MINIATURIZATION

Too often researchers ignore the hard parts of SCADA hacking. Too many presentations could be described as "I got past the SCADA firewall so I win!!!" Little information is available on what to do after the attacker gains control of the process. As a challenge, consider the scenario where I just gave you control of a paint factory. Now what? The answer to that question is often specific to the process, but there are a number of generic techniques that can be discussed. Often, designing an attack leads to interesting hacking and computer science challenges.

Miniaturization is one of those problems. Suppose an attacker wanted to hide in a PLC. Suppose he wanted to hide all the way down in a pressure sensor. Is such a thing possible? The attack must be miniaturized to fit within the constraints of the embedded device and may need to be miniaturized into just a few kilobytes of memory. This is an interesting problem.

The sensor has only a few kilobytes of memory and the attacker has a number of tasks to perform. During the attack he must spoof the original process to keep the operator happy. He must estimate the state of the physical process by extracting artifacts from noisy sensor signals. He must also process those artifacts to extract the necessary constants to perform an attack.

In order to keep the presentation real and understandable, it will walk through setting up an optimal pressure transient in a chemical piping system (commonly referred to as a water hammer). A set of novel algorithms will be described that would allow someone to pull off such an attack. A variant of "runs analysis" taken from statistics will be used to produce nearly perfect sensor noise without any prior look at the sensor. An algorithm derived from 3D graphics will be used to extract artifacts from noisy sensor data. Finally, scale-free geometry matching techniques will be used to process the artifacts into the time constants needed to pull off an attack.
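The runs analysis mentioned above cuts both ways. As an added example (not code from the talk, and not the speaker's algorithm), here is the classic Wald-Wolfowitz runs test used from the defender's side: rather than generating convincing noise, it checks whether the noise on a pressure channel is still statistically plausible, the kind of check a monitoring host could run against a reading that has been frozen, replayed or smoothed into something too regular. The 3.50 bar baseline and every series are constructed; the 2.58 threshold (a two-sided 1% test) is an assumption.

```python
"""Runs-test sanity check for a pressure sensor's noise (added example)."""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RunsResult:
    runs: int            # maximal same-sign stretches in the residuals
    n_above: int         # readings above the baseline
    n_below: int         # readings at or below the baseline
    z: Optional[float]   # standardized runs statistic, None when degenerate
    plausible: bool      # True when the noise passes the test


def runs_test(values: List[float], baseline: float, z_limit: float = 2.58) -> RunsResult:
    """Classify each reading as above/below `baseline`, count the runs and
    compare the count with the expectation for independent noise.
    z_limit=2.58 is the two-sided 1% cut-off of the normal approximation."""
    above = [v > baseline for v in values]
    if not above:
        return RunsResult(0, 0, 0, None, False)
    n1 = sum(above)
    n2 = len(above) - n1
    runs = 1 + sum(1 for a, b in zip(above, above[1:]) if a != b)
    if n1 == 0 or n2 == 0:
        # Every reading sits on one side of the baseline (e.g. a flat line):
        # the statistic is undefined and the channel is not behaving like noise.
        return RunsResult(runs, n1, n2, None, False)
    n = n1 + n2
    mu = 2.0 * n1 * n2 / n + 1.0
    var = 2.0 * n1 * n2 * (2.0 * n1 * n2 - n) / (n * n * (n - 1))
    if var <= 0.0:
        return RunsResult(runs, n1, n2, None, False)
    z = (runs - mu) / math.sqrt(var)
    return RunsResult(runs, n1, n2, z, abs(z) <= z_limit)


# --- constructed sample data (not real sensor captures) -------------------
BASELINE_BAR = 3.50  # assumed nominal line pressure


def readings_from_runs(run_lengths: List[int], first_above: bool = True) -> List[float]:
    """Build a reading series whose residual signs follow `run_lengths`."""
    out, above = [], first_above
    for k, length in enumerate(run_lengths):
        step = 0.010 + 0.005 * (k % 3)  # vary the deviation a little
        out.extend([BASELINE_BAR + (step if above else -step)] * length)
        above = not above
    return out


# 26 runs over 40 samples: what ordinary sensor noise looks like
HEALTHY = readings_from_runs([2, 1, 3, 1, 2, 2, 1, 1, 2, 3, 1, 2, 1,
                              1, 2, 1, 2, 2, 1, 2, 1, 1, 2, 1, 1, 1])
FROZEN = readings_from_runs([20, 20])        # held high, then held low: 2 runs
ALTERNATING = readings_from_runs([1] * 40)   # toggles every sample: too regular
FLAT = [BASELINE_BAR] * 40                   # no noise at all

if __name__ == "__main__":
    for name, series in [("healthy", HEALTHY), ("frozen", FROZEN),
                         ("alternating", ALTERNATING), ("flat", FLAT)]:
        print(f"{name:12s} {runs_test(series, BASELINE_BAR)}")
```

The test only looks at the sign of each residual, so it needs no model of the sensor's amplitude distribution and runs comfortably on a monitoring host polling a few hundred samples at a time. Too few runs flags a frozen or heavily smoothed channel, too many flags a mechanically alternating one, and a series that never crosses the baseline is reported as degenerate rather than silently passed.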

Presented by