Remote Physical Damage 101 - Bread and Butter Attacks

It is possible to physically damage equipment through purely cyber means. Most of the time the attacker takes advantage of something specific to the cyber-physical system (CPS) that's being targeted. As an example, mixing in a cleaning agent during a production cycle can cause an unwanted chemical reaction. Attacking software has been described as "unexpected computation." Attacking a process is all about "unexpected physics."

Finding and exploiting process-specific flaws generally takes subject matter expertise in the victim process. However, there are some generic attacks that can be applied in a wide range of scenarios. I call these bread and butter attacks. They take advantage of common configurations of valves, pumps, pipes, etc. to achieve damage to the process. These scenarios can be used as a basis for a first look in a process audit. During a full audit, a subject matter expert will still need to be consulted.

Nearly the entire budget for securing processes from cyber attack is spent attempting to keep an attacker from gaining code execution in the process control network. This is roughly equivalent to the early 2000s, when the industry attempted to find every possible buffer overflow in code. In 2015 we're still finding them regularly. It wasn't until ASLR and DEP were introduced that defenders started making attackers work harder. In process control networks, defending the network is still key, but adding a few physical controls can greatly reduce the effectiveness of an attacker. It is hoped that this presentation can help stimulate discussion on how attackers can be mitigated after code execution is already achieved.

Presented by