Marina Krotofil

Rocking the Pocket Book: Hacking Chemical 

Plants for CompeCCon and ExtorCon 

Marina Krotofil 

HITB Singapore 

14.10.2015

Industrial Control Systems aka SCADA 

Physical 

applicaCon


Data flow 

Physical process

Cyber-physical systems 

Cyber-physical systems are IT systems “embedded” in an 

applicaCon in the physical world 

Interest of the aQacker is in the 

physical world

The world is not the same anymore 

Pity!! 

James Bond 007 – 

Casino Royale 

James Bond 007 – Skyfall

Cyber-physical hack 

James Bond 007: Skyfall

Control systems 

security

Control equipment vulnerabiliCes 

ICSA-15-099-01A: 

Siemens SIMATIC HMI 

Devices VulnerabiliCes 

(Update A) 

ICSA-13-274-01: Schneider 

Electric Telvent SAGE RTU 

DNP3 Improper Input 

ValidaCon Vulnerability 

ICSA-11-307-01: 

Schneider Electric Vijeo 

Historian Web Server 

MulCple VulnerabiliCes 

ICSA-13-274-01: Siemens 

SCALANCE X-200 

AuthenCcaCon Bypass 

Vulnerability 

ICSA-15-111-01: 

Emerson AMS Device 

Manager SQL InjecCon 

Vulnerability 

ICSA-12-320-01 : ABB 

AC500 PLC Webserver 

CoDeSys Vulnerability 

ICS-ALERT-14-323-01: 

Advantech EKI-6340 

Command InjecCon 

ICSA-15-048-03: 

Yokogawa HART Device 

DTM Vulnerability

ICS-CERT recommendaCon 

ICSA-13-274-01: Siemens SCALANCE X-200 AuthenCcaCon Bypass Vulnerability 

IMPACT 

Successful exploita1on of this vulnerability may allow a:ackers to perform 

administra1ve opera1ons over the network without authen1ca1on. 

Impact to individual organiza2ons depends on many factors that are unique 

to each organiza2on. ICSCERT recommends that organiza2ons evaluate the 

impact of this vulnerability based on their opera2onal environment, 

architecture, and product implementa2on.

Typical idea about post exploitaCon

TCP/IP based communicaCon 

Industrial switch 

Ethernet, my old friend 

(hack meeee!!!) 

Modbus, DNP, IEC850 are common protocols

Hear is the plant. What is the plan? 

Source: simentari.com

Timing of the DoS aQack 

2820 

Reactor Pressure 

2850 


2810 

2800 

Ordinary 

glitch 

kPa gauge 

2800 

2790 

2780 

2770 

Without attack 

Under attack 

2760 

0 10 20 30 40 50 60 70 

Hours 

kPa gauge 

2750 

2700 

2650 

2600 

2550 

2500 


Under attack 

2450 

0 10 20 30 40 50 60 70 

Hours 

Economic 

inefficiency 

Near miss 

(almost 

safety 

accident) 

kPa gauge 

2950 

2900 

2850 

2800 

2750 



Under attack 

2700 

0 10 20 30 40 50 60 70 

Hours 

kPa gauge 

3000 

2950 

2900 

2850 

2800 


Under attack 


2750 

0 5 10 15 20 25 30 

Hours 

Safety 

shutdown 

Impact of 8h long a:ack on reactor pressure at 

random 1me

Impact evaluaCon 

q What exactly the a:acker can do with the vulnerability? 

q Any further necessary condi1ons required? 

q How severe the poten1al physical impact? 

