damn vulnerable chemical process, vol.2 marina krotofil · pdf filenegligible, ≤ 2.000$ xmv...
TRANSCRIPT
![Page 1: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/1.jpg)
Marina Krotofil
PHDays, Moscow, Russia
29.06.2015
Damn Vulnerable Chemical Process, vol.2
ENCS
![Page 2: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/2.jpg)
Who I am
(Ex)Academic
� Have been teaching security topics
for 10 semesters
� Prefer physics over web
technologies
� Most frequently asked question:
HOW DID I LEARN ALL THESE
THINGS??
![Page 3: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/3.jpg)
What this talk about
ENCS
![Page 4: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/4.jpg)
Industrial Control Systems
Physical
application
Curtesy: Compass Security Germany GmbH
![Page 5: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/5.jpg)
Control loop
Actuators
Control
system
Physical process
Sensors
Measure process
state
Computes control commands for
actuators
Adjust themselves to influence
process behavior
![Page 6: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/6.jpg)
� Converts analog signal into digital
� Sensors pre-process the measurements
� May send data directly to actuators
� IP-enabled (part of the “Internet-of-Things”)
Computational
element
Sensor
Smart instrumentation
Old generation
temperature sensor
![Page 7: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/7.jpg)
� Cyber-physical systems are IT systems “embedded” in an
application in the physical world
Cyber-Physical Systems
� Attack goals:
o Get the physical system in a state
desired by the attacker
o Make the physical system perform
actions desired by the attacker
![Page 8: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/8.jpg)
Promise from the vendors:
Expect instruments of the future
to have multiple communication
channels, each one with built-in
security (LOL), much like a present-
day Ethernet switch. These
channels will be managed with IP
adressing and server technology,
allowing the instrument to
become a true data server
VendorsVendorsVendors
Instrumentation of the future
![Page 9: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/9.jpg)
Chemical plants
Source: simentari.com
![Page 10: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/10.jpg)
Here’s a plant. Go hack it.
![Page 11: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/11.jpg)
Damn Vulnerable Chemical Process, vol. 1
Compliance violation
� Safety
� Pollution
� Contractual agreements
Production damage
� Product quality and
product rate
� Operating costs
� Maintenance efforts
Equipment damage
� Equipment overstress
� Violation of safety limits
Purity Price, EUR/kg
98% 1
99% 5
100% 8205
Paracetamol
Source: http://www.sigmaaldrich.com/
![Page 12: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/12.jpg)
Here’s a plant. Go hack it.
Attack scenario: persistent economic damage
![Page 13: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/13.jpg)
Plants for sale
From LinkedIn
![Page 14: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/14.jpg)
Vinyl Acetate Monomer plant
![Page 15: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/15.jpg)
Stages of cyber-physical attacks
ENCS
![Page 16: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/16.jpg)
Attack objective
Evil
motivation
Cyber-physical
payload
![Page 17: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/17.jpg)
Stages of SCADA attack
Control
Access
DiscoveryCleanup
Damage
Jason Larsen „Breakage“. Black Hat Federal, 2007
![Page 18: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/18.jpg)
Control
Access
DiscoveryCleanup
Damage
Stages of SCADA attack
![Page 19: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/19.jpg)
Control
Access
DiscoveryCleanup
Damage
Stages of SCADA attack
![Page 20: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/20.jpg)
Access
ENCS
![Page 21: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/21.jpg)
Traditional IT hacking
• 1 0day
• 1 Clueless user
• AntiVirus and Patch Management
• Database Links
• Backup Systems
![Page 22: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/22.jpg)
Invading field devices
� Jason Larsen at Black Hat’15 “Miniaturization”
o Inserting rootkit into firmware
Attack scenario: pipe damage with
water hammer
![Page 23: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/23.jpg)
Discovery
ENCS
![Page 24: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/24.jpg)
Process discovery
What and how the
process is producing
How it is build and
wired
How it is controlledEspionage
Espionage,
reconnaissance
Espionage,
reconnaissance
![Page 25: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/25.jpg)
Process discovery
![Page 26: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/26.jpg)
Know the equipment
Stripping columnStripper is...
![Page 27: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/27.jpg)
RefinementReaction
Max economic damage?
Final
product
![Page 28: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/28.jpg)
Available controls
fixed
![Page 29: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/29.jpg)
Understanding points and logic
Piping and instrumentation diagram
Ladder logicProgrammable Logic Controller
Pump on the plantCourtesy: Jason Larsen
![Page 30: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/30.jpg)
Available controls
![Page 31: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/31.jpg)
Available controls
� Obtaining control is not being in
control
� Obtained control might not be
useful for attack goal
� Attacker might not necessary be
able to control obtained controls
WTF???
![Page 32: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/32.jpg)
Control
ENCS
![Page 33: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/33.jpg)
Physics of process control
� Once hooked up together, physical components they
become related to each other by the physics of the process
� If we adjust one a valve what happens to everything else?
o Adjusting temperature also increases pressure and flow
o All the downstream effects need to be taken into account
� How much does the process can be changed before releasing
alarms or it shutting down?
