"Man-in-the-SCADA:" Anatomy of Data Integrity Attacks in Industrial Control Systems

Presented at Black Hat Asia 2017, March 30, 2017, 2:15 p.m. (60 minutes)

There is a continuous evolving gap between SCADA/ICS attackers and the defenders. Once unauthorized access is gained to a control network or a piece of industrial equipment, an attack still needs to be performed. This is where the public literature falls short. This talk will discuss data integrity attacks in industrial sector through the eyes of the attacker. <br> <br> One would normally think that an analog inputs such as power line voltage or pressure in a pipeline are transmitted in SCADA/ICS network packets in a human-comprehensible way. In reality, these process measurements are scaled and transformed in totally different units each time the data traverse different electric circuits, protocol stacks, applications and DBs located at different layers of the Purdue reference architecture. <br> <br> This talk will consider a strategic attacker with a specific malicious goal in mind. When the attacker gets a privileged access and is able to intercept and modify the traffic, she/he needs to find a way to interpret SCADA/ICS data. For that the attacker will have to obtain user manuals, best practices, network architecture drawings, configuration files of sensors, RTUs, PLCs and SCADA DB's settings, and exercise A LOT OF ENGINEERING MATH. Only then the attacker will be able to make sense of the observed data units on the wire and perform targeted data manipulation attacks (instead of causing a nuisance). <br> <br> The talk will analyze real-world RTU-based power substation and DCS-based (petro)chemical plant configurations along with all the challenges that attackers must understand, such as selection of most beneficial network segment/piece of equipment, minimum amount of network and systems configuration analysis, etc. The goal of this talk is to educate the audience about real-world facility configurations and show what the attacker needs to do and why when executing data integrity attacks in Industrial Control Systems. Understanding attacker activities and challenges is crucial for planning further research activities and designing effective defensive approaches and solutions.

Presenters:

  • Marina Krotofil - Lead Cyber Security Researcher, Honeywell Industrial Cyber Security Lab
    Marina Krotofil is a Lead Cyber Security Researcher at the Honeywell Industrial Cyber Security Lab. Previously she worked as a Senior Security Consultant at the European Network for Cyber Security. Her research over the last few years has been focused on discovering unique attack vectors, design vulnerabilities, engineering damage scenarios and understanding attacker techniques when exploiting control systems. Marina authored more than 20 academic works and white papers on cyber-physical security. She gives workshops on cyber-physical exploitation and is a frequent speaker at the leading security events around the world. She holds MBA in Technology Management, MSc in Telecommunication and MSc in Information and Communication Systems.
  • Chris Sistrunk - Principal Consultant, Mandiant
    Chris Sistrunk is a Principal Consultant at Mandiant, focusing on cyber security for industrial control systems (ICS) and critical infrastructure. Prior to joining Mandiant, Chris was a Senior Engineer at Entergy (over 11 years) where he was the Subject Matter Expert (SME) for Transmission & Distribution SCADA systems. He has 10 years of experience in SCADA systems with tasks such as standards development, system design, database configuration, testing, commissioning, troubleshooting, and training. He was the co-overseer of the SCADA, relay, and cyber security labs at Entergy Transmission for 6 years. He is a Senior Member of IEEE, member of the DNP Users Group, President of Mississippi Infragard, and also is a registered PE in Louisiana. He holds a BS in Electrical Engineering and MS in Engineering and Technology Management from Louisiana Tech University. Chris also founded and organizes BSidesJackson, Mississippi's only cyber security conference.

Links:

Similar Presentations: