 Thank you, and welcome to the masterclass on hacking chemical processes So I started doing I see a security before stax net and before it became sexy So I'm a true fan and not a follower So and it didn't take me a long time to realize it actually control system consists of two parts of the control system itself and of the physical process and And if you attended the talk of straight a skater strange laugh or a ring leverage You already know how to find and exploit vulnerabilities in this control system and support in IT infrastructure But because of the physical component this industrial control systems are also called cyber physical system and in contrast to the traditional IT security the goal of the attacker is not in like data or information but To get the physical system in a state designed by the attacker like suboptimal operations Or to make the system performing actions designed by the attacker like spin that centrifuge until it breaks So while the attack clearly needs to hack his way and to obtain controls I was wondering whether the processes themselves have vulnerabilities with the attack I can leverage to achieve his evil goals So like starting the security of the chemical of the physical processes became a research topic While one of the challenges of explaining the need of cyber physical security is the absence of public disclosures about bad things happening to the physical systems and What actually goes in the dark eventually comes into the light So the December was full of like big disclosures about Accidents leading to the physical damage So well done Santa. Thank you very much So the second biggest challenge of Contacting cyber physical security is that you need to actually test bad of the of the process under the investigation And it it is not only extremely expensive to build such a process It also requires a lot of specialized knowledge and the presence of the specialist and also a lot of regulatory permissions for conducting unsafe Experiments and of top of that you need even more money to rebuild your test bed if you destroyed it in the result of successful attack so So therefore typically such research should be conducted on the simulation models so At the beginning I try to Build model myself But quickly I have realized that it takes a lot of lines of code a lot of specialized knowledge and I'm too lazy to do that So I decided to look around is there anything and actually there were there was few models not many but few so for my research Yeah, and the problem also that building simulation model is extremely expensive as well as as Expenses building physical systems. So most of the simulation models are proprietary and not for public use so The two models which I selected for my research for models of chemical plants So why did I decided to study chemical processes or chemical plants chemical processes are large they have a lot of complex interactions and interdependencies and It also they usually model a lot of disturbances so which represent a wide variety of different Dynamic behaviors, so it's interesting to study them and it poses a lot of challenges while studying it also such models are accompanied with Objective functions like optimal operations safety limits minimize an operating cost So having such functions also allowed to numerically evaluate the success of your attack so What is them vulnerable chemical process itself? It is a research initiative to enable community to study cyber physical Experimentation it consists of the models of two chemical plants the one is Tennessee Eastman process This is a realistic chemical process of the Eastman chemical company And it was the process was released to researchers in a form of Fortran code, but the exact chemicals and the equipment was not defined So this model is best suitable for for black box hacking and so far most of my research today It is done based on this model The second model is vanilla citate Modemia process. It's a realistic chemical process to produce vanilla citate All the chemicals defined all the equipment is defined It's extremely large Processor much more complex at Tennessee Eastman and probably understanding it will take you initially a couple of beers with your chemical engineer friend So I will not go into further details about the process because I want to spare time to Explain how we have the processes, but I will tell you how this frameworks look like so they all have a simulink model Which is like it's a typical way how you model chemical processes and they can be understood with the average Like moderate effort and the advantage of the simulink model that they're very interactive and it allows you to quickly change things and observe What is happening? So and we and it is very well suitable for for the what if nature of the cyber physical experimentation so We created also a GUI which allows you to set up attacks on the individual components of the chemical plants with few mouse clicks The results of the simulations are stored as data which you have to analyze and also they're visualized in form of actuator sensor signals So The process the code of the process itself is written in the c code and open so basically you can modify it to fit your needs You can add maybe some Dynamic behavior and so on but the execution is happening in MATLAB. Yes, I know MATLAB is licensed but this is so far the closest what we get to the like public availability because Most of the process models are implemented in a proprietary commercial simulation software Which is not available really to anybody to everybody and in contrast MATLAB You can always find it in the all the academic institutions. Most research institutions has licenses and Also in the industry. So there are also some other sources to get a copy of MATLAB so So today is the official release of them vulnerable chemical process which was a very long Project and work. So this is the way you can find it for now