Cyber-physical attacks: Hacking a chemical plant

When it comes to hacking chemical plants, for an attacker to go hackedity-hack-hack and then the plant goes boom fortunately only happens in the movies. But “if you plan to improve your financial posture” now and at least in the five years is a good time for security researchers to jump into cyber-physical systems security where you will be most concerned about attacks that cause physical damage.

Granted, you and attackers may know a lot about the IT world, and even Industrial Control Systems (ICS) aka SCADA, but hacking a chemical plant means also needing to know some physics, chemistry and engineering. The Damn Vulnerable Chemical Process was developed to help you master new skills; it’s the “first open source framework for cyber-physical experimentation based on two realistic models of chemical plants.”

At Def Con 23, Marina Krotofil, senior security consultant at the European Network for Cyber Security, and Jason Larsen, principal security consultant at IOActive, presentedRocking the pocket book: Hacking chemical plants for competition and extortion; you can grab a copy of their presentation (pdf) and slides (pdf) as the duo delved into a complete attack, from start to finish, on a simulated plant for Vinyl Acetate production. Pulling off an operational technology hack that affects a physical thing in the real work is an extremely complex process with many stages that range from learning to leaving false forensic footprints to get away with the attack.

Cyber-physical attacks “go through several stages before the evil goals can be achieved;” most attackers have no idea about the complete process and how to manipulate it. If an attacker remotely tweaked one thing, turned a valve for example, how would that affect something else like reactor temperature? “Cyber attacks on process networks may allow the attacker to obtain sensor readings, to manipulate sensor measurements sent to controllers and instructions sent to actuators. To appreciate the effect of such manipulations the attacker has to understand the physical part of her target.” You need only look at one of several diagrams to grasp how much an attacker would need to understand.



. . . . . . . .

Print Friendly, PDF & Email

Leave a Reply