Black Hat: Drone ICS Attack Possible

Monday, August 8, 2016 @ 09:08 AM gHale

By Gregory Hale
It may sound far-fetched, but in this day of advanced aerial technology it is possible for a drone to attack an industrial installation.

That was the conclusion during a Wednesday briefing at Black Hat USA 2016 in Las Vegas by Jeff Melrose, senior principal technical specialist at Yokogawa, in his presentation entitled, “Drone Attacks on Industrial Wireless A New Front in Cyber Security.”


Yes, the industry is aware of physical security issues and aware of cyber security issues, but the combination of the two, cyber-physical security, is becoming more of an issue. Cyber-physical systems are “smart” systems built from co-engineered, interacting networks of physical and computer components, Melrose said.

What comes into play is that drone technology is becoming more advanced, and using a drone as a surveillance tool or as a weapon is becoming more practical.

“It doesn’t take a whole lot for people to operate the drones,” Melrose said. “It is really easy.”

At one point, Melrose showed a video of a drone following a person around a field; it had no problem keeping up with the person or changing course whenever the person changed direction.

Melrose described two assumptions that plant security has traditionally rested on:
• An adversary needs to be in physical proximity to do major harm
• Physical security can end up minimal inside the plant boundary

However, he said, drone reality undermines both:
• Drones let an adversary attack from a long distance; even a hobby drone can travel 3 miles
• Drones can tailgate workers as easily as people can, and there are now drones that navigate easily inside buildings

Melrose went into a discussion of electronic warfare, but the long and short of it is that an attacker can build a disruptor for wireless systems and wreak havoc on an industrial facility. He described four incidents in which wireless systems ended up jammed, deliberately or otherwise:

1. San Diego Harbor 1999 — A U.S. Navy radar test created EMI that affected 928.5 MHz wireless communication from SCADA systems and connected valves controlling San Diego Water Authority and San Diego Gas and Electric equipment.
2. A similar incident in 2007 significantly disrupted GPS and other wireless services throughout San Diego: emergency pagers stopped working, the harbor traffic-management system guiding ships failed, cell phones failed and ATMs failed. The cause ended up being two Navy ships in the harbor running a jamming training exercise.
3. Newark Airport 2013—The FCC fined a Readington, NJ, man nearly $32,000 after it traced a problem with Newark Liberty International Airport’s satellite-based tracking system to his truck. The man had purchased an illegal GPS jamming device for about $100 and installed it in his company-owned pickup truck so his boss could not monitor his movements.
4. Den Helder, Netherlands, late 1980s — A gas pipeline control system located near a naval base found a 36-inch valve was opening and closing at the same frequency as the scan rate of a D/L-band radar (1.215-1.4 GHz) system in the harbor. Shock waves induced by the rapid valve movements caused a pipeline rupture.

Using drones to jam radar or a wireless system is one thing, but they can also carry other types of payloads.

“Usually a camera is a default payload, but they can easily carry a small computer,” Melrose said. “The range used to be about 1000 yards and the speed average is 30 mph. But now drones have upped their capabilities to more than 40 mph and up to three miles.”

When it comes to signal strength, distance is a factor, since the power that reaches a receiver falls off with distance, but what if a drone can help eliminate that issue?

“The closer a transmitter can be to the target network, the more effective it is. So the possible use of a drone to move the transmitter closer to the target (is a viable option),” Melrose said.

It may sound like science fiction, but drones are a realistic attack approach.
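Melrose's point that a closer transmitter is more effective can be put in numbers with a free-space link budget. The Python below is an added example, not code from the talk or from Yokogawa; the 2.4 GHz frequency, the transmit powers and the distances are assumed values chosen only to show the trade-off between a jammer parked at the fence line and one carried in by a drone.

```python
"""Free-space link budget: jammer on the fence line vs. jammer on a drone.

Added illustration; every frequency, power and distance here is an assumed
value, not a measurement from the talk.
"""
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss in dB between two isotropic antennas."""
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def received_dbm(p_tx_dbm: float, distance_m: float, freq_hz: float,
                 gains_dbi: float = 0.0) -> float:
    """Power arriving at the receiver in dBm (antenna gains lumped into gains_dbi)."""
    return p_tx_dbm + gains_dbi - fspl_db(distance_m, freq_hz)


def jam_to_signal_db(p_jam_dbm: float, d_jam_m: float,
                     p_sig_dbm: float, d_sig_m: float, freq_hz: float) -> float:
    """J/S ratio at the victim receiver in dB.

    Positive means the jammer arrives stronger than the legitimate transmitter.
    """
    return (received_dbm(p_jam_dbm, d_jam_m, freq_hz)
            - received_dbm(p_sig_dbm, d_sig_m, freq_hz))


def jammer_standoff_m(p_jam_dbm: float, p_sig_dbm: float,
                      d_sig_m: float, target_js_db: float) -> float:
    """Distance at which the jammer reaches target_js_db.

    Both links obey the same 20*log10(d) law, so frequency cancels out:
        J/S = (P_jam - P_sig) - 20*log10(d_jam / d_sig)
    """
    return d_sig_m * 10 ** ((p_jam_dbm - p_sig_dbm - target_js_db) / 20)


def scenario() -> dict:
    """Assumed numbers: 2.4 GHz link, field instrument at 10 dBm sitting 100 m
    from its gateway, jammer at 20 dBm either 500 m away at the fence or
    hovering 30 m away on a drone."""
    freq = 2.4e9
    fence = jam_to_signal_db(20, 500, 10, 100, freq)
    drone = jam_to_signal_db(20, 30, 10, 100, freq)
    return {
        "fence_js_db": round(fence, 1),          # jammer loses at the fence
        "drone_js_db": round(drone, 1),          # jammer wins from the drone
        "advantage_db": round(drone - fence, 1),
        "standoff_for_20db_js_m": round(jammer_standoff_m(20, 10, 100, 20), 1),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With these assumed numbers the fence-line jammer arrives about 4 dB weaker than the instrument, while the same jammer flown to 30 m arrives about 20 dB stronger; the drone buys roughly 24 dB, which no practical increase in transmit power at the fence would match. Note that the ratio is independent of frequency because both paths share the same distance law.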

The following are some cyber defense strategies:
• Know your radio spectrum
• Industrial wireless will need to move to mesh network topologies
• Certain overhead areas need to be secured. Police your Fresnel zones, the series of concentric ellipsoidal regions around the line of sight between two antennas; anything placed inside them, whether an obstruction or a transmitter, affects the received signal.
• Industrial wireless networks vs. EMI vs. distance: weigh each link's reach against its exposure to interference
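Policing a Fresnel zone starts with knowing where it is. The Python below is an added example, not code from the talk or from Yokogawa; it computes the first Fresnel zone for an assumed 2.4 GHz point-to-point link of 500 m between two 10 m masts, tests whether a given position (a hovering drone, say) lies inside that ellipsoid, and lists the height of the zone's upper edge along the path, which is the airspace to watch. All link parameters are constructed for illustration.

```python
"""First Fresnel zone geometry for a point-to-point industrial wireless link.

Added illustration with assumed link parameters.  A point P lies inside the
n-th Fresnel zone of a link A-B when the extra path length via P is at most
n half-wavelengths:  |AP| + |PB| - |AB| <= n * lambda / 2.
"""
import math
from typing import List, Tuple

C = 299_792_458.0  # speed of light, m/s

# (x along the path, y across it, z height), all in metres
Point = Tuple[float, float, float]


def wavelength_m(freq_hz: float) -> float:
    return C / freq_hz


def fresnel_radius_m(n: int, d1_m: float, d2_m: float, freq_hz: float) -> float:
    """Radius of the n-th zone at a point d1 from A and d2 from B.

    Standard approximation, valid while the radius is small next to the link.
    """
    return math.sqrt(n * wavelength_m(freq_hz) * d1_m * d2_m / (d1_m + d2_m))


def in_fresnel_zone(p: Point, a: Point, b: Point, freq_hz: float, n: int = 1) -> bool:
    """Exact ellipsoid test: is p inside the n-th Fresnel zone of link a-b?"""
    excess = math.dist(a, p) + math.dist(p, b) - math.dist(a, b)
    return excess <= n * wavelength_m(freq_hz) / 2


def zone_top_profile(a: Point, b: Point, freq_hz: float,
                     steps: int = 5) -> List[Tuple[float, float]]:
    """Height of the top of the first Fresnel zone at points along the path,
    i.e. the airspace a drone must stay out of.  Returns (x, top_height) pairs."""
    length = math.dist(a, b)
    profile = []
    for i in range(1, steps):
        t = i / steps
        d1 = t * length
        d2 = length - d1
        r = fresnel_radius_m(1, d1, d2, freq_hz)
        los_z = a[2] + t * (b[2] - a[2])  # line-of-sight height at this point
        profile.append((round(a[0] + t * (b[0] - a[0]), 1), round(los_z + r, 2)))
    return profile


def example() -> dict:
    """Assumed link: 2.4 GHz, gateway and instrument antennas on 10 m masts,
    500 m apart along the x axis."""
    freq = 2.4e9
    a: Point = (0.0, 0.0, 10.0)
    b: Point = (500.0, 0.0, 10.0)
    return {
        "midpoint_radius_m": round(fresnel_radius_m(1, 250, 250, freq), 2),
        "drone_2m_above_los_inside": in_fresnel_zone((250.0, 0.0, 12.0), a, b, freq),
        "drone_6m_above_los_inside": in_fresnel_zone((250.0, 0.0, 16.0), a, b, freq),
        "top_profile": zone_top_profile(a, b, freq),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

For this assumed link the first zone is only about 4 m in radius at the midpoint, so a drone holding 2 m above the line of sight is inside it while one 6 m above is not; the volume to police is a thin ellipsoid running the length of the link, not the whole sky above the plant. Lower-frequency links (the 900 MHz band in the San Diego incident, for instance) have longer wavelengths and correspondingly fatter zones.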