So this is we call it still a better version because we did not finish implementing the disturbances in vanilla citate process And we need to write a very good read me but otherwise it works and it can be used and maybe like after the talk find Me I can show you how it works So obviously it was a very complex project and I'm not a single team in a member in the team So who else is who else is standing behind the curtains? So, thank you very much to Aiden Levering for persistent fostering my belief in my own hacking skills I also the thanks goes to Mona Lange who motivated me to apply with this talk Obviously the project would not be possible without generous and constant support of my professor Dita Goldman who did not only provide me with all money I needed but he also gave me freedom to do what I want and if you think And if you think that he reminds you somebody yes, he does look like Einstein and he's also Austrian I Also thankful to professor Alvara Cardenas from University of Texas in Dallas who taught me how to sell Hacking stuff at the academic conferences So I'm thankful to my friend Ola who designed and who draws a logo for them vulnerable chemical process And of course them vulnerable chemical process would not be awesome without a programmer So Alexander is the is the one who was working mostly on the simulink model goo is and so on and we spent a lot of productive nights in the lab a Big applause to chemical engineer Pavel Guriko for believing in hackers So he is responsible for like monitoring the correct the chemical correctness of the experiment and last but not sleep The collaborators Jason Larson. He's an awesome hacker who believes in chemical engineers He has a 15 years of experience in haggie hacking skater system and breaking the equipment. So here's my Wikipedia for most Questions and also we publish a lot together By the way, he he promised to look as he's now in the states. He could not make it to the conference But he's watching us online So so far I'm done with the introduction and we can really start to talk about serious stuff. So how do we exploit chemical processes So and to start with I would like to debunk a couple of myths about skater hacking So a typical belief about skater hacking is that you gain access then some magic happens and That's it success everything explodes So let me tell you Ah Disclosure number one Obtaining a control is not the same as obtaining access is not the same as obtaining control If you exploit vulnerability on a single IP enabled device on the skater system That does not automatically give you control of all IP stupid Controllers and sensors on the network and also does not allow you to overcome all the 7 t checks Also breaking into the system is not the same breaking the system in order to damage the system You need to know how it works and how it fails So, do you know what strip is? But no, it is not exotic dancer. It's a stripping column and you need to know and you need to be able to recognize equipment when you see it So skater hacker is not somebody who hacked into them god knows what Did something achieved something skater hacker is has a defined? Attack objective. He's a human with limited limited to the real time constraints like bad management Time pressure limited budget own experience and so on so skater hacker is a rational human and not a Harry Potter Okay, so In order like when you write your shell code you usually put they in set of commands to instruct computer software to do What you want so it's similar Designing the payload cyber physical payload you need to pack inside the series of commands to instruct physical process to do what you want and The set of instruction will depend on your what Aval thinks you want to do to the process So actually what is possible to do to the process? So let's start thinking Aval So in a nutshell all bad things which you can do to the process can be attributed in one of the three Big groups so you can for example want to damage the equipment Like either breaking it completely or just damaging so that can be achieved in two ways You can either like over stress the equipment over the prolonged time For example, this type of attack was realizing the stacks net or you can also violate safety limits Obviously in some smart ways this type of attack was realizing the Idaho National Labs when they remotely destroy the power generator so Instead of breaking the equipment the attack I can also try to damage the production itself This type of attacks can be roughly divided into three like attack goals first the attack I can go after the product itself so either The attack I can either Tumper with the quality or is the production rate so every product has a specification and a market price for the quality So the attack I either can spoil make the product completely useful or reduce its Like purity Here okay, sorry so look at the prices of the Paracetamol as You can see not achieving the desired purity can be extremely expensive So Also instead of like targeting exactly spoiling the products the attacker can try to increase the production costs Increase production costs will make product in competitive probably Christmas wish of every competitor So How can it be done so every factory has a cost objective function which comes consist of certain components which Mostly influence the production of the cost that could be for example laws of the raw materials in the purge premature deactivation of the catalyst increase usage of the energy so that I can go After any of this like cost function parameters The attack I can also impact the production by increasing the maintenance workload. What does it mean? maintenance refers to solving the process disturbances and to Revisit the equipment malfunctioning so for example, if the operator if the attacker will rapidly operate the valve it will cause very damaging cavitation process in the pipe cavitation process is a