Marina Krotofil
D1 - Marina Krotofil - Hacking Chemical Plants for Competition and Extortion
D1 - Marina Krotofil - Hacking Chemical Plants for Competition and Extortion
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Rocking the Pocket Book: Hacking Chemical<br />
Plants for CompeCCon and ExtorCon<br />
<strong>Marina</strong> <strong>Krotofil</strong><br />
HITB Singapore<br />
14.10.2015
Industrial Control Systems aka SCADA<br />
Physical<br />
applicaCon
Industrial Control Systems aka SCADA<br />
Data flow<br />
Physical process
Cyber-physical systems<br />
Cyber-physical systems are IT systems “embedded” in an<br />
applicaCon in the physical world<br />
Interest of the aQacker is in the<br />
physical world
The world is not the same anymore<br />
Pity!!<br />
James Bond 007 –<br />
Casino Royale<br />
James Bond 007 – Skyfall
Cyber-physical hack<br />
James Bond 007: Skyfall
Control systems<br />
security
Control equipment vulnerabiliCes<br />
ICSA-15-099-01A:<br />
Siemens SIMATIC HMI<br />
Devices VulnerabiliCes<br />
(Update A)<br />
ICSA-13-274-01: Schneider<br />
Electric Telvent SAGE RTU<br />
DNP3 Improper Input<br />
ValidaCon Vulnerability<br />
ICSA-11-307-01:<br />
Schneider Electric Vijeo<br />
Historian Web Server<br />
MulCple VulnerabiliCes<br />
ICSA-13-274-01: Siemens<br />
SCALANCE X-200<br />
AuthenCcaCon Bypass<br />
Vulnerability<br />
ICSA-15-111-01:<br />
Emerson AMS Device<br />
Manager SQL InjecCon<br />
Vulnerability<br />
ICSA-12-320-01 : ABB<br />
AC500 PLC Webserver<br />
CoDeSys Vulnerability<br />
ICS-ALERT-14-323-01:<br />
Advantech EKI-6340<br />
Command InjecCon<br />
ICSA-15-048-03:<br />
Yokogawa HART Device<br />
DTM Vulnerability
ICS-CERT recommendaCon<br />
ICSA-13-274-01: Siemens SCALANCE X-200 AuthenCcaCon Bypass Vulnerability<br />
IMPACT<br />
Successful exploita1on of this vulnerability may allow a:ackers to perform<br />
administra1ve opera1ons over the network without authen1ca1on.<br />
Impact to individual organiza2ons depends on many factors that are unique<br />
to each organiza2on. ICSCERT recommends that organiza2ons evaluate the<br />
impact of this vulnerability based on their opera2onal environment,<br />
architecture, and product implementa2on.
Typical idea about post exploitaCon
TCP/IP based communicaCon<br />
Industrial switch<br />
Ethernet, my old friend<br />
(hack meeee!!!)<br />
Modbus, DNP, IEC850 are common protocols
Hear is the plant. What is the plan?<br />
Source: simentari.com
Timing of the DoS aQack<br />
2820<br />
Reactor Pressure<br />
2850<br />
Reactor Pressure<br />
2810<br />
2800<br />
Ordinary<br />
glitch<br />
kPa gauge<br />
2800<br />
2790<br />
2780<br />
2770<br />
Without attack<br />
Under attack<br />
2760<br />
0 10 20 30 40 50 60 70<br />
Hours<br />
kPa gauge<br />
2750<br />
2700<br />
2650<br />
2600<br />
2550<br />
2500<br />
Without attack<br />
Under attack<br />
2450<br />
0 10 20 30 40 50 60 70<br />
Hours<br />
Economic<br />
inefficiency<br />
Near miss<br />
(almost<br />
safety<br />
accident)<br />
kPa gauge<br />
2950<br />
2900<br />
2850<br />
2800<br />
2750<br />
Reactor Pressure<br />
Without attack<br />
Under attack<br />
2700<br />
0 10 20 30 40 50 60 70<br />
Hours<br />
kPa gauge<br />
3000<br />
2950<br />
2900<br />
2850<br />
2800<br />
Without attack<br />
Under attack<br />
Reactor Pressure<br />
2750<br />
0 5 10 15 20 25 30<br />
Hours<br />
Safety<br />
shutdown<br />
Impact of 8h long a:ack on reactor pressure at<br />
random 1me
Impact evaluaCon<br />