![Page 34: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/34.jpg)
Process control challenges
Controller Process
Transmitter
Final control element
Set point
Load
Operator practice
Control strategy
Tuning
Algorithm
Configuration
Sizing
Dead band
Flow properties Equipment design
Process design
Sampling frequency
Filtering
![Page 35: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/35.jpg)
Process control challenges
� Process dynamic is highly non-linear (???)
� Behavior of the process is known to the extent of its modelling
o So to controllers. They cannot control the process beyond their
control model
UNCERTAINTY!
![Page 36: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/36.jpg)
Control loop ringing
Caused by a negative real
controller poles
Amount of chemical entering
the reactor
![Page 37: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/37.jpg)
Types of attacks
Step attack
Periodic attack
Magnitude of manipulation
Recovery time
![Page 38: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/38.jpg)
Outcome of the control stage
Sensitivity Magnitude of manipulation Recovery time
High XMV {1;5;7} XMV {4;7}
Medium XMV {2;4;6} XMV {5}
Low XMV{3} XMV {1;2;3;6}
Reliably useful controls
![Page 39: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/39.jpg)
Alarm propagation
Alarm Steady state attacks Periodic attacks
Gas loop 02 XMV {1} XMV {1}
Reactor feed T XMV {6} XMV {6}
Rector T XMV{7} XMV{7}
FEHE effluent XMV{7} XMV{7}
Gas loop P XMV{2;3;6} XMV{2;3;6}
HAc in decanter XMV{2;3;7} XMV{3}
![Page 40: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/40.jpg)
Damage
ENCS
![Page 41: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/41.jpg)
“It will eventually
drain with the
lowest holes loosing
pressure last”
“It will be fully
drained in 20.4
seconds and the
pressure curve
looks like this”
Technician Engineer
Technician vs. engineer
„SCADA triangles: reloaded“. Jason Larsen, S4.
![Page 42: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/42.jpg)
Process observation
An
aly
zato
r
An
aly
zato
r
An
aly
zato
r
An
aly
zato
r
• Reactor exit flowrate
• Reactor exit temperature
FTTT
Chemical composition
FT
![Page 43: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/43.jpg)
Technician answer
Reactor with cooling
tubes
0,00073
0,00016
![Page 44: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/44.jpg)
Engineering answer
Vinyl Acetate production
![Page 45: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/45.jpg)
Product loss
Product per day: 96.000$
,
![Page 46: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/46.jpg)
Outcome of the damage stage
Product loss, 24 hours Steady-state attacks Periodic attacks
High, ≥ 10.000$ XMV {2} XMV {4;6}
Medium, 5.000$ -
10.000$
XMV {6;7} XMV {5;7}
Low, 2.000$ - 5.000$ - XMV {2}
Negligible, ≤ 2.000$ XMV {1;3} XMV {1;2}
Product per day: 96.000$
Still might be useful
![Page 47: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/47.jpg)
Clean-up
ENCS
![Page 48: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/48.jpg)
Socio-technical system
• Maintenance stuff
• Plant engineers
• Process engineers• ……
Cyber-physical system
![Page 49: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/49.jpg)
Creating forensics footprint
� Process operators may get concerned after noticing persistent decrease in production and may try to fix the problem
� If attacks are timed to a particular maintenance work, plant employee will be investigated rather than the process
1. Pick several ways that the temperature can be increased
2. Wait for the scheduled instruments calibration
3. Perform the first attack
4. Wait for the maintenance guys being screamed at
and recalibration to be repeated
5. Play next attack
6. Go to 4
![Page 50: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/50.jpg)
Creating forensics footprint
Four different attacks
![Page 51: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/51.jpg)
Defeating chemical forensics
![Page 52: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/52.jpg)
Conclusion
ENCS
![Page 53: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/53.jpg)
Defense opportunities
� Better understanding the hurdles the attacker has to
overcome
o Understanding what she needs to do and why
o Eliminating low hanging fruits
o Making exploitation harder
� Wait for the attacker
o Certain access/user credentials need to be obtained
o Certain information needs to be gathered
� Building attack-resilient processes
o Put mechanical protections (e.g. manual valve)
o By design (slow vs. fast valves)
o Hardening (adjusting control cycle and/or parameters)
![Page 54: Damn Vulnerable Chemical Process, vol.2 Marina Krotofil · PDF fileNegligible, ≤ 2.000$ XMV {1;3} XMV {1;2} Product per day: 96.000$ Still might be useful. Clean-up ENCS. Socio-technical](https://reader031.vdocuments.mx/reader031/viewer/2022030422/5aa9f5a77f8b9a72188d909a/html5/thumbnails/54.jpg)
TE: http://github.com/satejnik/DVCP-TE
VAM: http://github.com/satejnik/DVCP-VAM
Marina Krotofil
ENCS
Damn Vulnerable Chemical Process