creation of the vapor cavities in the liquid and Cavitation process Extremely complicates process control and also it calls cavities for example in the valve. So after some time the it will Cavitation process will create cavities in the valve. It will start leaking it will need to be replaced So Obviously certain attacks scenarios will eventually also converge into the same attack instances for example there in order to damage the production the hacker can also Break the equipment, but knowing exactly your goal will first of all help you to design attack with a maximum impact and secondly to minimize your effort in designing attack basically not to over engineer it and So far what I've been talking Those type of attacks will not likely to make the front pages of the newspapers Why because the operators do not like to disclose as such accidents is damaging for the reputation But if the attack I really would like to spoil the reputation He would go to another type of attack. So chemical industry is extremely and heavily regulated Also, like all of those regulations safety limits and requirements. They all public so that the requirements are readily available to the attacker so instead of Damaging the production the attacker can make a company just simply non-compliant So what does it mean and like non-compliance must be reported and it is public. It's like an aviation industry So the most damaging scenario would be Targeted at the occupational and Environmental safety because this type of attacks will result in lethal Accidents like human death and also severe damages to the environment And less damaging attack would be on the regulatory pollution. This refers to the concentration and volume of the emissions So the company for example may operate perfectly fine. They are the optimal Economic operating conditions, but because of the increased concentration of heavy metals in the emissions. They are non-compliant and Especially we know Greenpeace and community responsibility that cause a lot of bad publicity in certain cases the community may even demand Company to close down and move the production somewhere far away which cost money This also pollution costs like just to give another example. This is a soil and water contamination Like a less known example, it is contractual agreements which results in contractual sanctions. It's for example Certain chemical certain substances takes time to produce for example the vaccinations usually needs six times. So if Health organization is planning a mission to the Africa and they say okay We are doing it in six months. You have to deliver the vaccinations So if the company does not deliver it's a very bad publicity and cost a lot of money So So, okay. Now, I hope that you are motivated enough So let's start exploiting So and to start exploit we need to find exploitable vulnerabilities. How do vulnerabilities and chemical processes look like? Let's take a look. So this is the Tennessee Eastman process find the vulnerability Difficult To know to know that to find the vulnerability the attacker first need to figure out how the protest is controlled So this is the chemical reactor and it is controlled with the purge valve, which is kind of small in comparison to the size of the Like to the volume of the inflow of the reactants and this well has a large time constant 60 minutes so It takes 60 minutes to to observe to achieve the desired change in the reactor pressure after the After use chain like after you adjust the valve So this combination of a small valve with a large time constant it's a severe vulnerability of the in the design of this plant and it's actually its bottleneck and Typically, there are many control strategies exist for this Tennessee Eastman process and None of them is using this scenario because it's this valve is not able to cope when the pressure Will be rising the reactor too fast. So The goal then like after the attack I see this vulnerability then he has to start thinking Okay, I have to raise the pressure very fast in the reactor. How can I do it and the fastest way to do there is to switch off the cooling system because vapors expand rapidly in the hot so So if you want to break something a combination of a valve and a pump is Good candidate for a water hammer attack a signature attack of Jason Larson So think of the what is water hammer think of the tsunami in the pipe it's like a rapid rise of the pressure in the pipe which leads to pipe failure and You can then decide where to break it So if you would like just to break in the pipe and stop the production you would go somewhere in the recycle loop but if you want to cause something like Safety related accident you for example can break the pipe which carries a saline because it's toxic to the humans and So For production damage you can find probably also to exploit the vulnerabilities or let's say features of the chemical process itself So the reacted chemicals From the reactor goes through the heat exchanger to cool down. Otherwise, they will keep reacting so if if you switch off the attack switch off the cooling system there The vinyl acetate will keep reacting after going out of the reactor and it will turn from the liquid into particles It will turn into its solid state into the vinyl polymer and that will clock the pipes and the valves and the production will have to be stopped for Valve replacement and probably pipe replacement as well So if you want to vent something out So if you can see there is a bypass valve in the recycling loop So it seems like if you completely open it There are a lot of other chemicals will go back and we got knows what we will emit So this is how the vulnerabilities look like So now we know Like what can we do to the process? We know how the vulnerabilities look like let's start planning something out So we will start planning the attack stages So obviously skater hacking is extremely complex But you would typically