Evil Bubbles or How to Deliver Attack Payload via the Physics of the Process

Presented at Black Hat USA 2017, July 27, 2017, 2:30 p.m. (50 minutes).

Until now, electronic communication has been considered the only avenue for delivering an attack payload. However, when it comes to cyber-physical systems, this assumption does not hold true. When field devices (sensors, valves, pumps, etc.) are inserted into the process, they become related to each other by the physics of the process. The physical process is a communication medium for equipment and can be leveraged to deliver a malicious payload even if the devices are segregated electronically. Sensors, valves, safety systems on an isolated network, and analog equipment are all vulnerable to this attack vector.

In the proposed scenario, an analog pump is damaged by a targeted manipulation of the upstream valve positioner, evoking a cavitation process. The final attack payload is delivered to the pump in the form of cavitation bubbles over the liquid flow. We will show the damage scenario "in action" with a physical demo on stage. To make things complicated for the defender, we will forge the valve positioner sensor signal to hide the attack from the operator and to confuse the operator about the true cause of the process upset.

The second part of the talk will deal with the detection of this attack. After all, it is bad form to introduce a problem without having a remedy. Forged sensor signals cannot be detected with any traditional IT security methods. The detection has to take the form of process data plausibility and consistency checks. By monitoring the health of the pump we will be able to figure out the ongoing detrimental state of the process and accurately determine the ongoing cavitation process and its likely cause, all with a live demo on stage.

By the end of this talk the audience will recognize that security and safety zoning should expand all the way into the physical process (to consider the interaction of equipment via the physical process).
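
A sketch of the kind of process-data consistency check the abstract calls for, added here as an illustration and not taken from the talk or the presenters' demo. It assumes an equal-percentage control valve with the standard liquid sizing relation Q = Cv * sqrt(dP / SG); every parameter, threshold and sample value is constructed.

```python
import math

# All plant parameters below are assumed for illustration; none come from the talk.
CV_MAX = 50.0           # valve flow coefficient fully open (US gpm per sqrt(psi))
RANGEABILITY = 50.0     # equal-percentage characteristic: Cv = CV_MAX * R**(x - 1)
SPECIFIC_GRAVITY = 1.0  # water
TOLERANCE = 0.15        # allowed relative mismatch, expected vs. measured flow
MIN_SAMPLES = 3         # consecutive violations required before alarming


def expected_flow(position, dp_psi):
    """Flow (gpm) implied by reported valve position (0..1) and measured pressure drop."""
    cv = CV_MAX * RANGEABILITY ** (position - 1.0)
    return cv * math.sqrt(max(dp_psi, 0.0) / SPECIFIC_GRAVITY)


def check_consistency(samples):
    """Return sample indices at which the position signal is judged implausible."""
    alarms, streak = [], 0
    for i, (position, dp_psi, flow_gpm) in enumerate(samples):
        expected = expected_flow(position, dp_psi)
        residual = abs(flow_gpm - expected) / max(expected, 1e-6)
        streak = streak + 1 if residual > TOLERANCE else 0
        if streak >= MIN_SAMPLES:  # debounce: ignore short transients
            alarms.append(i)
    return alarms


# Constructed samples: (reported position, measured dP in psi, measured flow in gpm).
SAMPLES = [
    (0.80, 4.0, 45.5), (0.80, 4.1, 46.6), (0.80, 4.0, 44.9),  # normal operation
    (0.80, 4.0, 37.0),                                        # one-sample glitch
    (0.80, 4.0, 45.8),                                        # back to normal
    # Position still reads 0.80, but dP and flow match a valve near 0.40.
    (0.80, 25.0, 24.1), (0.80, 25.2, 23.8), (0.80, 24.9, 24.0), (0.80, 25.0, 23.9),
]

if __name__ == "__main__":
    print("implausible position signal at samples:", check_consistency(SAMPLES))
```

The check relies on flow and pressure measurements that are independent of the positioner signal; if those share a trust path with the forged signal, the residual carries no information.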


Presenters:

  • Marina Krotofil - Lead Cyber Security Researcher, Honeywell
    Marina Krotofil is Lead Security Researcher at the Honeywell Cyber Security Lab. Previously she worked as a Senior Security Consultant at the European Network for Cyber Security. Her research over the last few years has been focused on discovering unique attack vectors, design vulnerabilities, engineering damage scenarios and understanding attacker techniques when exploiting control systems. Marina has authored more than 20 academic works and white papers on cyber-physical security. She gives workshops on cyber-physical exploitation and is a frequent speaker at leading security events around the world. She holds an MBA in Technology Management, an MSc in Telecommunication and an MSc in Information and Communication Systems.
