A group of about 25 people crowded around IOActive ICS Principal Jason Larsen as he explained the processes needed to cause physical damage from an attack on an ICS or SCADA system–the control systems for electrical grids, manufacturing plants, water distribution systems, and so on. Just behind Larsen, two 55-gallon drums hooked to hoses and electrical lines monitoring pressure and temperature were arranged in a way similar to a crude whiskey distillery. Larsen was about to demonstrate his ability to digitally catalyze a change that would result in irreparable, real-world physical damage. It would be a remote hacking version of the simple physics experiment you can find on YouTube.
According to Larsen attacks perpetrated remotely in a live environment are never easy. They would take coordinated teams of people, advanced security expertise, and an intimate knowledge of the systems being attacked.
In the aftermath of Stuxnet back in 2010, Liam O’Murchu at Symantec was credited with discovering the level of complexity and sophistication in the Stuxnet malware, which also translated to the actual physical attack. “From the SCADA side of things, which is a very specialized area, [the attackers] would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works,” O’Murchu said in a ComputerWorld interview.
“The specific factory floor” is important, because–as Larsen demonstrated in his session at Blackhat USA 2015–each environment is unique, and navigating it from a remote location is often done “by feel.”
“Hollywood has conditioned us to believe that once you’re in the [SCADA] controls, there’s a big red button that says ‘mash the big red button,’ and then things explode,” Larsen said. “In reality you have to analyze the process and build the big red button.”
According to Larsen, the detailed knowledge of controls and processes required to pull off an attack that does physical damage is not easy to acquire, despite the copious descriptions of vulnerable SCADA and ICS infrastructure in the media. In a session at Defcon 23 Larsen and his presenting partner, Senior Security Consultant Marina Krotofil, explained that getting into a system and controlling that system are not nearly the same thing.
The two described this misconception in their presentation description, “An attacker targeting a remote process is not immediately gifted with complete knowledge of the process and the means to manipulate it. Exploiting physical process is an exotic and hard to develop skill which have so far kept a high barrier to entry. Therefore real-world control system exploitation has remained in the hands of a few.” In fact, there are only two well-known industrial control attacks to date, the first being Stuxnet and the second an attack that occurred at a German steel mill in January 2015.
But in his controlled environment at the ICS Village, Larsen gave a small but impactful example of what’s at stake. A change in water temperature, resulting in a drastic change in pressure, ends up in an imploded 55-gallon drum. The demonstration leaves a small crowd gathered around the presentation stage gasping at the blowback of air pressure.
Though they may be extremely difficult, Larsen had provided a live demonstration of what security researchers and SCADA experts have been saying is possible.