have to go through the specific steps of it So you obviously you start with a traditional hacking you get an excess The next step is to figure out where I am and what it is doing So what does it mean? So this is process discovery. So what does it exactly mean? Process discovery means first you have to figure out like what is this process? Doing and what it is producing even if the attacker isn't know that he's in some vinyl acetate production plant Every chemistry in each individual plant is still unique and very proprietary This is a competitive advantage of each company. So the attacker has to figure it out Then the attacker needs to know how the plant is controlled So basically the location of the control Valves the control strategies used and the configuration of the control loops And also after that that I also need to know how the plant is building how it is wired because he needs to get access to the specific components This attack this stage of attack requires a lot of information to collect Therefore, it's typically start a couple of like sometimes in advance before you plan your damage And it starts with the old-fashioned espionage in the last three years have been a lot of espionage attacks on the like energy sector chemical sector and so on and this is like This is The citation from the report of the cement tech of the nitro espionage attack So the next step is control So even if you discover that there are like certain valve and there are the certain measurements first of all you need to figure out How you exactly can change something on the fact in the factory So what does it mean that even if you there are some control that not Maybe not those control which will bring you the desired outcome So you maybe have to think of something like how to misuse it in a different way Secondly, it's not also necessarily that you will be able to get control over the controls of your interest So you again, you will probably have to think Way around so basically you will have to see like what exactly you can manipulate and how and also in this state You start thinking how can you can hide? Your activities and also the state of the process from the operator to prevent operator response At the damage state you actually start implementing your attack Yeah, so this is the damage that this is exactly where you I was just wanted to see it if I wanted to say something else No, this is where you start to compile and you actually find a payload and The last step is a cleanup step. Although here it is like I locate I put it at the last stage But this is the step which you plan throughout all the steps of your attack. So cleanup is a Constructing the forensic footprint. Basically, what do you want investigators to think about what has happened? So it it goes through there like all the stages you start to thinking in advance like to adjust in control logs and so on so This is a part of the which I will partially cover today only this ones and In reality, of course, there are many more things to do while going through the steps But if I would like to save some time to tell you really some details I will not go into the details. Maybe you can see it on the video or buy me a mintee of the conference And I can explain it to you So, okay, so now we know what we can do to the process We know about the vulnerabilities and we know how to plant like like the stages how to execute such attack So let's start really doing something So and first we need to fix a scenario like what do we want to do and the scenario would be the catalyst deactivation so Let's say like you want to cause Maximum economic damage to the plant. So hopefully this is already hopefully by now recognizable by you vinyl acetate process and if the attack I want just to cause Maximum damage. He can just destroy the pipe which carries out the final product and you're done You spend all the money you get nothing out of it. But that attack is kind of too obvious and What if you want to be a little bit more subtle than that? So we should do something in the factory. So the entire factory can be roughly divided into two big groups like parts It's a reaction section and refinement. So let's look in the refinement refinement will consist of a lot of different operating units is a big part of the plant and So the the attacker has a lot of things which he can do in the refinement sections but also the operator has a lot of opportunities to Notice that something is happening and to take compensating actions So here winning winning on this part of the plant can be difficult or challenging So in contrast if you just go into the reaction side and you just say completely destroy the reaction in the reactor Then you basically have nothing to refine because you did not get your product. So that's really sounds like a good Scenario for the Mexican well economic damage. So but how exactly do we spoil the product in the reactor? So for that we need to look inside of the reactor. What is happening inside? so Typically like a bunch of chemicals is thrown into the reactor and heated up so the reaction is happening and you get your product However, if you will not without the catalyst Let's put it other way. So if you will not control the reaction in the your reactor, it will react in Kind of a lot of different strange ways and you will not get your product There will be a lot of different chemical reactions happening So the control over the reaction is usually done by adding the catalyst into the reactor That is a special chemical substance which will guide the reaction and it will Direct it in the desired direction and it will also make sure that you get the right product out of it so in the vanilla citate you can see it's a Catalyst in the vanilla citate the chemicals get in they are absorbing to the catalyst and the vanilla citate is Disorbed out of the catalyst so it provides a service surface for the reaction and Vanilla the catalyst