
Damn Vulnerable Chemical Process



  1. Marina Krotofil, PHDays, Moscow, Russia, 29.06.2015. Damn Vulnerable Chemical Process, vol. 2. ENCS
  2. Who I am: (ex)academic
     • Have been teaching security topics for 10 semesters
     • Prefer physics over web technologies
     • Most frequently asked question: HOW DID I LEARN ALL THESE THINGS??
  3. What this talk is about. ENCS
  4. Industrial Control Systems: physical application. Courtesy: Compass Security Germany GmbH
  5. Control loop (diagram): sensors measure the process state; the control system computes control commands for the actuators; the actuators adjust themselves to influence the behavior of the physical process.
  6. Smart instrumentation (old-generation temperature sensor vs. sensor with a computational element)
     • Converts analog signal into digital
     • Sensors pre-process the measurements
     • May send data directly to actuators
     • IP-enabled (part of the “Internet-of-Things”)
  7. Cyber-Physical Systems
     • Cyber-physical systems are IT systems “embedded” in an application in the physical world
     • Attack goals:
       o Get the physical system in a state desired by the attacker
       o Make the physical system perform actions desired by the attacker
  8. Vendors: instrumentation of the future. Promise from the vendors: “Expect instruments of the future to have multiple communication channels, each one with built-in security (LOL), much like a present-day Ethernet switch. These channels will be managed with IP addressing and server technology, allowing the instrument to become a true data server.”
  9. Chemical plants. Source:
  10. Here’s a plant. Go hack it.
  11. Damn Vulnerable Chemical Process, vol. 1
     • Compliance violation: safety; pollution; contractual agreements
     • Production damage: product quality and product rate; operating costs; maintenance efforts
     • Equipment damage: equipment overstress; violation of safety limits
     Paracetamol purity vs. price (EUR/kg): 98% → 1; 99% → 5; 100% → 8205. Source:
  12. Here’s a plant. Go hack it. Attack scenario: persistent economic damage
  13. Plants for sale (from LinkedIn)
  14. Vinyl Acetate Monomer plant
  15. Stages of cyber-physical attacks. ENCS
  16. Attack objective; evil motivation; cyber-physical payload
  17. Stages of SCADA attack: Access, Discovery, Control, Damage, Cleanup. Jason Larsen, „Breakage“, Black Hat Federal, 2007
  18. Stages of SCADA attack: Access, Discovery, Control, Damage, Cleanup (diagram repeated)
  19. Stages of SCADA attack: Access, Discovery, Control, Damage, Cleanup (diagram repeated)
  20. Access. ENCS
  21. Traditional IT hacking
     • 1 0day
     • 1 clueless user
     • AntiVirus and patch management
     • Database links
     • Backup systems
  22. Invading field devices
     • Jason Larsen at Black Hat’15, “Miniaturization”
       o Inserting a rootkit into firmware
     Attack scenario: pipe damage with water hammer (diagram: water flow, valve closes, shock wave, reflected shock wave, pipe movement)
  23. Discovery. ENCS
  24. Process discovery: what and how the process is producing (espionage); how it is built and wired (espionage, reconnaissance); how it is controlled (espionage, reconnaissance)
  25. Process discovery
  26. Know the equipment: stripping column. Stripper is...
  27. Reaction, refinement, final product: where is the max economic damage?
  28. Available controls (fixed)
  29. Understanding points and logic: piping and instrumentation diagram; ladder logic; programmable logic controller; pump on the plant. Courtesy: Jason Larsen
  30. Available controls
  31. Available controls
     • Obtaining control is not being in control
     • Obtained control might not be useful for the attack goal
     • Attacker might not necessarily be able to control the obtained controls. WTF???
  32. Control. ENCS
  33. Physics of process control
     • Once hooked up together, physical components become related to each other by the physics of the process
     • If we adjust one valve, what happens to everything else?
       o Adjusting temperature also increases pressure and flow
       o All the downstream effects need to be taken into account
     • How much can the process be changed before it raises alarms or shuts down?
  34. Process control challenges (diagram: controller, process, transmitter, final control element; set point, load; operator practice, control strategy, tuning, algorithm, configuration, sizing, dead band, flow properties, equipment design, process design, sampling frequency, filtering)
  35. Process control challenges
     • Process dynamics are highly non-linear (???)
     • Behavior of the process is known to the extent of its modelling
       o So are the controllers. They cannot control the process beyond their control model
     UNCERTAINTY!
  36. Control loop ringing: caused by negative real controller poles (plot: amount of chemical entering the reactor)
  37. Types of attacks: step attack; periodic attack. Measured by magnitude of manipulation and recovery time
  38. Outcome of the control stage: reliably useful controls
     Sensitivity | Magnitude of manipulation | Recovery time
     High        | XMV {1;5;7}               | XMV {4;7}
     Medium      | XMV {2;4;6}               | XMV {5}
     Low         | XMV {3}                   | XMV {1;2;3;6}
  39. Alarm propagation
     Alarm           | Steady state attacks | Periodic attacks
     Gas loop O2     | XMV {1}              | XMV {1}
     Reactor feed T  | XMV {6}              | XMV {6}
     Reactor T       | XMV {7}              | XMV {7}
     FEHE effluent   | XMV {7}              | XMV {7}
     Gas loop P      | XMV {2;3;6}          | XMV {2;3;6}
     HAc in decanter | XMV {2;3;7}          | XMV {3}
  40. Damage. ENCS
  41. Technician vs. engineer. Technician: “It will eventually drain with the lowest holes losing pressure last.” Engineer: “It will be fully drained in 20.4 seconds and the pressure curve looks like this.” „SCADA triangles: reloaded“, Jason Larsen, S4.
  42. Process observation (diagram: analyzers for chemical composition, FT flow transmitters, TT temperature transmitter)
     • Reactor exit flowrate
     • Reactor exit temperature
  43. Technician answer: reactor with cooling tubes (0,00073; 0,00016)
  44. Engineering answer: vinyl acetate production (plot)
  45. Product loss. Product per day: 96.000$
  46. Outcome of the damage stage
     Product loss, 24 hours      | Steady-state attacks | Periodic attacks
     High, ≥ 10.000$             | XMV {2}              | XMV {4;6}
     Medium, 5.000$ - 10.000$    | XMV {6;7}            | XMV {5;7}
     Low, 2.000$ - 5.000$        | -                    | XMV {2}
     Negligible, ≤ 2.000$        | XMV {1;3}            | XMV {1;2}
     Product per day: 96.000$. Still might be useful.
  47. Clean-up. ENCS
  48. Socio-technical system (diagram: operator, controller, cyber-physical system)
     • Maintenance staff
     • Plant engineers
     • Process engineers
     • ……
  49. Creating a forensic footprint
     • Process operators may get concerned after noticing a persistent decrease in production and may try to fix the problem
     • If attacks are timed to particular maintenance work, the plant employee will be investigated rather than the process
     1. Pick several ways that the temperature can be increased
     2. Wait for the scheduled instrument calibration
     3. Perform the first attack
     4. Wait for the maintenance guys to be screamed at and the recalibration to be repeated
     5. Play the next attack
     6. Go to 4
  50. Creating a forensic footprint: four different attacks
  51. Defeating chemical forensics
  52. Conclusion. ENCS
  53. Defense opportunities
     • Better understanding of the hurdles the attacker has to overcome
       o Understanding what she needs to do and why
       o Eliminating low-hanging fruits
       o Making exploitation harder
     • Wait for the attacker
       o Certain access/user credentials need to be obtained
       o Certain information needs to be gathered
     • Building attack-resilient processes
       o Put in mechanical protections (e.g. manual valve)
       o By design (slow vs. fast valves)
       o Hardening (adjusting control cycle and/or parameters)
  54. TE: VAM: Marina Krotofil, ENCS. Damn Vulnerable Chemical Process
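The control and damage stages (slides 33 to 46) rate each manipulated variable by the magnitude of the deviation it causes, the recovery time after it stops, and whether an alarm trips. As an added illustration that is not code from the talk or from its VAM/TE plant models, the constructed toy model below runs one PI-controlled first-order loop under a step and a periodic actuator offset and reports those same quantities; the process constants, PI tuning, alarm limit, attack windows and the off-spec proxy are all made up.

```python
"""Constructed toy model: one PI-controlled process loop under step and periodic
actuator offsets. Not the talk's plant model; every constant here is made up."""
import math
from typing import Callable, NamedTuple

DT = 1.0            # controller sampling interval, s (constructed)
TAU = 20.0          # first-order process time constant, s (constructed)
A = math.exp(-DT / TAU)
KP, KI = 0.8, 0.05  # PI gains, hand-tuned for a well-damped loop (constructed)

class Outcome(NamedTuple):
    max_deviation: float  # largest |setpoint - pv| during the run
    alarm: bool           # did the deviation ever exceed the alarm limit?
    recovery_steps: int   # steps from the last offset until |dev| < tol (-1: never)
    offspec: float        # accumulated |deviation| * DT, a proxy for lost product

def step_attack(magnitude: float, start: int = 50, end: int = 250):
    """Constant offset added to the manipulated variable while active."""
    return lambda k: magnitude if start <= k < end else 0.0

def periodic_attack(magnitude: float, start: int = 50, end: int = 250, period: int = 40):
    """Same offset switched on and off with a 50 % duty cycle while active."""
    def offset(k: int) -> float:
        if not start <= k < end:
            return 0.0
        return magnitude if (k - start) % period < period // 2 else 0.0
    return offset

def simulate(attack: Callable[[int], float], n_steps: int = 600, setpoint: float = 1.0,
             alarm_limit: float = 0.15, tol: float = 0.01) -> Outcome:
    pv, integ = setpoint, setpoint / KI    # start at steady state: u == setpoint, no offset
    max_dev, alarm, offspec = 0.0, False, 0.0
    attack_end, recovered = None, None
    for k in range(n_steps):
        err = setpoint - pv
        integ += err * DT
        u = KP * err + KI * integ            # PI controller output
        offset = attack(k)
        if offset != 0.0:                    # offset active: restart the recovery clock
            attack_end, recovered = k + 1, None
        pv = A * pv + (1 - A) * (u + offset)  # first-order process; offset lands on the actuator
        dev = abs(setpoint - pv)
        max_dev = max(max_dev, dev)
        alarm = alarm or dev > alarm_limit
        offspec += dev * DT
        if attack_end is not None and k >= attack_end and recovered is None and dev < tol:
            recovered = k + 1 - attack_end   # first step back inside tolerance
    return Outcome(max_dev, alarm, -1 if recovered is None else recovered, offspec)
```

Sweeping `magnitude` for each attack shape and recording which runs set `alarm` gives the same kind of sensitivity and alarm tables the slides show, here for a loop whose alarm limit and tuning are known rather than discovered.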