Answering these quesCons requires understanding how the 

aQacker interacts with the control system and the process

Process control

Process control automaCon 

Set point 

Running downstairs to turn on the 

furnace every 1me it gets cold is 

1ring, so you automate it with a 

thermostat

Control loop 

Actuators 

Physical process 

Sensors 

% 

Adjust themselves 

to influence 

process behavior 

63.8 

63.6 

63.4 

63.2 

63 

D feed 

Control 

system 

Computes control 

commands for 

actuators 

kg/h 

3750 

3700 

3650 

Measure process 

state 

D Feed 

62.8 

62.6 

62.4 

0 10 20 30 40 50 60 70 80 

3600 

3550 

0 10 20 30 40 50 60 70 80 

Hours 

Hours

CC 

1 

PC 

TC 

LC 

2 

3 

LC 4 

PC 

5 

6 

TC 

7 

LC 

8 

TC 

9 

TC 

11 

LC 

12 

TC 

14 

TC 

16 

CC 

CC 17 

18 

TC 

19 

CC 

LC 

25 

20 

TC 

21 

TC 

LC 

LC 

24 

22 

23 

26 

15 

13 

10 

Understanding control structure 

Control 

loop

Process interdependencies 

%mol 

0.0752 

0.075 

0.0748 

0.0746 

O2 in Reactor Feed 

0.0744 

0 2 4 6 8 

Hours 

%mol 

C2H6 in Gas Recycle 

0.258 

0.256 

0.254 

0.252 

0.25 

0.248 

0.246 

0 1 2 3 4 5 6 7 8 

Hours 

158 

Heater Exit Temperature 

156 

154 

97.2 

FEHE Cold Exit Temperature 

C 

152 

97.15 

150 

148 

146 

0 1 2 3 4 5 6 7 8 

Hours 

C 

97.1 

97.05 

97 

0.85 

Organic Flow Rate 

96.95 

0 2 4 6 8 

Hours 

Kmol/min 

0.84 

0.83 

160 

159.8 

Reactro Exit Temperature 

0.82 

0.81 

0 1 2 3 4 5 6 7 8 

Hours 

159.6 

C 

159.4 

159.2 

159 

0 1 2 3 4 5 6 7 8 

Hours 

0.503 

HAc Tank Level 

0.502 

% 

0.501 

0.5 

0 1 2 3 4 5 6 7 8 

Hours

Control equipment 

q In large –scale opera1ons control logic gets more complex 

than a thermostat 

q The control is typically done by a programmable logic 

controller (PLC)

Plant floor 

Sensors 

Actuators

Field communicaCon 

Wires are run from sensors and 

actuators into wiring cabinets

PLC internals 

Sensors 

1. Copy data from inputs to temporary storage 

2. Run the logic 

3. Copy from temporary storage to outputs 

Actuators 

Outputs 

Inputs

Control logic 

q Defines what should (not) happen to the process: 

condi1ons, order, 1me 

(Programmed graphically most 

of 1me. Nope, no python or 

java) 

If tank pressure in PLC 1 > 1800 

reduce inflow in PLC 3

Interlocks 

q Process safety increasingly depends on the logic in the 

controllers 

q Ladder logic can tell you a lot about what the engineer that 

designed the process was worried about 

q Search for the master stop 

The motor should not be running when the valve is closed


%mol 

0.0752 

0.075 

0.0748 

0.0746 


0.0744 

0 2 4 6 8 

Hours 

%mol 


0.258 

0.256 

0.254 

0.252 

0.25 

0.248 

0.246 

0 1 2 3 4 5 6 7 8 

Hours 

158 


156 

154 

97.2 


C 

152 

97.15 

150 

148 

146 

0 1 2 3 4 5 6 7 8 

Hours 

C 

97.1 

97.05 

97 

0.85 


96.95 

0 2 4 6 8 

Hours 

Kmol/min 

0.84 

0.83 

160 

159.8 


0.82 

0.81 

0 1 2 3 4 5 6 7 8 

Hours 

159.6 

C 

159.4 

159.2 

159 

0 1 2 3 4 5 6 7 8 

Hours 

0.503 


0.502 

% 

0.501 

0.5 

0 1 2 3 4 5 6 7 8 

Hours

PID control 

q PID: proporConal, integral, derivaCve – most widely used control 

algorithm on the planet 

q The sum of 3 components makes the final control signal 

q PI controllers are most oXen used 

Jacques Smuts „Process Control for Prac11oners“

Time constants 

Requires reconnaissance on live process 

Jacques Smuts „Process Control for Prac11oners“

Process control vulnerability 

11.2 

Time constant of 60 min 

15.1 

114.5 

96.0

PLC cannot do it alone 

q PLC does not have the complete picture and 1me trends 

q Human operators watch the process 7/24 

q Most important task: resolving of alarms

Operator is not almighty 

Sanity checks


DefiniCon of real Cme (Cme constant) 