is a kind of life substance substance It it's very sensitive to different Disturbencies and imperfections in the in the operating in the reaction conditions It also so has a lifetime and if it's not treated properly if they're not the right conditions created in the reactor it will die killing the catalyst in the reactor is Extremely expensive to any chemical production and especially vanilla citate and I can tell you why so as you can see so the main components for Producing the vanilla citate is a ceiling but only 8 to 10 percent of the excellent Like the reactor is constructed in such ways that only 8 to 10 percent of the ceiling will come in contact With a catalyst it's done on purpose because this reaction is extremely exothermic and requires the oxygen a saline Oxygen together under high temperatures create explosive get danger So as you can see the process is not very efficient in the way of using raw materials per pass So you have to recycle it many times also only 95 percent Of all the excellent which comes in contact with the catalyst will become a vanilla citate if you think this it is a big number Well, it's not a bad number, but it is Subjected to constant improvement Because even increase in selectivity even by one percent results in enormous cost savings So if you will manage to catch it to kill the catalyst We will produce a lot much less product per pass and it will also Substantially increase the production of the cause because you the unreacted chemicals will need to be recycled back Also, it will increase emissions and if we will manage to build the catalyst Only if you manage to kill 20% of the catalyst that will already for the company to shut down the production and Remove the catalyst and replace the freshman. So this is a good attack target So, how can we kill the catalyst Roughly, there are two reasons which there are two let's say dangers to the catalyst. It's a danger of the High temperature under the high temperatures the catalyst activation in first decreasing and then it dies completely So it's irreversibly And also you can change the inflow of the reactions of the reactants because it changing the inflow of the reactants will change the Reaction in the chemical process and it will cause to for example, the excellent will combust so less Molecules will come into contact with and also it will produce some side products Many of them which are poisonous to the catalyst. So now we know we need Is it to change the temperature or change the inflow of the reactants? so We need to find our controls now. So we discovered the process. We now need to find the controls So We are now at the discovery stage So How can we change the behavior of the process? So the process can be changed the behavior of the or the process can be changed in two ways You can directly adjust the actuators or you can deceive the controller about current state of the process by Presenting the controller with the false state of the process So what exactly does it mean now let's spend five minutes as a control engineers So the modern like the entire concept of process control is based on the concept of control loop So and the design of the process start with the deciding on the set point, which is not on this picture. I'm sorry Then I will do it like this So you decide for design of the process start with the design Deciding on the value of the set point set point is a desired value of the physical parameter for example Temperature in the reactor then the sensor measures the current state of the process and Send the measurement to the controller the controller has a control algorithm which decide How to instruct the actuator how to adjust the actuator to bring the process to the desired state to the set point So if the attacker will manage to lie to control about current state of the process the controller will take Wrong and probably harmful control decision. So this is what we want to achieve. This is one of the ways to achieve that one so Typically in the production environments control loops are nested they're very complex they Interactive and it has very complex dynamic and somewhere there is also the operator sitting and monitoring the process so if the controller if the process runs out of the like expected production envelopes and the Operator intervening takes control to himself. It's called manual control So the next slide is extremely important because this is a main key Conceptual difference between traditional it is hacking and hacking in the chemical in the of the physical processes so Attacks on the traditional IT system typically does not deal with time you flip a bit in your software already doing what you want unless except few scenarios like a single flip Bit flip can change like can engage the burner under the tank of chemical, but the reaction will still take time to complete so Changing the output of the controller does not immediately bring the process into the desired state and in fact There will be a time when the system will not respond at all. This time is called that time and The time which it takes of system to achieve 63 percent of the desired Like parameter like target parameter is called time constant The attacker needs to know these parameters to be able to construct attack on the on the physical process These numbers are extremely individual to each control loop to each facility and Typically they depend on the type of the physical process and also configuration of control loop and The challenge is also that this is not the number which the attacker can easily espionage So typically these numbers consist only in the head of the most experience and the oldest process operator on the plant So you either have to kidnap the rate the right operator Or you have to figure out these numbers yourself through reconnaissance activities So basically you will have to start turning things on and off sending impulses to the system and observe the