q What exactly the a:acker can do with the vulnerability?<br />
q Any further necessary condi1ons required?<br />
q How severe the poten1al physical impact?<br />
Answering these quesCons requires understanding how the<br />
aQacker interacts with the control system and the process
Process control
Process control automaCon<br />
Set point<br />
Running downstairs to turn on the<br />
furnace every 1me it gets cold is<br />
1ring, so you automate it with a<br />
thermostat
Control loop<br />
Actuators<br />
Physical process<br />
Sensors<br />
%<br />
Adjust themselves<br />
to influence<br />
process behavior<br />
63.8<br />
63.6<br />
63.4<br />
63.2<br />
63<br />
D feed<br />
Control<br />
system<br />
Computes control<br />
commands for<br />
actuators<br />
kg/h<br />
3750<br />
3700<br />
3650<br />
Measure process<br />
state<br />
D Feed<br />
62.8<br />
62.6<br />
62.4<br />
0 10 20 30 40 50 60 70 80<br />
3600<br />
3550<br />
0 10 20 30 40 50 60 70 80<br />
Hours<br />
Hours
CC<br />
1<br />
PC<br />
TC<br />
LC<br />
2<br />
3<br />
LC 4<br />
PC<br />
5<br />
6<br />
TC<br />
7<br />
LC<br />
8<br />
TC<br />
9<br />
TC<br />
11<br />
LC<br />
12<br />
TC<br />
14<br />
TC<br />
16<br />
CC<br />
CC 17<br />
18<br />
TC<br />
19<br />
CC<br />
LC<br />
25<br />
20<br />
TC<br />
21<br />
TC<br />
LC<br />
LC<br />
24<br />
22<br />
23<br />
26<br />
15<br />
13<br />
10<br />
Understanding control structure<br />
Control<br />
loop
Process interdependencies<br />
%mol<br />
0.0752<br />
0.075<br />
0.0748<br />
0.0746<br />
O2 in Reactor Feed<br />
0.0744<br />
0 2 4 6 8<br />
Hours<br />
%mol<br />
C2H6 in Gas Recycle<br />
0.258<br />
0.256<br />
0.254<br />
0.252<br />
0.25<br />
0.248<br />
0.246<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
158<br />
Heater Exit Temperature<br />
156<br />
154<br />
97.2<br />
FEHE Cold Exit Temperature<br />
C<br />
152<br />
97.15<br />
150<br />
148<br />
146<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
C<br />
97.1<br />
97.05<br />
97<br />
0.85<br />
Organic Flow Rate<br />
96.95<br />
0 2 4 6 8<br />
Hours<br />
Kmol/min<br />
0.84<br />
0.83<br />
160<br />
159.8<br />
Reactro Exit Temperature<br />
0.82<br />
0.81<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
159.6<br />
C<br />
159.4<br />
159.2<br />
159<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
0.503<br />
HAc Tank Level<br />
0.502<br />
%<br />
0.501<br />
0.5<br />
0 1 2 3 4 5 6 7 8<br />
Hours
Control equipment<br />
q In large –scale opera1ons control logic gets more complex<br />
than a thermostat<br />
q The control is typically done by a programmable logic<br />
controller (PLC)
Plant floor<br />
Sensors<br />
Actuators
Field communicaCon<br />
Wires are run from sensors and<br />
actuators into wiring cabinets
PLC internals<br />
Sensors<br />
1. Copy data from inputs to temporary storage<br />
2. Run the logic<br />
3. Copy from temporary storage to outputs<br />
Actuators<br />
Outputs<br />
Inputs
Control logic<br />
q Defines what should (not) happen to the process:<br />
condi1ons, order, 1me<br />
(Programmed graphically most<br />
of 1me. Nope, no python or<br />
java)<br />
If tank pressure in PLC 1 > 1800<br />
reduce inflow in PLC 3
Interlocks<br />
q Process safety increasingly depends on the logic in the<br />
controllers<br />
q Ladder logic can tell you a lot about what the engineer that<br />
designed the process was worried about<br />
q Search for the master stop<br />
The motor should not be running when the valve is closed
Process interdependencies<br />
%mol<br />