Physical process

Why to hack SCADA

Industrial Control Systems 

Industry means big business 

Big business == $$$$$$$

Why to aQack ICS 

Industry means big business 

Big business == $$$$$$$ 

Alan Paller of SANS (2008): 

In the past two years, hackers have successfully penetrated and 

extorted mul1ple u1lity companies that use SCADA systems. 

Hundreds of millions of dollars have been extorted, and possibly 

more. It's difficult to know, because they pay to keep it a secret. 

This kind of extorCon is the biggest untold story of the 

cybercrime industry.

AQack payload 

AQack 

objecCve 

Cyber-physical 

payload

What can be done to the process 

Equipment damage 

q Equipment overstress 

q ViolaCon of safety limits 

ProducCon damage 

q Product quality and 

product rate 

q OperaCng costs 

q Maintenance efforts 

Compliance violaCon 

q Safety 

q PolluCon 

q Contractual agreements 

Paracetamol 

Purity RelaCve price, EUR/kg 

98% 1 

99% 5 

100% 8205 

Source: h:p://www.sigmaaldrich.com/

AQack consideraCons 

q Equipment damage 

o Comes first into anybody’s mind (+) 

o Irreversible ( ) 

o Unclear collateral damage (-) 

o May transform into compliance 

viola1on, e.g. if it kills human (-) 

± 

Equipment damage 

ProducCon damage 

Compliance violaCon 

q Compliance violaCon 

o Must be reported to the authori1es ( ) 

o Will be inves1gated by the responsible agencies (-) 

o Compliance regula1ons are public knowledge (+) 

o Unclear collateral damage (-) 

±

ProducCon damage aQack 

AQack goal: persistent economic damage

Get the party started!

Plants for sale 

From LinkedIn 

More plants offers: 

h:p://www.usedplants.com/

Vinyl Acetate Monomer plant (model)

Stages of cyber-physical aQacks

Hacking Chemical Plant for CompeCCon & ExtorCon 

Access 

Cleanup 

Discovery 

Damage 

Control

Stages of SCADA aQack 

Access 

Cleanup 

Discovery 

Damage 

Control

Stages of SCADA aQack 

Access 

Cleanup 

Discovery 

Damage 

Control

Access

TradiConal IT hacking 

• 1 0day 

• 1 Clueless user 

• Repeat unCl done 

• No security 

• Move freely 

Exploit pack 

• AnCVirus and patch management 

• Database links 

• Backup systems

Modern IT hacking 

q Select a vulnerability from the list of 

ICS-CERT advisories 

q Scan Internet to locate vulnerable 

devices 

q Exploit 

• E. Levere:, R. Wightman. Vulnerability Inheritance in Programmable Logic Controllers (GreHack‘13)

Discovery

Know the equipment 

Stripping column aka stripper

Process discovery 

What and how the 

process is producing 

How it is 

controlled 

How it is build 

and wired 

OperaCng and 

safety 

constraints 

Espionage, reconnaissance 

Target plant and third par1es

Espionage 

q Industrial espionage has started LONG Cme ago 

(malware samples dated as early as 2003)

Process discovery

Max economic damage? 

ReacCon 

Refinement 

Final 

product 

Requires input of subject ma:er experts

CC 

1 

PC 

TC 

LC 

2 

3 

LC 4 

PC 

5 

6 

TC 

7 

LC 

8 

TC 

9 

TC 

11 

LC 

12 

TC 

14 

TC 

16 

CC 

CC 17 

18 

TC 

19 

CC 

LC 

25 

20 

TC 

21 

TC 

LC 

LC 

24 

22 

23 

26 

15 

13 

10 

Understanding control structure 

Control 

loop

Control loop configuraCon

Understanding points and logic 

Programmable Logic Controller 

Ladder logic 

Piping and instrumentaCon diagram 

Pump in the plant

Understanding points and logic 

Programmable Logic Controller 

Ladder logic 

HAVEX: Using OPC, the malware 

component gathers any details about 

connected devices and sends them 

back to the C&C. 