timing reactions and Try to estimate them So let's stay for a couple more minutes in the role of the process operator Yeah, so this requires reconnaissance activities. So this is IT infrastructure for controlling the centrifuge the Stuxnet So the very responsible network administrator is very concerned about how exactly The loss of data integrity has happened in the network Which blinded the operator about state of the process But the operator sorry for my French does not give a shit how it happened all he cares about that this is a loss of loss of situational awareness which leads to complete loss of control So And you know why the operator was deprived from controls because the scatter hacker needs them So during the During the attack the hacker himself is a process engineer is a control engineer and the process operator So no he's controlling operating the process. So and in order to be able to Control the process that attacker has first observe the process. So the process must to be observable to the attacker So he has to be able to estimate its state and in order to be able to control the process The process must be controllable. So the attacker has to enable all necessary controls So controllability and observability are key pillars Peeler Pealers of the modern process control theory And During the attack the operator and the hacker they have conflicting goals They both want to have controls like control the process. So the Objective the target the goal of the attacker s is to take controls from the operator and enable controls for himself So and talking about this controllability observability take us very close to the security properties of physical systems so in a In a security community now there is a very serious Civil war going about what should be there? How should we describe? The security requirements of the industrial control system. So in IT domain it is CIA model So it was suggested that we will be good enough if you just reverse it So okay Fantastic and now tell the operator that he now has a loss of A loss of confidentiality situation He will stare at you with blank eyes. It tells him nothing So we don't need to reverse anything. We just need to use the right terms It's controllability observability Which is accompanied by the third property, which is operability. It's an ability of the system to achieve acceptable operations So for the process controls the security Properties are c o o or c o 2 so Remember cia is for information security co2 for process control security Okay, so um, let's go back to our process So we need to find the controls. So this is a Our vanilla citate process, but now it also has a control structure Which the attacker has to figure out not only finding the location, but how the process exactly is control So what will be the sensor and what which will the actuator he needs to find those couples? so um Here we found some controls which hopefully could be useful And If the if the attacker does not have the exact mock-up of the process Which he wants to exploit He probably will need also to be able to observe the process to To be able to estimate the effect of his attack. So he needs to find the measurements So we want to kill the catalyst. So, uh, they How do we know how successful we are we need to measure the amount of molecules of vinyl acetate in the reactor exit so the chemical concentration is usually Uh Defined with the help of analyzers. So there are a lot of analyzers in the vanilla citate process But none of them in the reactor exit So what do we do? It's a bad situation for the attacker So the only measurements which we have is only is reactor exit flow rate and reactor exit temperature So, um Process observation challenges. So if the required measurements are not in place So what are your choices? So you can easily build a simple model Of the process and derive measurements from there. So you basically will be estimating You can also try to deduce process state from the related measurements. For example, if the reactor If the reactor exit temperature will decrease probably then less reaction is happening in the reactor. So your catalyst is deactivating Uh, and you also can for example convert a sensor in place to measure what you need This is a work on pro in progress of jason larson you can also try to enable the Sensor like with certain capabilities for example to measure the shock wave in the During the water hammer attack you can Usually the sensors are not cannot do not sample the As measured signal very fast. So if you so the shock wave goes between the adjacent samples So you can increase the sampling frequency in order to be able to measure what you need The other challenge with the attacker will experience is non-linearity of the process So what is that? My students usually get mad when they try to understand that So, um It means that the Reaction of the process to the input is not proportional Moreover the behavior of the process is Different and unpredictable when you try to change it even for a few degrees For example, the way how the process will behave while you try to heat it to 150 degrees is completely Different from what if you will try to heat it further from 150 to 160 For example, this is the equation of the energy balance in the reactor. So as you can see it is highly non-linear And The problem is also that the behavior of the process to everybody on this planet Is only known to the extent of its modeling. We don't know physics if you don't Measure it. So also the controller will only be able to control the process to the extent of the control algorithms um also the The instruments are calibrated to measure the process within some boundaries. So and the Attacker will likely to push the process outside of that boundary. So this introduces serious uncertainty for the attacker and he will need to take Uh, like listen to account while designing his attack Okay, so we found the controls we