Presented at 31C3 (2014)
Dec. 29, 2014, 12:45 p.m.
So you want to author the next Stuxnet (or something even cooler). Here is the recipe for success: forget what you know about cyber security. When an attack transitions from control of a digital system to control of a physical process, physics and time become the governing factors instead of the digital rules encoded in your microcontroller.
The holy CIA triad is meaningless in the physical world. A process that is still running but no longer controllable is not really available; process dynamics do not stop simply because the controlling equipment is DoSed; electronically segregated components can still communicate over physical media (the process itself); and a physical phenomenon can be measured terribly wrongly (so that the wrong measurement is proudly delivered to the digital application in a totally secure way). Where physics plays the governing role, IT security concepts are rendered useless.
Please welcome a new arrival in the "damn"-frameworks series: Damn Vulnerable Chemical Process. Come to the lecture and learn what it takes to exploit a physical process: how to find vulnerabilities and how to exploit them at minimal cost and with maximum impact. Be astonished by the gazillion uncertainties you will have to face on your way to a disruptive goal, and realize that TIME is the ONLY thing that matters when designing your attack.
Make sure to visit your local library and refresh your knowledge of physics, chemistry, mechanics, control theory, signal processing and algorithms. The lecture will teach you how to apply this knowledge in the exciting world of cyber-physical exploitation.
Attackers and researchers have shown numerous ways to compromise and control the digital systems involved in process control (plants, grids, cars). Little information is available on what to actually do with those controls once you have them. A single bit flip can engage the burner under a tank of chemicals, but the reaction will still take hours to complete regardless of the state of the controller outputs. Changing the outputs does not immediately put the process into a vulnerable state. An attacker needs to take into account the timing and state of the system and act when the process is in a vulnerable state.
Designing an attack on a cyber-physical system leads to unconventional hacking and interesting computer science challenges. For example, a DoS attack on the controls in the physical domain does not stop the process dynamics. In fact, if timed wisely, a DoS attack allows manipulation of the process at will. Whoever thinks that cryptography will save the world is wrong: authentication guarantees that a delivered message is genuine, but it does nothing about a message that never arrives. Due to the specifics of control principles and their implementation in the equipment, DoS attacks allow manipulation of process controls even if the communication is authenticated.
Using the example of DoS attacks on controller inputs and outputs at the level of communication links, the lecture will take the audience through all the stages and details of (i) designing and (ii) implementing such attacks to cause physical damage. The experiments are conducted on a realistic model of a chemical plant used in process engineering research.
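Added illustration (not code from the talk, nor the Damn Vulnerable Chemical Process model): a toy Python simulation of a level-controlled tank whose PI controller talks to its level sensor and inlet valve over a network. The plant, controller gains, timings and the "hold last value" fallback on both links are assumptions made up for this example. It shows the two points above: the same ten-step DoS on an authenticated link either overflows the tank or does nothing at all, depending solely on the state the process is in when the packets stop, and it makes little difference whether you drop the controller's input (sensor readings) or its output (valve commands).

```python
"""Toy model of a level-controlled tank under a link-level DoS.

Constructed illustration: plant, controller gains and timings are made-up
assumptions, not the model or the attack from the talk.  Both the sensor
link (controller input) and the valve link (controller output) are assumed
to "hold the last value" when no fresh packet arrives, a common fallback in
field equipment.  The network is assumed to be authenticated: the attacker
forges nothing, it only drops traffic.
"""
from dataclasses import dataclass, field
from typing import Optional

DT = 1.0            # seconds per simulation step
TANK_MAX = 10.0     # m; a level above this means the tank overflows
SETPOINT = 6.0      # m; level the operator wants to hold
MAX_INFLOW = 1.5    # m per step with the inlet valve fully open
OUTFLOW = 0.5       # m per step drawn off by a constant downstream demand


@dataclass
class PIController:
    """Discrete PI controller that outputs an inlet valve opening in [0, 1]."""
    kp: float = 0.6
    ki: float = 0.05
    integral: float = 0.0

    def update(self, measurement: float) -> float:
        error = SETPOINT - measurement
        self.integral += error * DT
        u = self.kp * error + self.ki * self.integral
        return min(1.0, max(0.0, u))    # actuator saturates at fully open/closed


@dataclass
class Result:
    peak: float
    overflowed: bool
    levels: list = field(default_factory=list)


def simulate(steps: int = 80, dos_start: Optional[int] = None, dos_len: int = 0,
             target: str = "sensor", level0: float = 2.0) -> Result:
    """Run the control loop.  During [dos_start, dos_start + dos_len) the
    chosen link ("sensor" or "actuator") delivers nothing, so its receiver
    keeps acting on the last value it got.  The physics runs every step."""
    ctrl = PIController()
    level = level0
    seen_level = level0        # last measurement the controller received
    applied_opening = 0.0      # last command the valve received
    res = Result(peak=level0, overflowed=False)
    for t in range(steps):
        in_dos = dos_start is not None and dos_start <= t < dos_start + dos_len
        if not (in_dos and target == "sensor"):
            seen_level = level                 # measurement packet delivered
        commanded = ctrl.update(seen_level)
        if not (in_dos and target == "actuator"):
            applied_opening = commanded        # command packet delivered
        # The process does not care whether the network is up.
        level = max(0.0, level + (applied_opening * MAX_INFLOW - OUTFLOW) * DT)
        res.levels.append(level)
        res.peak = max(res.peak, level)
        if level > TANK_MAX:
            res.overflowed = True
    return res


if __name__ == "__main__":
    for target in ("sensor", "actuator"):
        early = simulate(dos_start=2, dos_len=10, target=target)   # tank still filling
        late = simulate(dos_start=60, dos_len=10, target=target)   # loop settled at setpoint
        print(f"{target:8s} DoS while filling: peak={early.peak:.2f} overflow={early.overflowed}")
        print(f"{target:8s} DoS at setpoint:   peak={late.peak:.2f} overflow={late.overflowed}")
```

Run it and compare the two lines per target: the DoS that starts while the valve is wide open and the tank is still filling lets the level run straight past the rim, while an identical DoS that starts once the loop sits at the setpoint leaves the level where it was. Authentication is irrelevant here because no message is forged; the controller and the valve simply keep acting on the last genuine value they received while the physics carries on.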
I am about to complete my PhD at Hamburg University of Technology and am about to start my job at the European Network for Cyber Security to help the industrial world thwart attacks on their operational goals. My research over the last few years has been focused on the design and implementation of cyber-physical attacks aiming at both physical and economic damage. I am not only destructive but also use my knowledge to design process-aware defensive solutions and risk assessment approaches. During my PhD I collaborated with industry as well as with cool dudes from the hacking community. I regularly give talks and workshops at the leading industrial events worldwide.