0.0752<br />
0.075<br />
0.0748<br />
0.0746<br />
O2 in Reactor Feed<br />
0.0744<br />
0 2 4 6 8<br />
Hours<br />
%mol<br />
C2H6 in Gas Recycle<br />
0.258<br />
0.256<br />
0.254<br />
0.252<br />
0.25<br />
0.248<br />
0.246<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
158<br />
Heater Exit Temperature<br />
156<br />
154<br />
97.2<br />
FEHE Cold Exit Temperature<br />
C<br />
152<br />
97.15<br />
150<br />
148<br />
146<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
C<br />
97.1<br />
97.05<br />
97<br />
0.85<br />
Organic Flow Rate<br />
96.95<br />
0 2 4 6 8<br />
Hours<br />
Kmol/min<br />
0.84<br />
0.83<br />
160<br />
159.8<br />
Reactro Exit Temperature<br />
0.82<br />
0.81<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
159.6<br />
C<br />
159.4<br />
159.2<br />
159<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
0.503<br />
HAc Tank Level<br />
0.502<br />
%<br />
0.501<br />
0.5<br />
0 1 2 3 4 5 6 7 8<br />
Hours
PID control<br />
q PID: proporConal, integral, derivaCve – most widely used control<br />
algorithm on the planet<br />
q The sum of 3 components makes the final control signal<br />
q PI controllers are most oXen used<br />
Jacques Smuts „Process Control for Prac11oners“
Time constants<br />
Requires reconnaissance on live process<br />
Jacques Smuts „Process Control for Prac11oners“
Process control vulnerability<br />
11.2<br />
Time constant of 60 min<br />
15.1<br />
114.5<br />
96.0
PLC cannot do it alone<br />
q PLC does not have the complete picture and 1me trends<br />
q Human operators watch the process 7/24<br />
q Most important task: resolving of alarms
Operator is not almighty<br />
Sanity checks
Industrial Control Systems aka SCADA<br />
DefiniCon of real Cme (Cme constant)<br />
Physical process
Why to hack SCADA
Industrial Control Systems<br />
Industry means big business<br />
Big business == $$$$$$$
Why to aQack ICS<br />
Industry means big business<br />
Big business == $$$$$$$<br />
Alan Paller of SANS (2008):<br />
In the past two years, hackers have successfully penetrated and<br />
extorted mul1ple u1lity companies that use SCADA systems.<br />
Hundreds of millions of dollars have been extorted, and possibly<br />
more. It's difficult to know, because they pay to keep it a secret.<br />
This kind of extorCon is the biggest untold story of the<br />
cybercrime industry.
AQack payload<br />
AQack<br />
objecCve<br />
Cyber-physical<br />
payload
What can be done to the process<br />
Equipment damage<br />
q Equipment overstress<br />
q ViolaCon of safety limits<br />
ProducCon damage<br />
q Product quality and<br />
product rate<br />
q OperaCng costs<br />
q Maintenance efforts<br />
Compliance violaCon<br />
q Safety<br />
q PolluCon<br />
q Contractual agreements<br />
Paracetamol<br />
Purity RelaCve price, EUR/kg<br />
98% 1<br />
99% 5<br />
100% 8205<br />
Source: h:p://www.sigmaaldrich.com/
AQack consideraCons<br />
q Equipment damage<br />
o Comes first into anybody’s mind (+)<br />
o Irreversible ( )<br />
o Unclear collateral damage (-)<br />
o May transform into compliance<br />
viola1on, e.g. if it kills human (-)<br />
±<br />
Equipment damage<br />
ProducCon damage<br />
Compliance violaCon<br />
q Compliance violaCon<br />
o Must be reported to the authori1es ( )<br />
o Will be inves1gated by the responsible agencies (-)<br />
o Compliance regula1ons are public knowledge (+)<br />
o Unclear collateral damage (-)<br />
±
ProducCon damage aQack<br />
AQack goal: persistent economic damage
Get the party started!
Plants for sale<br />
From LinkedIn<br />
More plants offers:<br />
h:p://www.usedplants.com/
Vinyl Acetate Monomer plant (model)
Stages of cyber-physical aQacks
Hacking Chemical Plant for CompeCCon & ExtorCon<br />
Access<br />
Cleanup<br />
Discovery<br />
Damage<br />
Control
Stages of SCADA aQack<br />
Access<br />
Cleanup<br />
Discovery<br />
Damage<br />
Control
Stages of SCADA aQack<br />
Access<br />
Cleanup<br />
Discovery<br />
Damage<br />
Control
Access
TradiConal IT hacking<br />
• 1 0day<br />
• 1 Clueless user<br />
• Repeat unCl done<br />
• No security<br />
• Move freely<br />
Exploit pack<br />
• AnCVirus and patch management<br />
• Database links<br />
• Backup systems
Modern IT hacking<br />
q Select a vulnerability from the list of<br />
ICS-CERT advisories<br />
q Scan Internet to locate vulnerable<br />
devices<br />
q Exploit<br />
• E. Levere:, R. Wightman. Vulnerability Inheritance in Programmable Logic Controllers (GreHack‘13)
Discovery
Know the equipment<br />
Stripping column aka stripper
Process discovery<br />
What and how the<br />
process is producing<br />
How it is<br />
controlled<br />
How it is build<br />
and wired<br />
OperaCng and<br />
safety<br />
constraints<br />
Espionage, reconnaissance<br />
Target plant and third par1es
Espionage<br />
q Industrial espionage has started LONG Cme ago<br />
(malware samples dated as early as 2003)
Process discovery
Max economic damage?<br />
ReacCon<br />
Refinement<br />
Final<br />
product<br />
Requires input of subject ma:er experts
CC<br />
1<br />
PC<br />
TC<br />
LC<br />
2<br />
3<br />
LC 4<br />
PC<br />
5<br />
6<br />
TC<br />
7<br />
LC<br />
8<br />
TC<br />
9<br />
TC<br />
11<br />
LC<br />
12<br />
TC<br />
14<br />
TC<br />
16<br />
CC<br />
CC 17<br />
18<br />
TC<br />
19<br />
CC<br />
LC<br />
25<br />
20<br />
TC<br />
21<br />
TC<br />
LC<br />
LC<br />
24<br />
22<br />
23<br />
26<br />
15<br />
13<br />
10<br />
Understanding control structure<br />
Control<br />
loop
Control loop configuraCon
Understanding points and logic<br />
Programmable Logic Controller<br />
Ladder logic<br />
Piping and instrumentaCon diagram<br />
Pump in the plant
Understanding points and logic<br />
Programmable Logic Controller<br />
Ladder logic<br />
HAVEX: Using OPC, the malware<br />
component gathers any details about<br />
connected devices and sends them<br />
back to the C&C.<br />
Piping and instrumentaCon diagram<br />
Pump in the plant
Obtaining control != being in control<br />
Control Loop<br />
XMV{1}<br />
q Obtained controls might not be<br />
useful for a:ack goal<br />
q A:acker might not necessary be<br />
able to control obtained controls<br />
XMV{2}<br />
???<br />
XMV{3}
Control<br />
Every acCon has a reacCon
Physics of process control<br />
Once hooked up together, physical components become related<br />
to each other by the physics of the process<br />
q How much does the process can be changed before<br />
releasing alarms or it shupng down?
