Damn Vulnerable Chemical Process
•Télécharger en tant que PPTX, PDF•
2 j'aime•22,711 vues
Damn Vulnerable Chemical Process
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Damn Vulnerable Chemical Process
Similaire à Damn Vulnerable Chemical Process (20)
Plus de Positive Hack Days
Plus de Positive Hack Days (20)
Dernier
Dernier (20)
Damn Vulnerable Chemical Process
- 1. Marina Krotofil PHDays, Moscow, Russia 29.06.2015 Damn Vulnerable Chemical Process, vol.2 ENCS
- 2. Who I am (Ex)Academic Have been teaching security topics for 10 semesters Prefer physics over web technologies Most frequently asked question: HOW DID I LEARN ALL THESE THINGS??
- 3. What this talk about ENCS
- 4. Industrial Control Systems Physical application Curtesy: Compass Security Germany GmbH
- 5. Control loop Actuators Control system Physical process Sensors Measure process state Computes control commands for actuators Adjust themselves to influence process behavior
- 6. Converts analog signal into digital Sensors pre-process the measurements May send data directly to actuators IP-enabled (part of the “Internet-of-Things”) Computational element Sensor Smart instrumentation Old generation temperature sensor
- 7. Cyber-physical systems are IT systems “embedded” in an application in the physical world Cyber-Physical Systems Attack goals: o Get the physical system in a state desired by the attacker o Make the physical system perform actions desired by the attacker
- 8. Promise from the vendors: Expect instruments of the future to have multiple communication channels, each one with built-in security (LOL), much like a present- day Ethernet switch. These channels will be managed with IP adressing and server technology, allowing the instrument to become a true data server Vendors Instrumentation of the future
- 10. Here’s a plant. Go hack it.
- 11. Damn Vulnerable Chemical Process, vol. 1 Compliance violation Safety Pollution Contractual agreements Production damage Product quality and product rate Operating costs Maintenance efforts Equipment damage Equipment overstress Violation of safety limits Purity Price, EUR/kg 98% 1 99% 5 100% 8205 Paracetamol Source: http://www.sigmaaldrich.com/
- 12. Here’s a plant. Go hack it. Attack scenario: persistent economic damage
- 13. Plants for sale From LinkedIn
- 14. Vinyl Acetate Monomer plant
- 15. Stages of cyber-physical attacks ENCS
- 17. Stages of SCADA attack Control Access DiscoveryCleanup Damage Jason Larsen „Breakage“. Black Hat Federal, 2007
- 20. Access ENCS
- 21. Traditional IT hacking • 1 0day • 1 Clueless user • AntiVirus and Patch Management • Database Links • Backup Systems
- 22. Invading field devices Jason Larsen at Black Hat’15 “Miniaturization” o Inserting rootkit into firmware Water flow Shock wave Valve PhysicalReflected shock wave Valve closes Shockwave Reflected wave Pipe movement Attack scenario: pipe damage with water hammer
- 23. Discovery ENCS
- 24. Process discovery What and how the process is producing How it is build and wired How it is controlledEspionage Espionage, reconnaissance Espionage, reconnaissance
- 26. Know the equipment Stripping column Stripper is...
- 29. Understanding points and logic Piping and instrumentation diagram Ladder logic Programmable Logic Controller Pump on the plant Courtesy: Jason Larsen
- 31. Available controls Obtaining control is not being in control Obtained control might not be useful for attack goal Attacker might not necessary be able to control obtained controls WTF???
- 32. Control ENCS
- 33. Physics of process control Once hooked up together, physical components they become related to each other by the physics of the process If we adjust one a valve what happens to everything else? o Adjusting temperature also increases pressure and flow o All the downstream effects need to be taken into account How much does the process can be changed before releasing alarms or it shutting down?
- 34. Process control challenges Controller Process Transmitter Final control element Set point Load Operator practice Control strategy Tuning Algorithm Configuration Sizing Dead band Flow properties Equipment design Process design Sampling frequency Filtering
- 35. Process control challenges Process dynamic is highly non-linear (???) Behavior of the process is known to the extent of its modelling o So to controllers. They cannot control the process beyond their control model UNCERTAINTY!
- 36. Control loop ringing Caused by a negative real controller poles Amount of chemical entering the reactor
- 37. Types of attacks Step attack Periodic attack Magnitude of manipulation Recovery time
- 38. Outcome of the control stage Sensitivity Magnitude of manipulation Recovery time High XMV {1;5;7} XMV {4;7} Medium XMV {2;4;6} XMV {5} Low XMV{3} XMV {1;2;3;6} Reliably useful controls
- 39. Alarm propagation Alarm Steady state attacks Periodic attacks Gas loop 02 XMV {1} XMV {1} Reactor feed T XMV {6} XMV {6} Rector T XMV{7} XMV{7} FEHE effluent XMV{7} XMV{7} Gas loop P XMV{2;3;6} XMV{2;3;6} HAc in decanter XMV{2;3;7} XMV{3}
- 40. Damage ENCS
- 41. “It will eventually drain with the lowest holes loosing pressure last” “It will be fully drained in 20.4 seconds and the pressure curve looks like this” Technician Engineer Technician vs. engineer „SCADA triangles: reloaded“. Jason Larsen, S4.
- 42. Process observation Analyzator Analyzator Analyzator Analyzator • Reactor exit flowrate • Reactor exit temperature FT TT Chemical composition FT
- 43. Technician answer Reactor with cooling tubes 0,00073 0,00016
- 44. Engineering answer Vinyl Acetate production
- 45. Product loss Product per day: 96.000$ ,
- 46. Outcome of the damage stage Product loss, 24 hours Steady-state attacks Periodic attacks High, ≥ 10.000$ XMV {2} XMV {4;6} Medium, 5.000$ - 10.000$ XMV {6;7} XMV {5;7} Low, 2.000$ - 5.000$ - XMV {2} Negligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful
- 47. Clean-up ENCS
- 48. Socio-technical system Operator Controller • Maintenance stuff • Plant engineers • Process engineers • …… Cyber-physical system
- 49. Creating forensics footprint Process operators may get concerned after noticing persistent decrease in production and may try to fix the problem If attacks are timed to a particular maintenance work, plant employee will be investigated rather than the process 1. Pick several ways that the temperature can be increased 2. Wait for the scheduled instruments calibration 3. Perform the first attack 4. Wait for the maintenance guys being screamed at and recalibration to be repeated 5. Play next attack 6. Go to 4
- 50. Creating forensics footprint Four different attacks
- 52. Conclusion ENCS
- 53. Defense opportunities Better understanding the hurdles the attacker has to overcome o Understanding what she needs to do and why o Eliminating low hanging fruits o Making exploitation harder Wait for the attacker o Certain access/user credentials need to be obtained o Certain information needs to be gathered Building attack-resilient processes o Put mechanical protections (e.g. manual valve) o By design (slow vs. fast valves) o Hardening (adjusting control cycle and/or parameters)
- 54. TE: http://github.com/satejnik/DVCP-TE VAM: http://github.com/satejnik/DVCP-VAM Marina Krotofil marina.krotofil@encs.eu ENCS Damn Vulnerable Chemical Process
Notes de l'éditeur
- If the exploitation is not “white-box”, the attacker needs to observe the process during exploitation
- If the exploitation is not “white-box”, the attacker needs to observe the process during exploitation
- If the exploitation is not “white-box”, the attacker needs to observe the process during exploitation
- If the exploitation is not “white-box”, the attacker needs to observe the process during exploitation
- If the exploitation is not “white-box”, the attacker needs to observe the process during exploitation