The document discusses cybersecurity risks in industrial control systems used in chemical plants. It begins with an introduction to industrial control systems and their components. It then outlines the stages of a potential cyber-physical attack against such a system - gaining initial access, discovering details of the physical process, gaining control of systems, causing damage through manipulation of the process, and covering tracks. Specific attack scenarios are described, such as using water hammer effects to damage pipes. The talk aims to illustrate vulnerabilities to help drive improvements in the security of industrial control systems.

1. Marina Krotofil
PHDays, Moscow, Russia
29.06.2015
Damn Vulnerable Chemical Process, vol.2
ENCS

2. Who I am
(Ex)Academic
 Have been teaching security topics
for 10 semesters
 Prefer physics over web
technologies
 Most frequently asked question:
HOW DID I LEARN ALL THESE
THINGS??

3. What this talk about
ENCS

4. Industrial Control Systems
Physical
application
Curtesy: Compass Security Germany GmbH

5. Control loop
Actuators
Control
system
Physical process
Sensors
Measure process
state
Computes control
commands for
actuators
Adjust themselves
to influence
process behavior

6.  Converts analog signal into digital
 Sensors pre-process the measurements
 May send data directly to actuators
 IP-enabled (part of the “Internet-of-Things”)
Computational
element
Sensor
Smart instrumentation
Old generation
temperature sensor

7.  Cyber-physical systems are IT systems “embedded” in an
application in the physical world
Cyber-Physical Systems
 Attack goals:
o Get the physical system in a state
desired by the attacker
o Make the physical system perform
actions desired by the attacker

8. Promise from the vendors:
Expect instruments of the future
to have multiple communication
channels, each one with built-in
security (LOL), much like a present-
day Ethernet switch. These
channels will be managed with IP
adressing and server technology,
allowing the instrument to
become a true data server
Vendors
Instrumentation of the future

9. Chemical plants
Source: simentari.com

10. Here’s a plant. Go hack it.

11. Damn Vulnerable Chemical Process, vol. 1
Compliance violation
 Safety
 Pollution
 Contractual agreements
Production damage
 Product quality and
product rate
 Operating costs
 Maintenance efforts
Equipment damage
 Equipment overstress
 Violation of safety limits
Purity Price, EUR/kg
98% 1
99% 5
100% 8205
Paracetamol
Source: http://www.sigmaaldrich.com/

12. Here’s a plant. Go hack it.
Attack scenario: persistent economic damage

13. Plants for sale
From LinkedIn

14. Vinyl Acetate Monomer plant

15. Stages of cyber-physical attacks
ENCS

16. Attack objective
Evil
motivation
Cyber-physical
payload

17. Stages of SCADA attack
Control
Access
DiscoveryCleanup
Damage
Jason Larsen „Breakage“. Black Hat Federal, 2007

18. Control
Access
DiscoveryCleanup
Damage
Stages of SCADA attack

19. Control
Access
DiscoveryCleanup
Damage
Stages of SCADA attack

20. Access
ENCS

21. Traditional IT hacking
• 1 0day
• 1 Clueless user
• AntiVirus and Patch Management
• Database Links
• Backup Systems

22. Invading field devices
 Jason Larsen at Black Hat’15 “Miniaturization”
o Inserting rootkit into firmware
Water flow
Shock wave
Valve PhysicalReflected shock wave
Valve closes Shockwave Reflected wave
Pipe
movement
Attack scenario: pipe damage with
water hammer

23. Discovery
ENCS

24. Process discovery
What and how the
process is producing
How it is build and
wired
How it is controlledEspionage
Espionage,
reconnaissance
Espionage,
reconnaissance

25. Process discovery

26. Know the equipment
Stripping column
Stripper is...

27. RefinementReaction
Max economic damage?
Final
product

28. Available controls
fixed

29. Understanding points and logic
Piping and instrumentation diagram
Ladder logic
Programmable Logic Controller
Pump on the plant
Courtesy: Jason Larsen

30. Available controls

31. Available controls
 Obtaining control is not being in
control
 Obtained control might not be
useful for attack goal
 Attacker might not necessary be
able to control obtained controls
WTF???