Process interdependencies<br />
%mol<br />
0.0752<br />
0.075<br />
0.0748<br />
0.0746<br />
O2 in Reactor Feed<br />
0.0744<br />
0 2 4 6 8<br />
Hours<br />
%mol<br />
C2H6 in Gas Recycle<br />
0.258<br />
0.256<br />
0.254<br />
0.252<br />
0.25<br />
0.248<br />
0.246<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
158<br />
Heater Exit Temperature<br />
156<br />
154<br />
97.2<br />
FEHE Cold Exit Temperature<br />
C<br />
152<br />
97.15<br />
150<br />
148<br />
146<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
C<br />
97.1<br />
97.05<br />
97<br />
0.85<br />
Organic Flow Rate<br />
96.95<br />
0 2 4 6 8<br />
Hours<br />
Kmol/min<br />
0.84<br />
0.83<br />
160<br />
159.8<br />
Reactro Exit Temperature<br />
0.82<br />
0.81<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
159.6<br />
C<br />
159.4<br />
159.2<br />
159<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
0.503<br />
HAc Tank Level<br />
0.502<br />
%<br />
0.501<br />
0.5<br />
0 1 2 3 4 5 6 7 8<br />
Hours
Process interdependencies<br />
%mol<br />
0.0752<br />
0.075<br />
0.0748<br />
0.0746<br />
O2 in Reactor Feed<br />
0.0744<br />
0 2 4 6 8<br />
Hours<br />
%mol<br />
C2H6 in Gas Recycle<br />
0.258<br />
0.256<br />
0.254<br />
0.252<br />
0.25<br />
0.248<br />
0.246<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
158<br />
Heater Exit Temperature<br />
156<br />
154<br />
97.2<br />
FEHE Cold Exit Temperature<br />
C<br />
152<br />
97.15<br />
150<br />
148<br />
146<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
C<br />
97.1<br />
97.05<br />
97<br />
0.85<br />
Organic Flow Rate<br />
96.95<br />
0 2 4 6 8<br />
Hours<br />
Kmol/min<br />
0.84<br />
0.83<br />
160<br />
159.8<br />
Reactro Exit Temperature<br />
0.82<br />
0.81<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
159.6<br />
C<br />
159.4<br />
159.2<br />
159<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
0.503<br />
HAc Tank Level<br />
0.502<br />
%<br />
0.501<br />
0.5<br />
0 1 2 3 4 5 6 7 8<br />
Hours
Understanding process response<br />
• Control algorithm<br />
• Controller tuning<br />
• Sizing<br />
• Dead band<br />
• Flow proper1es<br />
• Equipment design<br />
• Process design<br />
• Control loops coupling<br />
• Opera1ng prac1ce<br />
• Control strategy<br />
Set point<br />
Controller<br />
Final control<br />
element<br />
Process<br />
Disturbance<br />
Transmi:er<br />
• Type<br />
• Dura1on<br />
• Sampling frequency<br />
• Noise profile<br />
• Filtering
Control loop ringing<br />
Vaporizer Pressure<br />
psia<br />
128<br />
127.99<br />
Amount of chemical entering<br />
the reactor<br />
0 0.02 0.04 0.06 0.08<br />
Hours<br />
Caused by a nega1ve real<br />
controller poles<br />
Makes process unstable and<br />
uncontrollable<br />
Ringing impact<br />
raCo 1: 150
Process control challenges<br />
q Process dynamic is highly non-linear (???)<br />
UNCERTAINTY!<br />
q Behavior of the process is known<br />
to the extent of its modelling<br />
o So to controllers. They cannot<br />
control the process beyond<br />
their control model<br />
C<br />
159.25<br />
159.2<br />
159.15<br />
159.1<br />
159.05<br />
Reactor exit temperature<br />
159<br />
0 1 2 3 4 5 6 7 8<br />
Hours<br />
This triggers alarms<br />
Non-liner response
Types of aQacks<br />
0.53<br />
Fresh O2 Feed<br />
Kmol/min<br />
0.52<br />
0.51<br />
Step aQack<br />
0.5<br />
0 5 10 15 20<br />
Hours<br />
Recovery Cme<br />
Magnitude of manipulaCon<br />
Deg C<br />
158<br />
156<br />
154<br />
152<br />
150<br />
148<br />
Periodic aQack<br />
Heater Exit Temperature<br />
146<br />
0 5 10 15 20<br />
Hours
Outcome of the control stage<br />
I am 163cm tall<br />
We should automate this process<br />
(work in progress)
Outcome of the control stage<br />
