Remote Physical Damage 101 - Bread and Butter Attacks

Black Hat USA 2015

Presented by: Jason Larsen
Date: Thursday August 06, 2015
Time: 09:00 - 09:25
Location: Mandalay Bay BCD

It is possible to physically damage equipment through purely cyber means. Most of the time the attacker takes advantage of something specific to the CyberPhysical System (CPS) thats being targeted. As an example mixing in a cleaning agent during a production cycle can cause an unwanted chemical reaction. Attacking software has been described as "unexpected computation". Attacking a process is all about "unexpected physics."

Finding and exploiting process-specific flaws generally takes subject matter expertise in the victim process. However, there are some generic attacks that can be applied in a wide range of scenarios. I call these bread and butter attacks. They take advantage of common configurations of valves, pumps, pipe, etc. to achieve damage to the process. These scenarios can be used as a basis for a first look in a process audit. During a full audit, a subject matter expert will still need to be consulted.Nearly the entire budget for security processes from cyber attack is spent attempting to keep an attacker from gaining code execution in the process control network. This is roughly equivalent to the early 2000s where the industry attempted to find every possible buffer overflow in code. In 2015 were still finding them regularly. It wasn't until ALSR and DEP were introduced that defenders started making attacker work harder. In process control networks, defending the network is still key, but adding a few physical controls can greatly reduce the effectiveness of an attacker. It is hoped that this presentation can help stimulate discussion on how attacker can be mitigated after code execution is already achieved.

Jason Larsen

Having spent the last decade working on the security the critical infrastructure, Jason Larsen can definitely say he was hacking SCADA systems before it was cool. Jason works in the technical aspects of hacking critical infrastructure and lives in the bits and bytes of control systems. His specialty is remote physical damage. Prior to returning to IOActive, Jason worked for the Idaho National Labs where he performed security assessments of the software that runs the critical infrastructure. Over his tenure there he did full assessments of all of the major power control systems vendors including GE, Siemens, Areva, ABB, and others. In addition to laboratory tests, he has performed live penetrations of power grids in multiple countries resulting in control of electric power for a short period of time. Other sectors include chemical manufacturing, pharmaceuticals, petroleum, and water. Before his career in SCADA security Mr. Larsen bounced between a number of other fields. Some of the random jobs of note include modelling neutron beams for use in treating brain tumors, writing software to analyze nerve impulses, writing one of the first intrusion prevention systems, the analyst of last resort for critical infrastructure malware, and two years on the Window 7 penetration testing team.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats