Damn Vulnerable Chemical Process

Marina Krotofil PHDays, Moscow, Russia Damn Vulnerable Chemical Process, vol.2 ENCS

Transcript of Damn Vulnerable Chemical Process

Page 1: Damn Vulnerable Chemical Process

Marina Krotofil

PHDays, Moscow, Russia, 29.06.2015

Damn Vulnerable Chemical Process, vol.2

ENCS

Page 2: Damn Vulnerable Chemical Process

Who I am

(Ex)Academic

Have been teaching security topics for 10 semesters

Prefer physics over web technologies

Most frequently asked question: HOW DID I LEARN ALL THESE THINGS??

Page 3: Damn Vulnerable Chemical Process

What this talk is about


Page 4: Damn Vulnerable Chemical Process

Industrial Control Systems

Physical application

Courtesy: Compass Security Germany GmbH

Page 5: Damn Vulnerable Chemical Process

Control loop

Physical process

Sensors: Measure process state

Control system: Computes control commands for actuators

Actuators: Adjust themselves to influence process behavior

Page 6: Damn Vulnerable Chemical Process

Converts analog signal into digital

Sensors pre-process the measurements

May send data directly to actuators

IP-enabled (part of the “Internet-of-Things”)

Computational element

Sensor

Smart instrumentation

Old generation temperature sensor

Page 7: Damn Vulnerable Chemical Process

Cyber-physical systems are IT systems “embedded” in an application in the physical world

Cyber-Physical Systems

Attack goals:
o Get the physical system in a state desired by the attacker
o Make the physical system perform actions desired by the attacker

Page 8: Damn Vulnerable Chemical Process

Promise from the vendors:

Expect instruments of the future to have multiple communication channels, each one with built-in security (LOL), much like a present-day Ethernet switch. These channels will be managed with IP addressing and server technology, allowing the instrument to become a true data server

Vendors

Instrumentation of the future

Page 9: Damn Vulnerable Chemical Process

Chemical plants

Source: simentari.com

Page 10: Damn Vulnerable Chemical Process

Here’s a plant. Go hack it.

Page 11: Damn Vulnerable Chemical Process

Damn Vulnerable Chemical Process, vol. 1

Compliance violation

Safety

Pollution

Contractual agreements

Production damage

Product quality and product rate

Operating costs

Maintenance efforts

Equipment damage

Equipment overstress

Violation of safety limits

Paracetamol

Purity    Price, EUR/kg
98%       1
99%       5
100%      8205

Source: http://www.sigmaaldrich.com/

Page 12: Damn Vulnerable Chemical Process

Here’s a plant. Go hack it.

Attack scenario: persistent economic damage

Page 13: Damn Vulnerable Chemical Process

Plants for sale

From LinkedIn

Page 14: Damn Vulnerable Chemical Process

Vinyl Acetate Monomer plant

Page 15: Damn Vulnerable Chemical Process

Stages of cyber-physical attacks


Page 16: Damn Vulnerable Chemical Process

Attack objective

Evil motivation

Cyber-physical payload

Page 17: Damn Vulnerable Chemical Process

Stages of SCADA attack

Control

Access

Discovery

Cleanup

Damage

Jason Larsen „Breakage“. Black Hat Federal, 2007

Page 18: Damn Vulnerable Chemical Process

Control

Access

Discovery

Cleanup

Damage

Stages of SCADA attack

Page 19: Damn Vulnerable Chemical Process

Control

Access

Discovery

Cleanup

Damage

Stages of SCADA attack

Page 20: Damn Vulnerable Chemical Process

Access


Page 21: Damn Vulnerable Chemical Process

Traditional IT hacking

• 1 0day
• 1 Clueless user

• AntiVirus and Patch Management
• Database Links
• Backup Systems

Page 22: Damn Vulnerable Chemical Process

Invading field devices

Jason Larsen at Black Hat’15 “Miniaturization”
o Inserting rootkit into firmware

[Diagram: water hammer in a pipe. Labels: Water flow; Valve; Valve closes; Shock wave; Reflected shock wave; Pipe; Physical movement]

