
❑ Excessive vibrations showed up as high-frequency noise in the sensor signals
o In one plant the noise was filtered out at the source, resulting in loss of view into the vibration indications
❑ The “filtered” plant operated at full power, running equipment in unsafe conditions
o This led to loss of equipment
47. Data processing as attack vector
❑ Make data unusable; deceive about process state
❑ Smooth out attack traces (spikes, etc.)
❑ Mislead forensics people
o Also: Time sync attack
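The filtering problem on slides 46 and 47, as an added example that is not from the talk: a constructed flow reading with a high-frequency vibration component, a moving-average filter standing in for filtering “at the source”, and a crude high-frequency-energy indicator that sees the vibration in the raw data but not in the filtered data. Signal shape, amplitudes and thresholds are all assumptions.

```python
import math
import random
import statistics

def vibration_signal(n=2000, vib_amp=0.0, seed=3):
    """Constructed flow reading: slow process trend, sensor noise and an optional
    high-frequency component standing in for flow-induced vibration
    (vib_amp > 0 is the plant that shakes, vib_amp == 0 the one that does not)."""
    rng = random.Random(seed)
    return [100.0 + 2.0 * math.sin(t / 300.0)
            + vib_amp * math.sin(2.5 * t)          # far above the process bandwidth
            + rng.gauss(0.0, 0.05) for t in range(n)]

def moving_average(x, k):
    """Causal k-sample moving average: the kind of low-pass 'noise' filter that can
    be configured at the source (transmitter or PLC input block)."""
    out, acc = [], 0.0
    for i, v in enumerate(x):
        acc += v
        if i >= k:
            acc -= x[i - k]
        out.append(acc / min(i + 1, k))
    return out

def hf_energy(x, k=5):
    """RMS of what a short smoother removes: signal energy above the process bandwidth."""
    smooth = moving_average(x, k)
    return math.sqrt(statistics.fmean((a - b) ** 2 for a, b in zip(x, smooth)))

def vibration_indicated(x, threshold=0.12):
    """Crude vibration indicator an analyst could run over historian data."""
    return hf_energy(x) > threshold

if __name__ == "__main__":
    quiet = vibration_signal(vib_amp=0.0)
    shaking = vibration_signal(vib_amp=0.3)
    stored = moving_average(shaking, 25)     # what the "filtered" plant keeps in its historian
    for name, sig in (("quiet", quiet), ("shaking", shaking), ("shaking, filtered", stored)):
        print(f"{name:18s} hf_energy={hf_energy(sig):.3f} indicated={vibration_indicated(sig)}")
```

The filtered copy of the shaking plant's signal scores like the quiet plant: once the filter runs at the source, nothing downstream can recover the indication.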
48. State estimation and sensor placement
https://sites.google.com/a/mix.wvu.edu/pse-deb/research/state-estimation-and-sensor-placement
❑ Sensor placement is determined by process feasibility, safety and economic objectives
o Very active research area
❑ Attack indications (process impairment) might be unobservable to the control system
o Or unclear to the operator
Spread process information over multiple sensors/systems
Use home court advantage
49. Lesson #4: OT security and economy also conflict
❑ For most reactors optimal operating (economic) efficiency is achieved at the upper shutdown pressure limit
o Attacker can achieve disruptive goal fast
❑ Maintaining a safety margin of at least 100 kPa (out of 3000 kPa) is equivalent to a 5% increase in costs (TE process)
❑ Security adds an additional constraint on the cost optimization function
o Time to detect and react
o Additional controls and/or safety protections
51. T2 Laboratories accident
❑ Thermal runaway reaction (December 19, 2007)
❑ 4 killed, 28 injured
❑ Failed cooling system, no redundancy
❑ 10 min between the failure and explosion
http://www.csb.gov/t2-laboratories-inc-reactive-chemical-explosion/
52. Human in the loop
❑ Process & control designs are a function of physics, economy and human factor
http://www.controlglobal.com/articles/2015/a-lasting-plan-for-managing-alarms
53. Abnormal situation management
❑ Alarm floods
❑ Abnormal communication patterns
❑ Abnormal data flows
Network monitoring strategy?
http://www.asmconsortium.net
57. C1C3: Catalyst poisoning attack
[Figure: reactants, product, catalyst]
❑ Lifetime 1-2 years
❑ Low per-pass conversion
o 15-35% for CH₃COOH and 8-10% for C₂H₄
❑ Selectivity ≈ 94,8% (C₂H₄)
Subjected to constant improvement
On purpose low
M. Krotofil. Damn Vulnerable Chemical Process. 31C3 (2014)
58. Catalyst killer
❑ Hot spots above 200 °C -> permanent deactivation
o Lower activity at T > 180 °C
[Figure: reactor with cooling tubes]
It was not possible to raise the temperature in the reactor and maintain it for long enough to cause damage to the catalyst
61. Include physical environment
Once connected together, physical components become related to each other by the physics of the process
❑ Physical environment is a communication media!
❑ Components can influence each other even if their control loops do not communicate electronically
62. Harmonization of safety & security lifecycles
❑ System remains SECURE if updated often
o E.g. installing patches, updating firmware
❑ System remains SAFE if untouched
o Any change in software or operational practices requires safety revision
Use case: Methyl chloride release at DuPont (1 killed)
o After a maintenance software update (without review) the alarm notifying of a hose change due date “disappeared”
o A hose used to transfer phosgene from a cylinder to a process catastrophically failed and sprayed a worker in the face
M. Krotofil, J. Larsen. Are you Threatening my Hazards? IWSEC (2014)
64. Hacking Chemical Plant for Competition & Extortion
[Figure: attack cycle: Access, Discovery, Control, Damage, Cleanup]
M. Krotofil. Hacking Chemical Plants for Competition and Extortion. Black Hat USA (2015)
J. Larsen. Breakage. Black Hat Federal (2007)
65. Current: Access centric
• 0days
• Clueless users
• AntiVirus and patch management
• Database links
• Backup systems
• (Vulnerable) Internet facing devices
• Supply chain
66. Needed: process centric
What and how the process is producing
How it is built and wired
How it is controlled
Operating and safety constraints
Target plant and third parties (illegal)
How much can attacker figure out about the facility and its operations?
68. From inside
Piping and instrumentation diagram
Ladder logic / Programmable Logic Controller
Pump in the plant
69. From inside
Piping and instrumentation diagram
Ladder logic / Programmable Logic Controller
Pump in the plant
HAVEX: the server is queried for tag name, type, access, and id (ICS-CERT)
70. Criticality vs. likelihood
Sensor               Safety time, h (min)   Safety time, h (max)
A-feed               22.22
E-feed               4.29                   2.83
Recycle flow         4.39                   9.17
Reactor pressure     8.56
Reactor level        2.37                   2.73
Reactor temperature  1.34                   0.65
❑ The attacker is likely to design her attack based on information she can easily obtain or what is easy to understand
o Protect what is most likely to be attacked
Lesson #5: Still likelihood
M. Krotofil, A. Cardenas, J. Larsen, D. Gollmann. Vulnerabilities of cyber-physical systems to stale data—Determining the optimal time to launch attacks (IJCIP, 2014)
72. Industrial Internet of Things (IIoT)
IIoT means you license a pump, and it phones home regularly to make sure you made your monthly payments.
(Twitter @mtoecker)
Your trust in an infrastructure is directly proportional to how invisible it is to you as an end user.
(Twitter @blackswanburst)
Miniaturization.
(J. Larsen)