The appeal of hacking a physical process is dreaming about physical damage attacks lighting up the sky in a shower of goodness. Let's face it, after such elite hacking action nobody is going to let one present it, even at a conference like DEF CON. As a poor substitute, this presentation will get as close as it can by using a simulated Vinyl Acetate production plant to demonstrate a complete attack, from start to end, aimed at persistent economic damage to a production site while avoiding attribution of the production loss to a cyber event. Such an attack scenario could be useful to a manufacturer aiming to put competitors out of business, or as a strong argument in an extortion attack.
Picking up a paper these days, it is easy to find an article on all the "SCADA insecurity" out there, associated with an unstoppable attacker whose unsophisticated goal is kicking off another apocalypse. Sorry to disappoint the excited crowd, but the formula "Your wish is my command" does not work for control systems. The target plant is not designed in a hacker-friendly way. Hopefully, by the end of the presentation the audience will understand the difference between breaking into the system and breaking the system, between obtaining control and being in control. An attacker targeting a remote process is not immediately gifted with complete knowledge of the process and the means to manipulate it. In general, an attacker has to work through a series of stages before getting to the final attack. Designing an attack scenario is as much a matter of art as of economic consideration: the cost of the attack can quickly exceed the worth of the damage, and the attacker also has to find a way to compare competing attack scenarios.
In traditional IT hacking, the goal is to go undetected. In OT (operational technology) hacking this is not an option. An attack changes things in the real world that cannot be undone by simply erasing the log files. If a piece of equipment is damaged, or if a plant suddenly becomes less profitable, it will be investigated. The attacker therefore has to create a forensic footprint for the investigators, manipulating the process and the logs in such a way that the analysts draw the wrong conclusions.
Exploiting a physical process is an exotic and hard-to-develop skill, which has so far kept the barrier to entry high. As a result, real-world control system exploitation has remained in the hands of a few. To help the community master these new skills we have developed "Damn Vulnerable Chemical Process", the first open-source framework for cyber-physical experimentation, based on two realistic models of chemical plants. Come to the session and take your first master class in complex physical hacking.
Marina is a Senior Security Consultant at the European Network for Cyber Security. Through her life she has accumulated vast hands-on experience in several engineering fields. Most recently she completed her doctoral degree in ICS security at Hamburg University of Technology, Germany. Her research over the last few years has been focused on the bits and peaches of the design and implementation of cyber-physical attacks aiming at both physical and economic damage. Marina has used her pioneering destructive knowledge to design process-aware defensive solutions and risk assessment approaches. During her PhD she collaborated with several industrial partners, participated in EU projects and collaborated with cool dudes from the hacking community. She has written more than a dozen papers on the subject of cyber-physical exploitation. Marina gives workshops on cyber-physical exploitation and is a frequent speaker at the leading ICS security and hacking venues around the world. She holds an MBA in Technology Management, an MSc in Telecommunications and an MSc in Information and Communication Systems.
Jason Larsen is a professional hacker who specializes in critical infrastructure and process control systems. Over the last several years he has been doing focused research into remote physical damage. Jason graduated from Idaho State University, where he worked on Monte Carlo and pharmacokinetic modeling for Boron Neutron Capture Therapy. He was one of the founding members of the Cyber Security department at Idaho National Labs, which hosts ICS-CERT and the National SCADA Test Bed. Jason has audited most of the major process control and SCADA systems and has extensive experience doing penetration tests against live systems. His other activities include two years on the Windows 7 penetration testing team, designing the anti-malware system for a very large auction site, and building anonymous relay networks. He is currently a Principal Security Consultant for IOActive in Seattle.