Piping and instrumentaCon diagram 

Pump in the plant

Obtaining control != being in control 

Control Loop 

XMV{1} 

q Obtained controls might not be 

useful for a:ack goal 

q A:acker might not necessary be 

able to control obtained controls 

XMV{2} 

??? 

XMV{3}

Control 

Every acCon has a reacCon

Physics of process control 

Once hooked up together, physical components become related 

to each other by the physics of the process 

q How much does the process can be changed before 

releasing alarms or it shupng down?


%mol 

0.0752 

0.075 

0.0748 

0.0746 


0.0744 

0 2 4 6 8 

Hours 

%mol 


0.258 

0.256 

0.254 

0.252 

0.25 

0.248 

0.246 

0 1 2 3 4 5 6 7 8 

Hours 

158 


156 

154 

97.2 


C 

152 

97.15 

150 

148 

146 

0 1 2 3 4 5 6 7 8 

Hours 

C 

97.1 

97.05 

97 

0.85 


96.95 

0 2 4 6 8 

Hours 

Kmol/min 

0.84 

0.83 

160 

159.8 


0.82 

0.81 

0 1 2 3 4 5 6 7 8 

Hours 

159.6 

C 

159.4 

159.2 

159 

0 1 2 3 4 5 6 7 8 

Hours 

0.503 


0.502 

% 

0.501 

0.5 

0 1 2 3 4 5 6 7 8 

Hours


%mol 

0.0752 

0.075 

0.0748 

0.0746 


0.0744 

0 2 4 6 8 

Hours 

%mol 


0.258 

0.256 

0.254 

0.252 

0.25 

0.248 

0.246 

0 1 2 3 4 5 6 7 8 

Hours 

158 


156 

154 

97.2 


C 

152 

97.15 

150 

148 

146 

0 1 2 3 4 5 6 7 8 

Hours 

C 

97.1 

97.05 

97 

0.85 


96.95 

0 2 4 6 8 

Hours 

Kmol/min 

0.84 

0.83 

160 

159.8 


0.82 

0.81 

0 1 2 3 4 5 6 7 8 

Hours 

159.6 

C 

159.4 

159.2 

159 

0 1 2 3 4 5 6 7 8 

Hours 

0.503 


0.502 

% 

0.501 

0.5 

0 1 2 3 4 5 6 7 8 

Hours

Understanding process response 

• Control algorithm 

• Controller tuning 

• Sizing 

• Dead band 

• Flow proper1es 

• Equipment design 

• Process design 

• Control loops coupling 

• Opera1ng prac1ce 

• Control strategy 

Set point 

Controller 

Final control 

element 

Process 

Disturbance 

Transmi:er 

• Type 

• Dura1on 

• Sampling frequency 

• Noise profile 

• Filtering

Control loop ringing 

Vaporizer Pressure 

psia 

128 

127.99 

Amount of chemical entering 

the reactor 

0 0.02 0.04 0.06 0.08 

Hours 

Caused by a nega1ve real 

controller poles 

Makes process unstable and 

uncontrollable 

Ringing impact 

raCo 1: 150

Process control challenges 

q Process dynamic is highly non-linear (???) 

UNCERTAINTY! 

q Behavior of the process is known 

to the extent of its modelling 

o So to controllers. They cannot 

control the process beyond 

their control model 

C 

159.25 

159.2 

159.15 

159.1 

159.05 

Reactor exit temperature 

159 

0 1 2 3 4 5 6 7 8 

Hours 

This triggers alarms 

Non-liner response

Types of aQacks 

0.53 

Fresh O2 Feed 

Kmol/min 

0.52 

0.51 

Step aQack 

0.5 

0 5 10 15 20 

Hours 

Recovery Cme 

Magnitude of manipulaCon 

Deg C 

158 

156 

154 

152 

150 

148 

Periodic aQack 


146 

0 5 10 15 20 

Hours

Outcome of the control stage 

I am 163cm tall 

We should automate this process 

(work in progress)

