Vulnerabilities / Threats

1/14/2015
05:11 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Anatomy Of A 'Cyber-Physical' Attack

Inflicting major or physical harm in ICS/SCADA environments takes more than malware.

S4x15 Conference — The real threat to a power or manufacturing plant isn't the latest vulnerability or malware variant. 

"If you only consider hackers, you don’t have to be concerned that much. They won't be able to take down a power grid or blow up chemical facilities," says Ralph Langer, founder of Langner Communications and a top Stuxnet expert. The danger is when attackers have an understanding of the physical and engineering aspects of the plant or site they are targeting, he says.

"We have not seen a lot of cyber-physical attacks in the past to actually cause much damage. That requires skillsets that have nothing to do with hacking," says Langner.

Stuxnet, of course, was the first known example of a cyber-physical attack. Its mission was to derail the uranium enrichment process at Iran's Natanz nuclear facility by sabotaging the associated centrifuges.

"So we can conclude at this time that there are organizations out there already who understand this and have mastered this [cyber-physical attack model], more than like nation-states," Langner says. But that knowledge ultimately will spread more widely, he says.

Langner predicts exploit tools will emerge for attack power grids, for example, as the methodologies known by nation-states proliferate. "That's what concerns me."

Bryan Singer, principal investigator at Kenexis Security Corp., teamed up with chemical engineer Lily Glick at his company to demonstrate just what it would take to execute a remote physical attack on a power plant or manufacturing plant floor. "Software vulnerabilities are of no use if want the maximum scenario. You need to know the engineering protocols" of the targeted site, Singer said here today in a presentation.

An attacker would need to have some knowledge of the control systems running in the plant and how the process -- such as vodka distillation, which Singer and Glick featured as an example in their presentation -- works. So process control operators can't merely rely on vulnerability assessment to secure these systems, according to Singer.

That doesn't mean an attacker needs to actually have engineering expertise, however. The attacker could glean intelligence from open-source information on ICS products as well as acquire inside intelligence about the plant itself, either by stealing plant engineering diagrams or information remotely, or even by schmoozing a plant engineer.

"You could social-engineer an engineer," notes Chris Sistrunk, a senior consultant in the ICS practice at Mandiant, a FireEye company.

[ICS/SCADA systems and networks hackable but not easily cyber-sabotaged without industrial engineering know-how, experts say. Read ISIS Cyber Threat To US Under Debate.]

Other methods of reconnaissance, such as surveillance, or attacking the plant's third-party suppliers, such as systems integrators or vendors, are possible, Singer says. RFPs are also a treasure trove of intel, he says. "They're never going to touch one of those systems until they absolutely have to -- to decrease their chances of getting caught," he says.

The first phase of the actual attack could be compromising a workstation to mimic HMI traffic, for example, he says.

Singer showed how an attacker could mess with pressure release valves to release more steam from the distillation columns, for instance, or close off the valves to decrease the steam, both of which would have a financial impact on the plant.

ICS/SCADA environments are known for being well-prepared for physical safety issues, such as fires or explosions, but mostly from physical events caused by random hardware malfunction or failures -- not due to cyberattacks.

"The way we used to approach hazard analysis misses the malicious component," Langner says. "This opens up a completely new state" of hardware failure, he says. Namely, malicious attackers are more likely to make the process control systems "misbehave" while remaining operational -- much like Stuxnet aimed to do.

The key, Langner says, is to identify any possible direct paths from the cyber side to the physical side of the plant, such as a smart sensor, for example. "This has nothing to do with a buffer overflow in a web server," he says. "If you're able to compromise these 'waypoints,' it's an entry point to physical control."

He points to the MKS PR4000 calibration system attached to pressure sensors in the Natanz plant that tracked the pressure readings of the centrifuges. Langner theorizes the attackers behind Stuxnet manipulated those calibration systems so the plant workers didn't see the real pressure readings that would have flagged  the problems with the devices early on.

"The MKS manual for the product shows how you can calibrate the sensors, by sending [a] command to that box. If you simply use a malicious calibration profile, the sensor never shows that it's above the threshold," he says. "I'm very confident this did happen" in the Stuxnet attack.

Langner says the sophisticated attacker would know when to attack as well to ensure maximum impact. "They would consider certain points in time when the attack would be more effective, or the process or facility more vulnerable," he says, such as when first powering up a nuclear power plant.

"We need to start thinking beyond attackers. If we consider professional engineers working on it, this is how they would go about it," says Langner, who on Friday will give a presentation on this. "I call it cyber-physical attack engineering... We'd better figure it out quickly for the defense."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kaytana22
50%
50%
Kaytana22,
User Rank: Apprentice
1/29/2015 | 1:03:58 PM
Hmmm
     It is only a matter of time really, the 'hacktivists' responsible are only going to get better at this. Sooner or later there is going to be a breach and things are going to get very messy. I was just talking to my husband about what would happen if they actually got into the system where they can cause a total shutdown or even an explosion of some kind. It always seems that no matter how good our system securities are, there is always someone out there that is better. I just hope we have the people to combat this threat and keep up on it, to keep people out of the places that we don't want them to be in.

-M. Cummings
SgS125
50%
50%
SgS125,
User Rank: Ninja
1/15/2015 | 3:45:33 PM
Wrench in the works
Reminds me of engineers talking about how they had to add bullet proof steel to electrical transformers because hill billys kept shooting holes in them with high power rifles.  Where there is a will.......

 

Or when striking workers at the meat packing plant simply cut the conveyor belts and left the plant.

 

Always a risk no matter where the "attack" comes from.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/15/2015 | 12:10:39 PM
Re: Interesting
The physical barrier is significant. But it does make social engineering a much more serious risk..
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
1/15/2015 | 10:45:52 AM
Interesting
It's very interesting to see that some of the stuff that science-fiction warned us about hackers, is potentially possible as hardware becomes smarter and more connected than ever before.

However, here's hoping that the world catches up to taking security seriously enough that only the most determined - and therefore potentially the most likely culprits - will be able to achieve some of the physical barrier crossings that you described. 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.