When it comes to hacking chemical plants, the scenario where an attacker goes hackedity-hack-hack and the plant goes boom fortunately happens only in the movies. But “if you plan to improve your financial posture,” now and at least the next five years is a good time for security researchers to jump into cyber-physical systems security, where the attacks you will be most concerned about are the ones that cause physical damage.
Granted, you and attackers may know a lot about the IT world, and even about Industrial Control Systems (ICS), commonly lumped together under the SCADA label, but hacking a chemical plant also means needing to know some physics, chemistry and engineering. The Damn Vulnerable Chemical Process was developed to help you master those new skills; it is the “first open source framework for cyber-physical experimentation based on two realistic models of chemical plants.”
At Def Con 23, Marina Krotofil, senior security consultant at the European Network for Cyber Security, and Jason Larsen, principal security consultant at IOActive, presented Rocking the pocket book: Hacking chemical plants for competition and extortion; you can grab a copy of their presentation (pdf) and slides (pdf), in which the duo delved into a complete attack, from start to finish, on a simulated plant for vinyl acetate production. Pulling off an operational technology hack that affects a physical thing in the real world is an extremely complex process with many stages, ranging from learning how the process behaves to leaving false forensic footprints in order to get away with the attack.
Cyber-physical attacks “go through several stages before the evil goals can be achieved;” most attackers have no idea about the complete process and how to manipulate it. If an attacker remotely tweaked one thing, turned a valve for example, how would that affect something else like reactor temperature? “Cyber attacks on process networks may allow the attacker to obtain sensor readings, to manipulate sensor measurements sent to controllers and instructions sent to actuators. To appreciate the effect of such manipulations the attacker has to understand the physical part of her target.” You need only look at one of several diagrams to grasp how much an attacker would need to understand.
“Blindly trying to destroy a process by overheating a tank will probably only result in exercising the emergency shutdown logic and the pressure relief valves,” they explained. When an attacker goes searching for answers, they may well understand the technician’s documentation, but they also need to understand the harder version: the engineer’s answers.
Stages of cyber-physical attacks
Access, discovery, control, damage and cleanup are the stages of cyber-physical attacks.
The construction of a successful attack has to go through several stages: some can be performed in parallel, some will be performed repeatedly, and some will require expertise on the physical part of the cyber-physical system, an expertise not commonly found in the IT security community.
While the access stage is the most familiar to a traditional IT hacker, the damage phase is the “least familiar,” as it can require “input of subject matter experts to understand the full range of possibilities.”
Because blindly hacking a process to overheat a tank might simply trigger an emergency shutdown, the discovery phase involves learning the details of the process, for example from documentation; discovery could also be the end goal for attackers interested in espionage and reconnaissance.
The control stage seems extremely complicated, as attackers need to discover the dynamic behavior of the cyber-physical system as well as every part of its processes. “The control phase is mostly about mapping out the dependencies between each actuator and all of the downstream measurements.” Data has to be extracted from live processes, and the researchers said this is where defenders have the best chance of noticing attackers.
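To make the last two points concrete, here is an added example that is not code from the researchers or from DVCP: a toy heated tank with an invented first-order model, a PI temperature loop, and a safety layer (high-temperature ESD trip plus a relief valve), all with constructed constants. `naive_overheat` is the “blindly overheat a tank” attack from above, which only exercises the shutdown logic. `step_test` is a control-stage probe: it offsets the heater command, holds it, and measures how far each downstream reading moves per unit of actuator, which is the actuator-to-measurement dependency mapping the talk describes. `detect_tampering` is the defender’s side, assuming a passive tap that can see both the controller’s computed demand and the command the actuator actually received; the attacker has to write to the live process to learn anything, and that divergence is what gives the defender a chance.

```python
"""Toy cyber-physical testbed: a heated tank, the PI loop that runs it, and
the safety layer that sits above both. Added example with an invented
first-order model; it is not DVCP code and every constant is constructed."""

from dataclasses import dataclass


def _clamp(x, lo, hi):
    return max(lo, min(hi, x))


@dataclass
class State:
    temp: float = 80.0         # degC, what the sensor reports
    pressure: float = 1.0      # bar
    heater_cmd: float = 0.0    # actuator setting actually applied, 0..1
    tripped: bool = False      # emergency shutdown latched
    relief_open: bool = False  # relief valve has lifted at least once
    damaged: bool = False      # vessel exceeded its rupture pressure


class ToyPlant:
    AMBIENT = 20.0
    HEATER_GAIN = 150.0   # steady-state degC rise above ambient at heater=1
    TAU = 20.0            # first-order time constant, in steps
    TRIP_TEMP = 130.0     # high-temperature ESD setpoint
    RELIEF_BAR = 2.5      # relief valve lifts here
    RUPTURE_BAR = 3.5     # reachable only if the relief valve fails

    def __init__(self, setpoint=80.0):
        self.s = State()
        self.setpoint = setpoint
        self.integral = 800.0   # pre-wound so the loop starts at steady state
        self.log = []           # (demand, applied cmd, temp, pressure, tripped)

    def controller(self):
        """PI loop the operators believe is driving the heater."""
        err = self.setpoint - self.s.temp
        self.integral += err
        return _clamp(0.02 * err + 0.0005 * self.integral, 0.0, 1.0)

    def step(self, override=None):
        """Advance one step. `override` models an attacker rewriting the
        instruction between controller and actuator; the ESD still wins."""
        s = self.s
        demand = self.controller()
        cmd = demand if override is None else _clamp(override, 0.0, 1.0)
        if s.tripped:
            cmd = 0.0
        s.heater_cmd = cmd
        s.temp += (self.AMBIENT + self.HEATER_GAIN * cmd - s.temp) / self.TAU
        # pressure only starts to rise once the contents are above 100 degC
        s.pressure = 1.0 + 0.05 * max(0.0, s.temp - 100.0)
        if s.temp >= self.TRIP_TEMP:
            s.tripped = True
        if s.pressure >= self.RELIEF_BAR:
            s.relief_open = True
            s.pressure = self.RELIEF_BAR   # vented
        if s.pressure >= self.RUPTURE_BAR:
            s.damaged = True
        self.log.append((demand, cmd, s.temp, s.pressure, s.tripped))
        return s


def naive_overheat(steps=400):
    """The 'blindly overheat a tank' attack: hold the heater at 100 %."""
    p = ToyPlant()
    for _ in range(steps):
        p.step(override=1.0)
    return p


def step_test(delta=0.3, hold=80):
    """Control-stage reconnaissance: offset the actuator by `delta`, hold it,
    and measure how far each downstream reading moves per unit of heater.
    The probe must stay inside the safety limits or it trips the ESD itself."""
    p = ToyPlant()
    p.step()   # one untouched step to learn the resting command and readings
    base_cmd, base_temp, base_pres = p.s.heater_cmd, p.s.temp, p.s.pressure
    for _ in range(hold):
        p.step(override=base_cmd + delta)
    gains = {
        "temp_per_heater": (p.s.temp - base_temp) / delta,
        "pressure_per_heater": (p.s.pressure - base_pres) / delta,
    }
    return p, gains


def detect_tampering(log, tolerance=0.02):
    """Defender's check, assuming a passive tap that sees both the controller's
    demand and the command the actuator received: flag steps where they differ
    (ignoring steps where the safety system itself has overridden the loop)."""
    return [i for i, (demand, cmd, _, _, tripped) in enumerate(log)
            if not tripped and abs(demand - cmd) > tolerance]


if __name__ == "__main__":
    p = naive_overheat()
    print("naive attack: tripped=%s relief=%s damaged=%s"
          % (p.s.tripped, p.s.relief_open, p.s.damaged))
    q, gains = step_test()
    print("step test: gains=%s flagged=%d" % (gains, len(detect_tampering(q.log))))
```

Two things worth noticing when running it. The naive attack trips the ESD and lifts the relief valve within a few dozen steps and the vessel is never damaged, exactly the outcome the researchers predict. The step test recovers a temperature sensitivity close to the model’s true gain, but the pressure sensitivity it reports depends on where the probe lands: a small offset that keeps the tank below 100 degC reports zero pressure response, so an attacker probing at one operating point learns a dependency map that is only valid near that point. Meanwhile every probing step shows up in the demand-versus-command comparison, which is the kind of signal a defender with visibility into both sides of the actuator link can alarm on.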
Trying to pin the hack on someone else, such as making it look like a maintenance person made a big mistake, is part of the cleanup stage. Regarding cleanup, the researchers wrote:
In traditional IT hacking, a goal is to go undetected. In most process control scenarios, this is not an option. If a piece of equipment is damaged or if a plant suddenly becomes less profitable, someone will be sent to investigate. An attack will change things in the real world that cannot be removed by simply erasing the log files. The cleanup phase is about creating a forensic footprint for investigators by manipulating the process and the logs in such a way that the analyst draws the wrong conclusions. The goal is to get the attack blamed on operator error or equipment failure instead of a cyber event.
3 classes of cyber-physical attacks
They explained that there are three classes of cyber-physical attacks: Equipment damage, production damage and compliance violation.
An attack aimed at physical damage of equipment can be achieved by overstressing the equipment – as was done in the second version of Stuxnet – or by violating safety limits, which is how researchers at Idaho National Labs remotely destroyed a power generator.
Attacks aimed at production damage change product quality and production rate; this can affect the price of the product, increase operating costs, or impact the production process by increasing maintenance workloads.
An attack aimed at compliance violation can result in fines for a company and bad publicity. Attacks aimed at safety carry the most collateral damage, since they can cause environmental damage and lethal accidents. Other compliance-violation attacks might be aimed at environmental pollution or at causing contractual agreements to be broken.
Damn Vulnerable Chemical Process
Krotofil and Larsen demonstrated an attack on “a simulation of a vinyl acetate monomer plant to give some glimpses on the detours an attacker may have to take to reach her goal. Studying the hurdles the attacker has to overcome allows [us] to understand what she needs to do and why. This knowledge [is] useful for eliminating low hanging fruits and making exploitation harder. Analyzing processes when maliciously manipulated enables process operators to discover the weaknesses of a process design in the presence of cyber attacks. The defenders in turn gain insights which additional controls might increase the resilience of physical processes to cyber assaults.”
They developed the Damn Vulnerable Chemical Process (DVCP), the first open-source framework for cyber-physical security experimentation; it combines two models, the Tennessee Eastman (TE) process and the Vinyl Acetate Monomer (VAM) plant, both hosted on GitHub. Why in the world would they start with chemical plants? They said chemical plants make excellent case studies. DVCP lets people “study what it takes to convert a cyber attack into successful cyber-physical attack. The frameworks are useful for working on individual attack instances and complex attacks.”
Below are just two of the several DVCP screenshots supplied by the researchers.
If delving into the subject starts to give you a headache, you might want to start with something a bit more basic. Luckily, at Black Hat USA, Larsen also presented Remote Physical Damage 101: Bread and Butter Attacks (pdf). It does include yet another cybersecurity acronym, CPS for CyberPhysical System. Larsen said, “Attacking software has been described as ‘unexpected computation’. Attacking a process is all about ‘unexpected physics’.” Although “finding and exploiting process-specific flaws takes subject matter expertise,” Larsen talked about “bread and butter attacks” that are “generic attacks that can be applied in a wide range of scenarios.”