Attack scenario: pipe damage with water hammer

Page 23: Damn Vulnerable Chemical Process

Discovery


Page 24: Damn Vulnerable Chemical Process

Process discovery

What and how the process is producing

How it is built and wired

How it is controlled

Espionage

Espionage, reconnaissance

Espionage, reconnaissance

Page 25: Damn Vulnerable Chemical Process

Process discovery

Page 26: Damn Vulnerable Chemical Process

Know the equipment

Stripping column

Stripper is...

Page 27: Damn Vulnerable Chemical Process

Refinement

Reaction

Max economic damage?

Final product

Page 28: Damn Vulnerable Chemical Process

Available controls

fixed

Page 29: Damn Vulnerable Chemical Process

Understanding points and logic

Piping and instrumentation diagram

Ladder logic

Programmable Logic Controller

Pump on the plant

Courtesy: Jason Larsen

Page 30: Damn Vulnerable Chemical Process

Available controls

Page 31: Damn Vulnerable Chemical Process

Available controls

Obtaining control is not being in control

Obtained control might not be useful for attack goal

Attacker might not necessarily be able to control obtained controls

WTF???

Page 32: Damn Vulnerable Chemical Process

Control


Page 33: Damn Vulnerable Chemical Process

Physics of process control

Once hooked up together, physical components become related to each other by the physics of the process

If we adjust a valve, what happens to everything else?
o Adjusting temperature also increases pressure and flow
o All the downstream effects need to be taken into account

How much can the process be changed before it raises alarms or shuts down?

Page 34: Damn Vulnerable Chemical Process

Process control challenges

Controller, Process

Transmitter

Final control element

Set point

Load, Operator practice, Control strategy

Tuning, Algorithm

Configuration

Sizing, Dead band

Flow properties, Equipment design, Process design

Sampling frequency, Filtering

Page 35: Damn Vulnerable Chemical Process

Process control challenges

Process dynamic is highly non-linear (???)

Behavior of the process is known only to the extent of its modelling
o So too for controllers. They cannot control the process beyond their control model

UNCERTAINTY!

Page 36: Damn Vulnerable Chemical Process

Control loop ringing

[Plot: Vaporizer Pressure (psia) vs. Hours]

Caused by negative real controller poles

Amount of chemical entering the reactor

Page 37: Damn Vulnerable Chemical Process

Types of attacks

Step attack

Periodic attack

Magnitude of manipulation

Recovery time

Page 38: Damn Vulnerable Chemical Process

Outcome of the control stage

Sensitivity    Magnitude of manipulation    Recovery time
High           XMV {1;5;7}                  XMV {4;7}
Medium         XMV {2;4;6}                  XMV {5}
Low            XMV {3}                      XMV {1;2;3;6}

Reliably useful controls

Page 39: Damn Vulnerable Chemical Process

Alarm propagation

Alarm              Steady state attacks    Periodic attacks
Gas loop O2        XMV {1}                 XMV {1}
Reactor feed T     XMV {6}                 XMV {6}
Reactor T          XMV {7}                 XMV {7}
FEHE effluent      XMV {7}                 XMV {7}
Gas loop P         XMV {2;3;6}             XMV {2;3;6}
HAc in decanter    XMV {2;3;7}             XMV {3}

Page 40: Damn Vulnerable Chemical Process

Damage


Page 41: Damn Vulnerable Chemical Process

Technician vs. engineer

Technician: “It will eventually drain with the lowest holes losing pressure last”

Engineer: “It will be fully drained in 20.4 seconds and the pressure curve looks like this”

„SCADA triangles: reloaded“. Jason Larsen, S4.

