SlideShare a Scribd company logo

Quimicefa for hackers: Attacking (and trying to defend) chemical processes

Talk in Euskalhack 2017 Security Congress, in 2017-06-24. Explains the problematic of physical exploitation and protection of industrial processes, focusing on the chemical process use-case. A live demo was conducted using DVCP-TE and several live attacks.

1 of 37
Download to read offline
Quimicefa for hackers: Attacking (and trying to
defend) chemical processes
Mikel Iturbe
$ whoami
● Mikel Iturbe
– Researcher at the Intelligent Systems for Industrial
Systems (ISIS SISI) Group of Mondragon
Unibertsitatea.
– Work mainly in ICS Security
● Intrusion (Anomaly) detection
– Among other things
● Data analysis
What I’ll talk about
● Intro to ICS/PCS/SCADA/IN/Industrial… security
● Process-level security
● Attacks on chemical plants
– Demo
● Countermeasures
– Example
● Conclusions
Control Systems
CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz
Control Systems
● ICS/IACS/IN/SCADA/DCS...
© 2016 Little Bobby All Rights Reserved
A bit of history
● Trans-Siberian pipeline explosion (1982)
– Source unconfirmed (myth?)
– Two hypotheses on the cause:
● Operator mistake
● Malicious and leaked software caused the explosion
Ad

Recommended

BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
MIT Bitcoin Expo 2018 - Hardware Wallets Security
MIT Bitcoin Expo 2018 - Hardware Wallets SecurityMIT Bitcoin Expo 2018 - Hardware Wallets Security
MIT Bitcoin Expo 2018 - Hardware Wallets SecurityCharles Guillemet
 
Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Jaap van Ekris
 
2015 05-07 - vu amsterdam - testing safety critical systems
2015 05-07 - vu amsterdam - testing safety critical systems2015 05-07 - vu amsterdam - testing safety critical systems
2015 05-07 - vu amsterdam - testing safety critical systemsJaap van Ekris
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 

More Related Content

Similar to Quimicefa for hackers: Attacking (and trying to defend) chemical processes

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsMarina Krotofil
 
Monitoring - deeper dive
Monitoring  - deeper diveMonitoring  - deeper dive
Monitoring - deeper diveRobert Kubiś
 
First SCADA LAB International Workshop
First SCADA LAB International WorkshopFirst SCADA LAB International Workshop
First SCADA LAB International WorkshopScadaLab Project
 
[CLASS 2014] Palestra Técnica - Samuel Linares
[CLASS 2014] Palestra Técnica - Samuel Linares[CLASS 2014] Palestra Técnica - Samuel Linares
[CLASS 2014] Palestra Técnica - Samuel LinaresTI Safe
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Byres Security Inc.
 
2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systemsJaap van Ekris
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)TI Safe
 
Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)shanshicn
 
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxCPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxMahendraShukla27
 
2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systems2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systemsJaap van Ekris
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsC4Media
 
Embedded Basics
Embedded Basics Embedded Basics
Embedded Basics Electro 8
 
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systemsJaap van Ekris
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Functional safety by FMEA/FTA
Functional safety by FMEA/FTAFunctional safety by FMEA/FTA
Functional safety by FMEA/FTAmehmor
 

Similar to Quimicefa for hackers: Attacking (and trying to defend) chemical processes (20)

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
S4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsicsS4x16 europe krotofil_granular_dataflowsics
S4x16 europe krotofil_granular_dataflowsics
 
Monitoring - deeper dive
Monitoring  - deeper diveMonitoring  - deeper dive
Monitoring - deeper dive
 
First SCADA LAB International Workshop
First SCADA LAB International WorkshopFirst SCADA LAB International Workshop
First SCADA LAB International Workshop
 
[CLASS 2014] Palestra Técnica - Samuel Linares
[CLASS 2014] Palestra Técnica - Samuel Linares[CLASS 2014] Palestra Técnica - Samuel Linares
[CLASS 2014] Palestra Técnica - Samuel Linares
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
 
2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
 
Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)
 
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxCPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
 
2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systems2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systems
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient Systems
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2
 
Embedded Basics
Embedded Basics Embedded Basics
Embedded Basics
 
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
 
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Functional safety by FMEA/FTA
Functional safety by FMEA/FTAFunctional safety by FMEA/FTA
Functional safety by FMEA/FTA
 

Recently uploaded

The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17Ana-Maria Mihalceanu
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfDomotica daVinci
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Product School
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsInflectra
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, GoogleISPMAIndia
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfIsidro Navarro
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanDatabarracks
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Product School
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Product School
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?MENGSAYLOEM1
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxMemory Fabric Forum
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfkatalinjordans1
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringMassimo Talia
 

Recently uploaded (20)

The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdf
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
 
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdf
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...Relationship Counselling: From Disjointed Features to Product-First Thinking ...
Relationship Counselling: From Disjointed Features to Product-First Thinking ...
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptx
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdf
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineering
 