SensiCvity Magnitude of manipulaCon Recovery Cme<br />
High XMV {1;5;7} XMV {4;7}<br />
Medium XMV {2;4;6} XMV {5}<br />
Low XMV{3} XMV {1;2;3;6}<br />
Reliably useful controls
Alarm propagaCon<br />
To persist we shall not bring about alarms<br />
Alarm Steady state aQacks Periodic aQacks<br />
Gas loop 02 XMV {1} XMV {1}<br />
Reactor feed T XMV {6} XMV {6}<br />
Rector T XMV{7} XMV{7}<br />
FEHE effluent XMV{7} XMV{7}<br />
Gas loop P XMV{2;3;6} XMV{2;3;6}<br />
HAc in decanter XMV{2;3;7} XMV{3}<br />
The aQacker needs to figure out the marginal aQack<br />
parameters which (do not) trigger alarms
Fingerprints of plant dynamic behavior
Jason Larsen at S4x15: new triangles<br />
Process State Uncertainty<br />
B<br />
C<br />
Falling Slopes<br />
A<br />
Rising Slopes<br />
D<br />
B<br />
C<br />
A<br />
Falling Dead Time<br />
1A2A2B1B2C2D<br />
3A2A2B2C2D2A<br />
2B1C1D3B3C3D<br />
Process fingerprint<br />
Rising Dead Time<br />
Slopes: Most<br />
confident<br />
correlation
Damage
How to break things?<br />
AQacker needs one or more aQack scenarios to deploy<br />
in final payload<br />
q The least familiar stage to IT hackers<br />
o In most cases requires input of<br />
subject ma:er experts<br />
q Accident data is a good star1ng point<br />
o Governmental agencies<br />
o Plants’ own data bases
Why control before damage?<br />
Ethylene<br />
Reactants<br />
q Life1me 1-2 years<br />
q Low per-pass conversion<br />
o 15-35% for CH₃COOH and 8-10% for C2H4<br />
q Selec1vity ≈ 94,8% (C2H4)<br />
Product<br />
On purpose low<br />
Subjected to constant<br />
improvement<br />
Catalyst
Catalyst killers<br />
q Hot spots above 200C -> permanent deac1va1on<br />
o Lower ac1vity at T > 180C<br />
We were not able to rise temperature in<br />
the reactor and maintain it for long enough<br />
to cause damage to the catalyst<br />
Reactor with<br />
cooling tubes
Hacker unfriendly process<br />
q Target plant may not have been designed in a hacker<br />
friendly way<br />
o There may no sensors measuring exact values needed for<br />
the a:ack execu1on<br />
o The informa1on about the process may spread across<br />
several subsystems making hacker invading more devices
Measuring the process<br />
Chemical<br />
composiCon<br />
Analyzer<br />
Analyzer<br />
FT<br />
TT<br />
FT<br />
Analyzer<br />
• Reactor exit flowrate<br />
• Reactor exit temperature<br />
• No analyzer<br />
Analyzer<br />
Measuring<br />
here is too late
Technician vs. engineer<br />
Technician<br />
Engineer<br />
“It will eventually<br />
drain with the<br />
lowest holes loosing<br />
pressure last”<br />
“It will be fully<br />
drained in 20.4<br />
seconds and the<br />
pressure curve<br />
looks like this”
Technician answer<br />
Usage of proxy sensor<br />
160.5<br />
Reactor Exit Temperature<br />
C<br />
160<br />
159.5<br />
159<br />
158.5<br />
0 5 10 15 20 24<br />
Hours<br />
Reactor with cooling<br />
tubes<br />
q Only tells us whether reac1on rate increases or decreases<br />
q Is not precise enough to compare effec1veness of different a:acks
Quest for engineering answer<br />
q Code in the controller<br />
q Op1miza1on applica1ons<br />
q Test process/plant<br />
0,00073; 0,00016; 0,0007…
Engineering answer<br />
160.5<br />
Reactor Exit Temperature<br />
C<br />
160<br />
159.5<br />
159<br />
158.5<br />
0 5 10 15 20 24<br />
Hours<br />
0.9<br />
Vinyl Acetate producCon<br />
VAC Concentration<br />
Kmol/min<br />
0.85<br />
0.8<br />
0.75<br />
0.7<br />
0 500 1000 1500<br />
Minutes
Product loss<br />
Product per day: 96.000$<br />
Product loss per day: 11.469,70$<br />
Average Outflow [Kmol/min]<br />
12<br />
10<br />
8<br />
6<br />
4<br />
2<br />
0<br />
Reactor: Loss137.21 Kmol (11469.70 $)<br />
Normal reaction<br />
Under attack<br />
O2 Co2 C2H4 C2H6 VAc H2O HAc<br />