Page 42: Damn Vulnerable Chemical Process

Process observation

[Diagram: process observation points. Labels: Analyzer (four instances); FT; TT; Chemical composition; FT]

• Reactor exit flowrate
• Reactor exit temperature

Page 43: Damn Vulnerable Chemical Process

Technician answer

[Plot: Reactor Temperature (C) vs. Hours]

Reactor with cooling tubes

0,00073

0,00016

Page 44: Damn Vulnerable Chemical Process

Engineering answer

[Plot: Reactor Temperature (C) vs. Hours]

[Plot: VAM Concentration (Kmol/min) vs. Minutes]

Vinyl Acetate production

Page 45: Damn Vulnerable Chemical Process

Product loss

[Bar chart: "Reactor: Loss 137.21 Kmol (11469.70 $)". X-axis: Chemicals (O2, CO2, C2H4, C2H6, VAc, H2O, HAc); Y-axis: Average Outflow [Kmol/min]; series: Normal reaction, Under attack]

Product per day: 96.000$

Page 46: Damn Vulnerable Chemical Process

Outcome of the damage stage

Product loss, 24 hours        Steady-state attacks    Periodic attacks
High, ≥ 10.000$               XMV {2}                 XMV {4;6}
Medium, 5.000$ - 10.000$      XMV {6;7}               XMV {5;7}
Low, 2.000$ - 5.000$          -                       XMV {2}
Negligible, ≤ 2.000$          XMV {1;3}               XMV {1;2}

Product per day: 96.000$

Still might be useful

Page 47: Damn Vulnerable Chemical Process

Clean-up


Page 48: Damn Vulnerable Chemical Process

Socio-technical system

Operator

Controller

• Maintenance staff
• Plant engineers
• Process engineers
• ……

Cyber-physical system

Page 49: Damn Vulnerable Chemical Process

Creating forensics footprint

Process operators may get concerned after noticing a persistent decrease in production and may try to fix the problem

If attacks are timed to a particular maintenance work, plant employees will be investigated rather than the process

1. Pick several ways that the temperature can be increased
2. Wait for the scheduled instruments calibration
3. Perform the first attack
4. Wait for the maintenance guys being screamed at and recalibration to be repeated
5. Play next attack
6. Go to 4

Page 50: Damn Vulnerable Chemical Process

[Plot: Reactor Temperature (C) vs. Hours]

Creating forensics footprint

Four different attacks

Page 51: Damn Vulnerable Chemical Process

Defeating chemical forensics

[Plot: "Reactor Average Efficiency Loss: 4.36 %". Efficiency [%] vs. Time [minutes]; series: Normal reaction, Under attack]

[Plot: "Reactor Average Selectivity Loss: 2.73 %". Selectivity [%] vs. Time [minutes]; series: Normal reaction, Under attack]

[Plot: "Decanter Total Product: 429.04 Kmol (35865.28 $)". Outflow [Kmol/min] vs. Time [minutes]; series: VAc, H2O, HAc]

[Plot: "Reactor Average Conversion Rates O2 30.67%;C2H4 9.81;HAc 29.06%". Conversion [%] vs. Time [minutes]; series: O2, C2H4, HAc]

Page 52: Damn Vulnerable Chemical Process

Conclusion


Page 53: Damn Vulnerable Chemical Process

Defense opportunities

Better understanding the hurdles the attacker has to overcome
o Understanding what she needs to do and why
o Eliminating low hanging fruits
o Making exploitation harder

Wait for the attacker
o Certain access/user credentials need to be obtained
o Certain information needs to be gathered

Building attack-resilient processes
o Put mechanical protections (e.g. manual valve)
o By design (slow vs. fast valves)
o Hardening (adjusting control cycle and/or parameters)

Page 54: Damn Vulnerable Chemical Process

TE: http://github.com/satejnik/DVCP-TE

VAM: http://github.com/satejnik/DVCP-VAM

Marina Krotofil