32. Control
ENCS

33. Physics of process control
 Once hooked up together, physical components they
become related to each other by the physics of the process
 If we adjust one a valve what happens to everything else?
o Adjusting temperature also increases pressure and flow
o All the downstream effects need to be taken into account
 How much does the process can be changed before releasing
alarms or it shutting down?

34. Process control challenges
Controller Process
Transmitter
Final control
element
Set point
Load
Operator practice
Control strategy
Tuning
Algorithm
Configuration
Sizing
Dead band
Flow properties Equipment design
Process design
Sampling frequency
Filtering

35. Process control challenges
 Process dynamic is highly non-linear (???)
 Behavior of the process is known to the extent of its modelling
o So to controllers. They cannot control the process beyond their
control model
UNCERTAINTY!

36. Control loop ringing
Caused by a negative real
controller poles
Amount of chemical entering
the reactor

37. Types of attacks
Step attack
Periodic attack
Magnitude of manipulation
Recovery time

38. Outcome of the control stage
Sensitivity Magnitude of manipulation Recovery time
High XMV {1;5;7} XMV {4;7}
Medium XMV {2;4;6} XMV {5}
Low XMV{3} XMV {1;2;3;6}
Reliably useful controls

39. Alarm propagation
Alarm Steady state attacks Periodic attacks
Gas loop 02 XMV {1} XMV {1}
Reactor feed T XMV {6} XMV {6}
Rector T XMV{7} XMV{7}
FEHE effluent XMV{7} XMV{7}
Gas loop P XMV{2;3;6} XMV{2;3;6}
HAc in decanter XMV{2;3;7} XMV{3}

40. Damage
ENCS

41. “It will eventually
drain with the
lowest holes loosing
pressure last”
“It will be fully
drained in 20.4
seconds and the
pressure curve
looks like this”
Technician Engineer
Technician vs. engineer
„SCADA triangles: reloaded“. Jason Larsen, S4.

42. Process observation
Analyzator
Analyzator
Analyzator
Analyzator
• Reactor exit flowrate
• Reactor exit temperature
FT
TT
Chemical composition
FT

43. Technician answer
Reactor with cooling
tubes
0,00073
0,00016

44. Engineering answer
Vinyl Acetate production

45. Product loss
Product per day: 96.000$
,

46. Outcome of the damage stage
Product loss, 24 hours Steady-state attacks Periodic attacks
High, ≥ 10.000$ XMV {2} XMV {4;6}
Medium, 5.000$ -
10.000$
XMV {6;7} XMV {5;7}
Low, 2.000$ - 5.000$ - XMV {2}
Negligible, ≤ 2.000$ XMV {1;3} XMV {1;2}
Product per day: 96.000$
Still might be useful

47. Clean-up
ENCS

48. Socio-technical system
Operator
Controller
• Maintenance stuff
• Plant engineers
• Process engineers
• ……
Cyber-physical system

49. Creating forensics footprint
 Process operators may get concerned after noticing persistent
decrease in production and may try to fix the problem
 If attacks are timed to a particular maintenance work, plant
employee will be investigated rather than the process
1. Pick several ways that the temperature can be increased
2. Wait for the scheduled instruments calibration
3. Perform the first attack
4. Wait for the maintenance guys being screamed at
and recalibration to be repeated
5. Play next attack
6. Go to 4

50. Creating forensics footprint
Four different attacks

51. Defeating chemical forensics

52. Conclusion
ENCS

53. Defense opportunities
 Better understanding the hurdles the attacker has to
overcome
o Understanding what she needs to do and why
o Eliminating low hanging fruits
o Making exploitation harder
 Wait for the attacker
o Certain access/user credentials need to be obtained
o Certain information needs to be gathered
 Building attack-resilient processes
o Put mechanical protections (e.g. manual valve)
o By design (slow vs. fast valves)
o Hardening (adjusting control cycle and/or parameters)

54. TE: http://github.com/satejnik/DVCP-TE
VAM: http://github.com/satejnik/DVCP-VAM
Marina Krotofil
marina.krotofil@encs.eu
ENCS
Damn Vulnerable Chemical Process