Chemicals
Outcome of the damage stage<br />
Product per day: 96.000$<br />
Product loss, 24 hours Steady-state aQacks Periodic aQacks<br />
High, ≥ 10.000$ XMV {2} XMV {4;6}<br />
Medium, 5.000$ - 10.000$ XMV {6;7} XMV {5;7}<br />
Low, 2.000$ - 5.000$ - XMV {2}<br />
Negligible, ≤ 2.000$ XMV {1;3} XMV {1;2}<br />
SCll might be useful
Clean-up
Socio-technical system<br />
Operator<br />
• Maintenance stuff<br />
• Plant engineers<br />
• Process engineers<br />
• ….<br />
Controller<br />
Cyber-physical system
CreaCng forensics footprint<br />
q Process operators may get concerned aXer no1cing<br />
persistent decrease in produc1on and may try to fix<br />
the problem<br />
q If a:acks are 1med to a par1cular employee<br />
shiX or maintenance work, plant employee<br />
will be inves1gated rather than the process
CreaCng forensics footprint<br />
1. Pick several ways that the temperature can be<br />
increased<br />
2. Wait for the scheduled instruments calibra1on<br />
3. Perform the first a:ack<br />
4. Wait for the maintenance guy being<br />
yelled at and recalibra1on to be<br />
repeated<br />
5. Play next a:ack<br />
6. Go to 4
CreaCng forensics footprint<br />
163<br />
162<br />
Four different aQacks<br />
Reactor Temperature<br />
C<br />
160<br />
158<br />
157<br />
0 10 20 30 40<br />
Hours
DefeaCng chemical forensics<br />
q If reactor deemed malfunc1oning, chemical forensics will be<br />
asked to assist<br />
q Change aQack paQerns according to debugging<br />
efforts of plant personnel<br />
Efficiency [%]<br />
88<br />
86<br />
84<br />
82<br />
Reactor Average Efficiency Loss: 4.36 %<br />
Normal reaction<br />
Under attack<br />
Outflow [Kmol/min]<br />
0.8<br />
0.6<br />
0.4<br />
0.2<br />
Decanter<br />
Total Product: 429.04 Kmol (35865.28 $)<br />
VAc<br />
H2O<br />
HAc<br />
80<br />
0 200 400 600 800<br />
Time [minutes]<br />
0<br />
0 200 400 600 800<br />
Time [minutes]<br />
Selectivity [%]<br />
89<br />
88<br />
87<br />
86<br />
Reactor Average Selectivity Loss: 2.73 %<br />
Normal reaction<br />
Under attack<br />
Conversion [%]<br />
40<br />
30<br />
20<br />
10<br />
Reactor Average Conversion Rates O2 30.67%;C2H4 9.81;HAc 29.06%<br />
O2<br />
C2H4<br />
HAc<br />
85<br />
0 200 400 600 800<br />
Time [minutes]<br />
0<br />
0 200 400 600 800<br />
Time [minutes]
Data synchronizaCon and processing
ICCP<br />
Regulatory<br />
reporCng<br />
Just-in-Cme<br />
manufacturing<br />
Wireless<br />
links<br />
Access<br />
Operator’s<br />
screens<br />
Regulatory<br />
filings<br />
Point<br />
database<br />
Safety<br />
briefs<br />
Discovery<br />
Historian<br />
Small<br />
changes to<br />
the process<br />
RealCme<br />
data from<br />
sensors<br />
Safety<br />
systems<br />
Minimal<br />
process<br />
model<br />
Control<br />
Accident<br />
data<br />
SEC filings<br />
Process<br />
experts<br />
Custom<br />
research<br />
Custom<br />
operator<br />
spoofs<br />
WaiCng for<br />
unusual<br />
events<br />
Log<br />
tampering<br />
Forensic<br />
footprint<br />
Cleanup<br />
Damage<br />
Final Payload
A{erword
State-of-the-art of ICS security<br />
TCP/IP
Food for thought<br />
q Cost of aQack can quickly exceed cost of damage<br />
o Hacking into large number of devices<br />
o Suppression of alarms and process data spoofing<br />
o Badly behaved control loops , synchroniza1on of ac1ons<br />
q Each process is unique, but…<br />
o There are instances of a:acks applicable to wide range of<br />
scenarios<br />
o SCADA payloads for Metasploit is just a maQer of Cme
Thank you<br />
marina.krotofil@tuhh.de<br />
@marmusha<br />
Damn Vulnerable Chemical Process<br />
TE: h:p://github.com/satejnik/DVCP-TE<br />
VAM: h:p://github.com/satejnik/DVCP-VAM<br />
Thanksgiving:<br />
Jason Larsen for all collaboraCons