Spotlight

Physical Damage: SCADA Attacks Easily Theorized, Hard to Execute

By Owen Lystrup
Posted on August 12, 2015
Updated on March 27, 2020

A group of about 25 people crowded around IOActive ICS Principal Jason Larsen as he explained the processes needed to cause physical damage from an attack on an ICS or SCADA system–the control systems for electrical grids, manufacturing plants, water distribution systems, and so on. Just behind Larsen, two 55-gallon drums hooked to hoses and electrical lines monitoring pressure and temperature were arranged in a way similar to a crude whiskey distillery. Larsen was about to demonstrate his ability to digitally catalyze a change that would result in irreparable, real-world physical damage. It would be a remote hacking version of the simple physics experiment you can find on YouTube.

Drums prior to implosion
Jason Larsen’s simple distillery at the ICS village in Defcon 23 demonstrated the physical effects of a hack.

According to Larsen, attacks perpetrated remotely in a live environment are never easy. They would take coordinated teams of people, advanced security expertise, and an intimate knowledge of the systems being attacked.

In the aftermath of Stuxnet back in 2010, Liam O’Murchu at Symantec was credited with discovering the level of complexity and sophistication in the Stuxnet malware, which also translated to the actual physical attack. “From the SCADA side of things, which is a very specialized area, [the attackers] would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works,” O’Murchu said in a ComputerWorld interview.

“The specific factory floor” is important, because–as Larsen demonstrated in his session at Blackhat USA 2015–each environment is unique, and navigating it from a remote location is often done “by feel.”

“Hollywood has conditioned us to believe that once you’re in the [SCADA] controls, there’s a big red button that says ‘mash the big red button,’ and then things explode,” Larsen said. “In reality you have to analyze the process and build the big red button.”

According to Larsen, the detailed knowledge of controls and processes required to pull off an attack that does physical damage is not easy to acquire, despite the copious descriptions of vulnerable SCADA and ICS infrastructure in the media. In a session at Defcon 23, Larsen and his presenting partner, Senior Security Consultant Marina Krotofil, explained that getting into a system and controlling that system are not nearly the same thing.

The two described this misconception in their presentation description: “An attacker targeting a remote process is not immediately gifted with complete knowledge of the process and the means to manipulate it. Exploiting physical process is an exotic and hard to develop skill which has so far kept a high barrier to entry. Therefore real-world control system exploitation has remained in the hands of a few.” In fact, there are only two well-known industrial control attacks to date, the first being Stuxnet and the second an attack that occurred at a German steel mill in January 2015.

Drum after implosion
The aftermath of a remotely initiated change in pressure.

But in his controlled environment at the ICS Village, Larsen gave a small but impactful example of what’s at stake. A change in water temperature, resulting in a drastic change in pressure, ends up in an imploded 55-gallon drum. The demonstration leaves a small crowd gathered around the presentation stage gasping at the blowback of air pressure.

Though such attacks may be extremely difficult, Larsen provided a live demonstration of what security researchers and SCADA experts have long said is possible.