Outcome of the control stage 

SensiCvity Magnitude of manipulaCon Recovery Cme 

High XMV {1;5;7} XMV {4;7} 

Medium XMV {2;4;6} XMV {5} 

Low XMV{3} XMV {1;2;3;6} 

Reliably useful controls

Alarm propagaCon 

To persist we shall not bring about alarms 

Alarm Steady state aQacks Periodic aQacks 

Gas loop 02 XMV {1} XMV {1} 

Reactor feed T XMV {6} XMV {6} 

Rector T XMV{7} XMV{7} 

FEHE effluent XMV{7} XMV{7} 

Gas loop P XMV{2;3;6} XMV{2;3;6} 

HAc in decanter XMV{2;3;7} XMV{3} 

The aQacker needs to figure out the marginal aQack 

parameters which (do not) trigger alarms

Fingerprints of plant dynamic behavior

Jason Larsen at S4x15: new triangles 

Process State Uncertainty 

B 

C 

Falling Slopes 

A 

Rising Slopes 

D 

B 

C 

A 

Falling Dead Time 

1A2A2B1B2C2D 

3A2A2B2C2D2A 

2B1C1D3B3C3D 

Process fingerprint 

Rising Dead Time 

Slopes: Most 

confident 

correlation

Damage

How to break things? 

AQacker needs one or more aQack scenarios to deploy 

in final payload 

q The least familiar stage to IT hackers 

o In most cases requires input of 

subject ma:er experts 

q Accident data is a good star1ng point 

o Governmental agencies 

o Plants’ own data bases

Why control before damage? 

Ethylene 

Reactants 

q Life1me 1-2 years 

q Low per-pass conversion 

o 15-35% for CH₃COOH and 8-10% for C2H4 

q Selec1vity ≈ 94,8% (C2H4) 

Product 

On purpose low 

Subjected to constant 

improvement 

Catalyst

Catalyst killers 

q Hot spots above 200C -> permanent deac1va1on 

o Lower ac1vity at T > 180C 

We were not able to rise temperature in 

the reactor and maintain it for long enough 

to cause damage to the catalyst 

Reactor with 

cooling tubes

Hacker unfriendly process 

q Target plant may not have been designed in a hacker 

friendly way 

o There may no sensors measuring exact values needed for 

the a:ack execu1on 

o The informa1on about the process may spread across 

several subsystems making hacker invading more devices

Measuring the process 

Chemical 

composiCon 

Analyzer 

Analyzer 

FT 

TT 

FT 

Analyzer 

• Reactor exit flowrate 

• Reactor exit temperature 

• No analyzer 

Analyzer 

Measuring 

here is too late

Technician vs. engineer 

Technician 

Engineer 

“It will eventually 

drain with the 

lowest holes loosing 

pressure last” 

“It will be fully 

drained in 20.4 

seconds and the 

pressure curve 

looks like this”

Technician answer 

Usage of proxy sensor 

160.5 

Reactor Exit Temperature 

C 

160 

159.5 

159 

158.5 

0 5 10 15 20 24 

Hours 

Reactor with cooling 

tubes 

q Only tells us whether reac1on rate increases or decreases 

q Is not precise enough to compare effec1veness of different a:acks

Quest for engineering answer 

q Code in the controller 

q Op1miza1on applica1ons 

q Test process/plant 

0,00073; 0,00016; 0,0007…

Engineering answer 

160.5 

Reactor Exit Temperature 

C 

160 

159.5 

159 

158.5 

0 5 10 15 20 24 

Hours 

0.9 

Vinyl Acetate producCon 

VAC Concentration 

Kmol/min 

0.85 

0.8 

0.75 

0.7 

0 500 1000 1500 

Minutes

Product loss 

Product per day: 96.000$ 

Product loss per day: 11.469,70$ 

Average Outflow [Kmol/min] 