Quimicefa for hackers: Attacking (and trying to defend) chemical processes

  • 1. Quimicefa for hackers: Attacking (and trying to defend) chemical processes Mikel Iturbe
  • 2. $ whoami ● Mikel Iturbe – Researcher at the Intelligent Systems for Industrial Systems (ISIS SISI) Group of Mondragon Unibertsitatea. – Work mainly in ICS Security ● Intrusion (Anomaly) detection – Among other things ● Data analysis
  • 3. What I’ll talk about ● Intro to ICS/PCS/SCADA/IN/Industrial… security ● Process-level security ● Attacks on chemical plants – Demo ● Countermeasures – Example ● Conclusions
  • 4. Control Systems CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz
  • 5. Control Systems ● ICS/IACS/IN/SCADA/DCS... © 2016 Little Bobby All Rights Reserved
  • 6. A bit of history ● Trans-Siberian pipeline explosion (1982) – Source unconfirmed (myth?) – Two hypotheses on the cause: ● Operator mistake ● Malicious and leaked software caused the explosion
  • 7. A bit of history ● Maroochy Water Breach (2004) – 142 pumping stations ● Ex-employee attacks the system with stolen equipment ● >1m liters of sewage water spilled with no control.
  • 8. A bit of history ● Stuxnet (2010) – Designed to disrupt Iran’s nuclear program – 4 zero-days – Sabotaged uranium centrifuges by spinning them faster
  • 9. A bit of history ● German Steel Mill Incident (2014) – Not much known (who,where…) – Spear-Phishing > IT network > OT network – A blast furnace could not be shut down properly. “Massive” losses.
  • 14. Ok! Let’s start then ● Realistic environment for research ● Conducting attacks with physical impact requires large domain knowledge – Process (what is this?) – Control (how it behaves?) – Objective (what do I want to achieve?)
  • 15. Ok! Lets start then ● http://www.ippe.com/Plants ● http://usedplants.com ●
  • 16. Ok! Let’s start then ● Realistic environment for research ● Let’s not break the bank
  • 19. Ok! Let’s start then ● Realistic environment for research ● Let’s not break the bank ● Let’s not get ourselves killed
  • 20. Simulation: DVCP ● Damn Vulnerable Chemical Process – Presented by Krotofil and Larsen – Two variants ● Tennessee-Eastman (TE) ● Vinyl Acetate Monomer (VAM) – Developed over Matlab & Simulink ● Process in C ● Control/Execution in Simulink
  • 22. Attacking chemical processes ● Necessary to have wide domain knowledge – Knowledge of the process and its control ● Main types of attacks – Equipment damage (break stuff...) – Economic damage (make it expensive...)
  • 23. Equipment attacks ● Pipe damage (Clogging, water hammer) ● Reactor damage. (kabooom)
  • 25. Economic attacks ● Produce product of inferior quality (huge impact) ● Increase cost of operation ● More stealthy than equipment attacks
  • 27. Countermeasures ● Monitoring variable values ● Signal noise analysis for replay attacks ● Predictive approaches ● Non-predictive approaches
  • 28. Multivariate Statistical Proc. Control ● Previously used for fault detection/quality control ● By using PCA, it transforms the original variable space into a new subspace ● Two statistics are computed, D and Q and these are monitored ● Once an anomaly is detected, by using contribution plots we diagnose its cause Teodora Kourti. Process analysis and abnormal situation detection: from theory to practice Control Systems, IEEE, IEEE, 2002, 22, 10-25
  • 29. Example Mikel Iturbe, José Camacho, Iñaki Garitano, Urko Zurutuza, Roberto Uribeetxeberria. On the Feasibility of Distinguishing Between Process Disturbances and Intrusions in Process Control Systems Using Multivariate Statistical Process Control 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W), IEEE, 2016, 155-160
  • 30. Example Row 1 Row 2 Row 3 Row 4 0 2 4 6 8 10 12 Column 1 Column 2 Column 3
  • 34. Doing now ● I first wrote MSPC over Apache Spark – Replicating functionalities from existing Matlab toolbox – Yeah, you know, “Big Data” ● Rewriting it in pure Python ● Finishing a Modbus bridge for DVCP-TE
  • 35. Conclusions ● ICS and IT security are different – Specially when exploiting systems ● Current protection approaches disregard process dynamics – I think this will change ● There are PoC for intrusion detection at the process level ● This field requires a multidisciplinary point of view
  • 36. Still much to do!!!!!!! ● This field is still underdeveloped when compared to other sec fields ● Much to do, much to learn. Not many resources though, :-/ – Formal training: control theory, chemical engineering, academic papers. – Con talks (Marina Krotofil, Jason Larsen...)
  • 37. Eskerrik asko ● mikel@hamahiru.org ● miturbe@mondragon.edu ● Twitter: @azken_tximinoa ● https://iturbe.info