Damn Vulnerable Chemical Process


Marina Krotofil

PHDays, Moscow, Russia, 29.06.2015

Damn Vulnerable Chemical Process, vol.2

ENCS

Who I am

(Ex)Academic

Have been teaching security topics for 10 semesters

Prefer physics over web technologies

Most frequently asked question: HOW DID I LEARN ALL THESE THINGS??

What this talk is about


Industrial Control Systems

Physical application

Courtesy: Compass Security Germany GmbH

Control loop

• Sensors: measure process state
• Control system: computes control commands for actuators
• Actuators: adjust themselves to influence process behavior
• Physical process

Smart instrumentation

Figure: old generation temperature sensor vs. sensor with a computational element

• Converts analog signal into digital
• Sensors pre-process the measurements
• May send data directly to actuators
• IP-enabled (part of the “Internet-of-Things”)

Cyber-Physical Systems

Cyber-physical systems are IT systems “embedded” in an application in the physical world

Attack goals:
o Get the physical system into a state desired by the attacker
o Make the physical system perform actions desired by the attacker

Instrumentation of the future

Promise from the vendors:

“Expect instruments of the future to have multiple communication channels, each one with built-in security (LOL), much like a present-day Ethernet switch. These channels will be managed with IP addressing and server technology, allowing the instrument to become a true data server”

Chemical plants

Source: simentari.com

Here’s a plant. Go hack it.

Damn Vulnerable Chemical Process, vol. 1

• Compliance violation
o Safety
o Pollution
o Contractual agreements
• Production damage
o Product quality and product rate
o Operating costs
o Maintenance efforts
• Equipment damage
o Equipment overstress
o Violation of safety limits

Paracetamol (source: http://www.sigmaaldrich.com/)

Purity   Price, EUR/kg
98%      1
99%      5
100%     8205

Here’s a plant. Go hack it.

Attack scenario: persistent economic damage

Plants for sale

From LinkedIn

Vinyl Acetate Monomer plant

Stages of cyber-physical attacks


Figure: attack objective, evil motivation, cyber-physical payload

Stages of SCADA attack: Access → Discovery → Control → Damage → Cleanup

Jason Larsen, “Breakage”. Black Hat Federal, 2007


Access


Traditional IT hacking

• 1 0day
• 1 Clueless user
• AntiVirus and Patch Management
• Database Links
• Backup Systems

Invading field devices

• Jason Larsen at Black Hat’15 “Miniaturization”
o Inserting rootkit into firmware

Attack scenario: pipe damage with water hammer

Figure: valve closes → shock wave in the water flow → reflected shock wave → pipe movement

Discovery


Process discovery (espionage, reconnaissance)

• What and how the process is producing
• How it is built and wired
• How it is controlled

Process discovery

Know the equipment

Figure: process flow diagram with the reaction and refinement sections (stripping column: “Stripper is...”), the final product, the controls that are available vs. fixed, and the question: max economic damage?

Understanding points and logic

Figure: piping and instrumentation diagram; ladder logic on the Programmable Logic Controller; pump on the plant (courtesy: Jason Larsen)

Available controls

• Obtaining control is not being in control
• The obtained control might not be useful for the attack goal
• The attacker might not necessarily be able to control the obtained controls

WTF???

Control


Physics of process control

Once hooked up together, physical components become related to each other by the physics of the process

If we adjust one valve, what happens to everything else?
o Adjusting temperature also changes pressure and flow
o All the downstream effects need to be taken into account

How much can the process be changed before it raises alarms or shuts down?

Process control challenges

Figure: control loop (controller, final control element, process, transmitter) and what shapes each element: set point, load, operator practice, control strategy, tuning, algorithm, configuration, sizing, dead band, flow properties, equipment design, process design, sampling frequency, filtering

Process control challenges

• Process dynamics are highly non-linear (???)
• The behavior of the process is known only to the extent of its modelling
o So are the controllers: they cannot control the process beyond their control model

UNCERTAINTY!

Control loop ringing

Figure: vaporizer pressure (psia) over 0–0.08 hours, oscillating around 128 psia

Caused by negative real controller poles

Amount of chemical entering the reactor

Types of attacks

Step attack

Periodic attack

Magnitude of manipulation

Recovery time

Outcome of the control stage

Sensitivity   Magnitude of manipulation   Recovery time
High          XMV {1;5;7}                 XMV {4;7}
Medium        XMV {2;4;6}                 XMV {5}
Low           XMV {3}                     XMV {1;2;3;6}

Reliably useful controls

Alarm propagation

Alarm             Steady-state attacks   Periodic attacks
Gas loop O2       XMV {1}                XMV {1}
Reactor feed T    XMV {6}                XMV {6}
Reactor T         XMV {7}                XMV {7}
FEHE effluent     XMV {7}                XMV {7}
Gas loop P        XMV {2;3;6}            XMV {2;3;6}
HAc in decanter   XMV {2;3;7}            XMV {3}

Damage


Technician vs. engineer

Technician: “It will eventually drain with the lowest holes losing pressure last”

Engineer: “It will be fully drained in 20.4 seconds and the pressure curve looks like this”

“SCADA triangles: reloaded”. Jason Larsen, S4.

Process observation

Figure: reactor with analyzers (chemical composition), flow transmitters (FT) and temperature transmitters (TT)
• Reactor exit flowrate
• Reactor exit temperature
• Chemical composition

Technician answer

Figure: reactor temperature (°C) over 24 hours, 158.5–160.5 °C; reactor with cooling tubes

Engineering answer

Figures: reactor temperature (°C) over 24 hours, 158.5–160.5 °C; VAM concentration [kmol/min] over 0–1500 minutes, 0.7–0.9 kmol/min

Vinyl Acetate production

Product loss

Figure: average outflow [kmol/min] per chemical (O2, CO2, C2H4, C2H6, VAc, H2O, HAc), normal reaction vs. under attack. Reactor: loss 137.21 kmol (11469.70 $)

Product per day: 96.000$

Outcome of the damage stage

Product loss, 24 hours      Steady-state attacks   Periodic attacks
High, ≥ 10.000$             XMV {2}                XMV {4;6}
Medium, 5.000$ - 10.000$    XMV {6;7}              XMV {5;7}
Low, 2.000$ - 5.000$        -                      XMV {2}
Negligible, ≤ 2.000$        XMV {1;3}              XMV {1;2}

Product per day: 96.000$

Still might be useful
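Worked example, added here and not code from the talk or from the DVCP repositories: a toy single-loop simulation that reproduces the measures of the control stage (step vs. periodic attack on a manipulated variable, magnitude of the resulting deviation, whether an alarm band is crossed, recovery time once the attack stops) and bins the result with the 24-hour product-loss table of the damage stage. The VAM plant model is replaced by an assumed first-order process with a PI controller; process gain, tuning, alarm band, the linear product-rate model and the base production rate are assumptions, and the price per kmol is taken from the slide's 137.21 kmol = 11469.70 $ figure.

```python
"""Toy single-loop simulation of step vs. periodic attacks on an actuator command.

Added example, not code from the talk or the DVCP repositories.  All numeric
values are assumptions standing in for the real plant model.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoopParams:
    gain: float = 1.0           # process gain, PV units per MV unit (assumed)
    tau: float = 20.0           # process time constant, minutes (assumed)
    kp: float = 1.5             # PI proportional gain (assumed tuning)
    ki: float = 0.05            # PI integral gain, 1/min (assumed tuning)
    setpoint: float = 160.0     # reactor temperature set point, degC
    alarm_band: float = 1.0     # alarm when |PV - SP| exceeds this (assumed)
    recovery_tol: float = 0.05  # PV counts as recovered inside this band (assumed)
    dt: float = 0.1             # Euler integration step, minutes
    base_rate: float = 0.8      # product outflow at set point, kmol/min (assumed)
    loss_per_unit: float = 0.1  # fraction of output lost per degC of deviation (assumed)
    price_per_kmol: float = 83.6  # USD/kmol, from 11469.70 $ / 137.21 kmol on the slide


@dataclass
class Attack:
    """Offset the attacker adds to the controller's actuator command (MV)."""
    magnitude: float
    start: float                # minutes
    stop: float
    period: float = 0.0         # 0 = constant (step) attack, >0 = square-wave period

    def offset(self, t: float) -> float:
        if not (self.start <= t < self.stop):
            return 0.0
        if self.period <= 0:
            return self.magnitude
        first_half = ((t - self.start) % self.period) < self.period / 2
        return self.magnitude if first_half else -self.magnitude


@dataclass
class Outcome:
    max_deviation: float        # largest |PV - SP| seen, degC
    alarm: bool                 # did the deviation cross the alarm band?
    recovery_minutes: float     # time after the attack stops until PV settles
    loss_kmol: float
    loss_usd: float
    severity: str               # bin from the talk's damage-stage table


def classify_loss(loss_per_day_usd: float) -> str:
    """Bins of the 'Outcome of the damage stage' table (product loss per 24 h)."""
    if loss_per_day_usd >= 10_000:
        return "High"
    if loss_per_day_usd >= 5_000:
        return "Medium"
    if loss_per_day_usd >= 2_000:
        return "Low"
    return "Negligible"


def simulate(p: LoopParams, attack: Optional[Attack], horizon: float = 1440.0) -> Outcome:
    """Run the loop for `horizon` minutes; the attacker tampers with the MV only."""
    y, integ, t = p.setpoint, 0.0, 0.0
    max_dev, alarm, last_outside, produced = 0.0, False, None, 0.0
    for _ in range(int(round(horizon / p.dt))):
        err = p.setpoint - y
        integ += err * p.dt
        u = p.setpoint / p.gain + p.kp * err + p.ki * integ   # PI controller output
        if attack is not None:
            u += attack.offset(t)                             # tampered actuator command
        y += p.dt * (-y + p.gain * u) / p.tau                 # first-order process
        t += p.dt
        dev = abs(y - p.setpoint)
        max_dev = max(max_dev, dev)
        alarm = alarm or dev > p.alarm_band
        if attack is not None and t >= attack.stop and dev > p.recovery_tol:
            last_outside = t
        # any deviation from the design temperature costs product (assumed linear)
        produced += p.dt * p.base_rate * max(0.0, 1.0 - p.loss_per_unit * dev)
    loss_kmol = p.base_rate * horizon - produced
    loss_usd = loss_kmol * p.price_per_kmol
    recovery = (last_outside - attack.stop) if (attack and last_outside is not None) else 0.0
    return Outcome(max_dev, alarm, recovery, loss_kmol, loss_usd,
                   classify_loss(loss_usd * 1440.0 / horizon))


def compare(magnitude: float = 2.0, period: float = 60.0) -> dict:
    """Same MV offset applied as a 12-hour step and as a 12-hour square wave."""
    p = LoopParams()
    return {
        "none": simulate(p, None),
        "step": simulate(p, Attack(magnitude, start=60.0, stop=780.0)),
        "periodic": simulate(p, Attack(magnitude, start=60.0, stop=780.0, period=period)),
    }


if __name__ == "__main__":
    for name, o in compare().items():
        print(f"{name:9s} max_dev={o.max_deviation:.2f} degC  alarm={o.alarm}  "
              f"recovery={o.recovery_minutes:.0f} min  loss=${o.loss_usd:,.0f} ({o.severity})")
```

Running it shows the point of the control stage: the loop's integral action absorbs a sustained (step) offset, so the deviation is a one-off transient at attack start and end and the 24-hour loss lands in the negligible bin, while a square wave of the same magnitude keeps re-exciting the loop for the whole attack window and accumulates a larger loss; whether it crosses the alarm band depends on the period relative to the loop's time constants. Re-running `compare()` with other `kp`/`ki` values is the "hardening by adjusting control parameters" option from the conclusion.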

Clean-up


Socio-technical system

Figure: operator and controller around the cyber-physical system, plus
• Maintenance staff
• Plant engineers
• Process engineers
• ……

Creating forensic footprint

Process operators may get concerned after noticing a persistent decrease in production and may try to fix the problem

If attacks are timed to particular maintenance work, the plant employees will be investigated rather than the process

1. Pick several ways that the temperature can be increased
2. Wait for the scheduled instrument calibration
3. Perform the first attack
4. Wait for the maintenance guys to be screamed at and the recalibration to be repeated
5. Play the next attack
6. Go to 4

Creating forensic footprint

Figure: reactor temperature (°C) over 40 hours, 157–163 °C, four different attacks

Defeating chemical forensics

Figures (time in minutes, normal reaction vs. under attack):
• Reactor efficiency [%]: average efficiency loss 4.36 %
• Reactor selectivity [%]: average selectivity loss 2.73 %
• Decanter outflow [kmol/min] of VAc, H2O, HAc: total product 429.04 kmol (35865.28 $)
• Reactor conversion [%] of O2, C2H4, HAc: average conversion rates O2 30.67 %, C2H4 9.81 %, HAc 29.06 %

Conclusion


Defense opportunities

• Better understanding of the hurdles the attacker has to overcome
o Understanding what she needs to do and why
o Eliminating low hanging fruits
o Making exploitation harder

• Wait for the attacker
o Certain access/user credentials need to be obtained
o Certain information needs to be gathered

• Building attack-resilient processes
o Put mechanical protections in place (e.g. manual valve)
o By design (slow vs. fast valves)
o Hardening (adjusting control cycle and/or parameters)

TE: http://github.com/satejnik/DVCP-TE
VAM: http://github.com/satejnik/DVCP-VAM

Marina Krotofil marina.krotofil@encs.eu