12 

10 

8 

6 

4 

2 

0 

Reactor: Loss137.21 Kmol (11469.70 $) 

Normal reaction 

Under attack 

O2 Co2 C2H4 C2H6 VAc H2O HAc 

Chemicals

Outcome of the damage stage 

Product per day: 96.000$ 

Product loss, 24 hours Steady-state aQacks Periodic aQacks 

High, ≥ 10.000$ XMV {2} XMV {4;6} 

Medium, 5.000$ - 10.000$ XMV {6;7} XMV {5;7} 

Low, 2.000$ - 5.000$ - XMV {2} 

Negligible, ≤ 2.000$ XMV {1;3} XMV {1;2} 

SCll might be useful

Clean-up

Socio-technical system 

Operator 

• Maintenance stuff 

• Plant engineers 

• Process engineers 

• …. 

Controller 

Cyber-physical system

CreaCng forensics footprint 

q Process operators may get concerned aXer no1cing 

persistent decrease in produc1on and may try to fix 

the problem 

q If a:acks are 1med to a par1cular employee 

shiX or maintenance work, plant employee 

will be inves1gated rather than the process


1. Pick several ways that the temperature can be 

increased 

2. Wait for the scheduled instruments calibra1on 

3. Perform the first a:ack 

4. Wait for the maintenance guy being 

yelled at and recalibra1on to be 

repeated 

5. Play next a:ack 

6. Go to 4


163 

162 

Four different aQacks 

Reactor Temperature 

C 

160 

158 

157 

0 10 20 30 40 

Hours

DefeaCng chemical forensics 

q If reactor deemed malfunc1oning, chemical forensics will be 

asked to assist 

q Change aQack paQerns according to debugging 

efforts of plant personnel 

Efficiency [%] 

88 

86 

84 

82 

Reactor Average Efficiency Loss: 4.36 % 


Under attack 

Outflow [Kmol/min] 

0.8 

0.6 

0.4 

0.2 

Decanter 

Total Product: 429.04 Kmol (35865.28 $) 

VAc 

H2O 

HAc 

80 

0 200 400 600 800 

Time [minutes] 

0 

0 200 400 600 800 


Selectivity [%] 

89 

88 

87 

86 

Reactor Average Selectivity Loss: 2.73 % 


Under attack 

Conversion [%] 

40 

30 

20 

10 

Reactor Average Conversion Rates O2 30.67%;C2H4 9.81;HAc 29.06% 

O2 

C2H4 

HAc 

85 

0 200 400 600 800 


0 

0 200 400 600 800 

Time [minutes]

Data synchronizaCon and processing

ICCP 

Regulatory 

reporCng 

Just-in-Cme 

manufacturing 

Wireless 

links 

Access 

Operator’s 

screens 

Regulatory 

filings 

Point 

database 

Safety 

briefs 

Discovery 

Historian 

Small 

changes to 

the process 

RealCme 

data from 

sensors 

Safety 

systems 

Minimal 

process 

model 

Control 

Accident 

data 

SEC filings 

Process 

experts 

Custom 

research 

Custom 

operator 

spoofs 

WaiCng for 

unusual 

events 

Log 

tampering 

Forensic 

footprint 

Cleanup 

Damage 

Final Payload

A{erword

State-of-the-art of ICS security 

TCP/IP

Food for thought 

q Cost of aQack can quickly exceed cost of damage 

o Hacking into large number of devices 

o Suppression of alarms and process data spoofing 

o Badly behaved control loops , synchroniza1on of ac1ons 

q Each process is unique, but… 

o There are instances of a:acks applicable to wide range of 

scenarios 

o SCADA payloads for Metasploit is just a maQer of Cme

Thank you 

marina.krotofil@tuhh.de 

@marmusha 

Damn Vulnerable Chemical Process 

TE: h:p://github.com/satejnik/DVCP-TE 

VAM: h:p://github.com/satejnik/DVCP-VAM 

Thanksgiving: 

Jason Larsen for all collaboraCons

Marina Krotofil

Create successful ePaper yourself

Delete template?

Save as template?