Blackhat: Hacking a Chemical Plant

Wednesday, August 12, 2015 @ 01:08 PM gHale

By Gregory Hale
Hackers go where the money is and a chemical plant is a very viable place to earn a good piece of change.

“There are two parts to a chemical plant, the reaction and refinement areas,” said Marina Krotofil, senior security consultant at the European Network for Cyber Security, during her talk last week at Blackhat USA 2015 in Las Vegas. “The reaction area is where a hacker can do the most damage.”

Blackhat: Recovering from Shamoon
Blackhat: Satellite Hack has ICS Connection
Blackhat: Free, Open Internet Dying
Tesla Patches Auto after Software Hack

So, understanding the future of cyber-physical systems security will pay off in terms of keeping a plant safe, Krotofil said during her talk entitled, “Rocking the Pocketbook: Hacking Chemical Plants for Competition and Extortion.”

After giving a quick basics course on the manufacturing automation industry and the importance of keeping systems up and running because of the dangerous possibilities of a successful hack, Krotofil said getting into a chemical plant means the hacker has to have a plan to see if they want to cause equipment damage, production damage or have a compliance violation.

She was able to show how to hack into a vinyl acetate monomer production system. The goal any hacker has in an attack is to potentially cause damage in the complex system through learning from the beginning to eventually creating a false path to lead any potential investigators in the wrong direction.

When Krotofil talked about a cyber-physical attack, she mentioned the various stages like access, discovery, control, damage and cleanup.

The construction of a successful attack has to go through several stages, some can end up performed in parallel, some will end up performed repeatedly, and some will require expertise on the physical part of the cyber-physical system.

In the access stage, you find a Zero Day and also “a clueless user” and select a vulnerable device and you are then off to the races. “The access part is where IT knowledge comes into play,” she said. But from now on, you have to think like a process control engineer.”

The discovery stage looks at what and how the process is producing, how is it controlled, how is it built, wired and where are the safety systems, she said.

Trying to get into a process and cause an issue like an overheated tank could trigger an emergency shutdown, so the discovery stage could also involved looking a chemical plant diagrams. For instance, she said, “talking about a stripping column; you need to speak the language.”

The control stage: “Obtaining control does not mean being in control,” Krotofil said. This stage maps out which device depends on what so an attacker can figure out their approach.

The damage stage is the least understood by hackers, she said. Finding accident data is a good starting point. “The target plant may not be designed in a hacker friendly way.”

Hiding the attack or finding a good person to blame, is part of the clean up stage, she said. One good thing a hacker could do is to wait for a shift change or maintenance. “If you do that, it will drive them crazy.”

An attack aimed at physical damage would be like the famous Stuxnet attack, Krotofil said. The attackers, which ISSSource reported was the United States and Israel, revved up centrifuges at the Natanz, Iran, nuclear facility, while the operators were seeing everything was running safely. The resulting damage wiped out the centrifuges and set the Iranian nuclear program back for years.

Attacks aimed at production damage change the product quality and production rate; this can affect the price of a product, increase operating costs, or impact production process by increasing maintenance workloads.

An attack aimed at compliance violation can result in fines for a company and bad publicity.

“Once hooked up together, physical components become related to each other by the physics of the process,” Krotofil said.

The simple fact is Krotofil wanted to show how a hack into a simulated chemical plant could work to give users a “better understanding of what attackers need to do. You have to look for attackers.”