Miniaturization

Presented at Black Hat USA 2014, Aug. 7, 2014, 2:15 p.m. (60 minutes).

Too often researchers ignore the hard parts of SCADA hacking. Too many presentations could be described as "I got past the SCADA firewall so I win!!!" Little information is available on what to do after the attacker gains control of the process. As a challenge, consider the scenario where I just gave you control of a paint factory. Now what? The answer to that question is often specific to the process, but there are a number of generic techniques that can be discussed. Often, designing an attack leads to interesting hacking and computer science challenges. Miniaturization is one of those problems. Suppose an attacker wanted to hide in a PLC. Suppose he wanted to hide all the way down in a pressure sensor. Is such a thing possible? The attack must be miniaturized to fit within the constraints of the embedded device and may need to be miniaturized into just a few kilobytes of memory. This is an interesting problem. The sensor has only a few kilobytes of memory and the attacker has a number of tasks to perform. During the attack he must spoof the original process to keep the operator happy. He must estimate the state of the physical process by extracting artifacts from noisy sensor signals. He must also process those artifacts to extract the necessary constants to perform an attack. In order to keep the presentation real and understandable, it will walk through setting up an optimal pressure transient in a chemical piping system (commonly referred to as a water hammer). A set of novel algorithms will be described that would allow someone to pull off such an attack. A variant of "runs analysis" taken from statistics will be used to produce nearly perfect sensor noise without a previous look at the sensor. An algorithm derived from 3D graphics will be used to extract artifacts from noisy sensor data. Finally, scale-free geometry matching techniques will be used to process the artifacts into the time constants needed to pull off an attack.

Presenters:

  • Jason Larsen - IOActive
    Having spent the last decade working on the security of critical infrastructure, Jason Larsen can definitely say he was hacking SCADA systems before it was cool. Jason works in the technical aspects of hacking critical infrastructure and lives in the bits and bytes of control systems. His specialty is remote physical damage. Prior to returning to IOActive, Jason worked for the Idaho National Labs, where he performed security assessments of the software that runs the critical infrastructure. Over his tenure there he did full assessments of all of the major power control systems vendors, including GE, Siemens, Areva, ABB, and others. In addition to laboratory tests he has performed live penetrations of power grids in multiple countries, resulting in control of electric power for a short period of time. Other sectors include chemical manufacturing, pharmaceuticals, petroleum, and water. Before his career in SCADA security, Mr. Larsen bounced between a number of other fields. Some of the random jobs of note include modeling neutron beams for use in treating brain tumors, writing software to analyze nerve impulses, writing one of the first intrusion prevention systems, serving as the analyst of last resort for critical infrastructure malware, and two years on the Windows 7 penetration testing team.