found the measurements. Well, it's time to start exploiting So let's manipulate the process And ralph lagnar had said nicely about exploit like about using the features to compromise like the ics Okay, so are we pros? Yes The answer is yes. So let's use it So I'll show you So yesterday It's not your talk. Sorry. Yeah, okay um So yesterday aiden has uh levered has presented uh how to find Vulnerabilities in the switches So let's assume that the only control which you got in the process Is a code execution on the switch. Can you do something with it? So, um aiden is also has managed that it's like if you have a control over the switch, you can call it denial of service attack. So What does it mean? So for uh, for example, so Like as I mentioned that for example, one of the way how we can manipulate change the process We can deceive the controller about current state of the process so, um That could be for example achieve through Man in the middle attack But the cpu's on the switches are typically has very little resources like very So the full man in the middle for each and single packet is not possible in any mean So what you can still do if you have a code execution on the cpu You have you can ask switching fabric to forward you few packets so that you look into the payload and you Get to know the state of the process And then if you cause denial of service of the at the opportunity time on this Communication between the sensors and the cpu of the controller you can actually Manipulate process at will So in the it domain I Those attacks means like the system does not do anything here. You can actually control process as you want So and I'll tell you how it happens so, um This is um The typical controllers like programmable logic controllers. They operate on the scan cycle architecture So at each control cycle, which is like every millisecond They ask the sensors about state of the process and they store the measurements in the input buffers And based on the store data, they calculate their control commands to the actuators So this is happening like this. We read the measurements. We read the measurements and Instruct the actuators. We read the measurements and here we We Caused the denial of service. We do not route packets anymore so at the each subsequent control cycle there The controller will keep generating command based on the last received value and If this value is below or above a set point that will eventually Bring process into some undesired state um, so This work was over we published already this work and presented already to the wider audience like just two weeks ago um so If you will dose the process at some like random time you have no idea I dose now So if you can see this is just like I selected just few responses of the system of such dose attack on the Reactor pressure sensor. So as you can see the response of the system to such attack differ greatly so In fact, so you need to select the right time when to attack the process So it's you probably can relate So our work was our work was exactly on finding the right time When to launch dose attack on the process to achieve effects, which you want Okay, so um, this is one of the ways how to manipulate the process And so far we've been talking about kind of Straight forward manipulation. We took actuators or we take the measurements and we try to change Try to deceive the controller and change the process state um, but There are also more complex and interesting scenarios are possible So physical environment is a communication media on its own So two components, even if they are segregated electronically, they can communicate over the physical media So if you get access to one pump and stand set up a standing wave between two This pump and the other pump you can actually influence the performance of the other pump Uh, and this unseen state of that component will be have a hidden impact. We call it a hidden impact data um, also for example, um Like the reactions are planned to happen in the specific reaction vessels because they also have like relief valves and catching basin if things go wrong so what if you Displace unreacted chemicals from the reactor and already send it into the pipe Nobody knows which chemistry will happen. So kind of unexpected physics And if you know the research of serguei bratos, this is kind of this concept of unexpected physics is similar to the concept of weird machines Okay, so um, I'm good on time And we now can manipulate the process we decided we decided already how we will manipulate the process What else left is we have to hide So we need to conceal our actions, so Um, I removed this slide, but I'll tell you in words. So in the recent Accident disclosure on the uh, uh, turkish is german turkish. It's english Sorry Pipeline there was that they like they They demo is like like they destroy the pipe, but the operators which were monitoring the pipe have to Like learned about the accident 40 minutes after the accident because somebody reported. Mmm. There is a fire So the attackers took Effort to conceal their actions to prevent operator response. So basically that will burn a lot So what are the possible spoof scenarios like typically there could be the first on the Possible scenario is recording playback. So you record Like a good batch or a good day and playback during the attack. This was uh, used in the stux net but That challenge is it requires a lot of storage. So and if you're somewhere on the small microcontroller on a sensor, that's probably bad scenario not Possible scenario for you on the others And you can also try to derive a process model of sufficient accuracy and Like kind of generate process measurements on flight and send them to the operator But this requires the knowledge requires cpu cycles to run the model and also requires the storage. So also difficult scenario may not be for sensor microcontroller and the First scenario is just like craft your own signals, which are in a believable which are very believable So you just reconstruct sensor like process data features like because it's just normal sensor signal And so we did it we implemented this one. I will show you in a moment and we also This is just recently accepted work of ours. We will present it in april Uh, and we also found the way how to detect those signals. So you cannot detect them with a normal like signal processing Tools, but we we detected such signals through the plausibility checks knowing the Other measurements in the system. So if you know the other measurements in the process, you can Detect that this is actually this measurement is not plausible So how did we uh, how did we build our system? So first of all you need to reconstruct the believable noise, which will replicate the spikes and the gaps in the noise. So we use This is the this is the idea of the jason larson. So we use To use a run test So which treats sensor as a pseudorandom pseudorandom sequence it extracts Runs which you then build together to reconstruct the noise and you can see it's very accurate And the second we need to be able to reconstruct the dynamic behavior on the signal. So We use a line approximation to extract line dynamics and like Again, it starts with a learning phase you extract the mean value then you extrapolate signal dynamics with a With a line segment you learn enough and then during this poofing stage you place together the segment around the mean So that it fluctuates evenly and you can see It's quite accurate so And it's very evil So, um What is the future? This is how I see the future I often hear the argument like Well, but we are it like guys we are security professional what we have to do with control. That's not our department So my idea is that security specialists define security requirements, for example think of the confidentiality we The security specialist says that we need Signatures for authentication integrity protection or we need encryption for confidentiality We post security challenges And then the for example the guys who can implement it do their job. For example the mathematicians designed for us the good and secure Cryptographic primitives, so it's no different with secure control find the problem set set the challenges to the control engineers and let them do the job Um, so Thank you very much for listening And I still have five minutes. We have still five minutes for questions Yes, please line up at the microphones and um Maybe we should start with mic two Hi, uh problem The best kind of talk on congress. Thank you Just to point first From risk assessment, I suggest to use three levels. First is disaster. Second is economic And lower says reliability safety like seal level. So it's easy to show money Yeah Second What we do in that moment we put in the same model not for chemical But for transportation and physics Uh vulnerabilities. So you get graph and you can calculate from disaster to technical vulnerability And do you take in account? Cis system in your model? Uh Safety systems Well, there are safety like a negative feedback system which Uh can understand what you know So so far like you only drive like you know your safety limits and you try to achieve them And then the system shutdowns Yes a shutdown, but say it's not a disaster Well, that's the model. So basically it's shut down. It's yeah, it's it's better enough, but it's economics So if you want to be real You see for example, especially in the vanilla citade that can be actually added So the model is extensible. So we actually that's why we want to do it public So that the community can also contribute to improve the models and which research questions can be started Excellent and one more point about automation. You use historians to learn your model On the last slide. I don't get it. So previous state of the system Well, it is in this like in In the matlab, you don't have the it infrastructure. So the data just logged in the workspace. Okay One more point maybe not for phd, but for your next Degree, uh, you can decompile scada and plc Processes processing where I go for instance and automatically learn Boundaries by historian analysts actually for example like this model. So also I was invited to nist to Also to consult them how to build skada Testbed and they exactly they build the entire infrastructure And they just use the model to take the process data and then to pass it into the infrastructure And then they already see what do you do with this process data in the infrastructure? Yeah, because this approach can be used not only for hacking but also for security It's like intrusion detection system for the process and yeah, and many Yeah, exactly and many already do that. It's just that I I stay as close as possible to the physics I don't care about the infrastructure. But yes the data from the processes can be used For example, yeah model to detect. Yeah, exactly. Yeah, excellent talk. Thank you Okay, maybe a question from the signal angels Yeah, there are two questions and the first is Have you tried to run your code on sci lab? Which is probably more or less a free software reverse engineering of matlab Not there is no octave. I guess this is a like free version of Like what is free? Let's say free matlab and the models must be portable, but we still did not try. We want to try But still not And the second question was if you Dosed the switch Wouldn't it tend to prevent the plz because from the beginning If you dose the switch Well, wait But you do not dose the switch you just drop the packets of interest like particular data flow You just drop the packets from the data flow. You don't dose the switch. Maybe you can also dose the switch, but I did not Talk about that the question is if it doesn't prevent When you can't read the sensors anymore So you also have a problem don't you No, not the attacker I'm sorry for the ones still standing at the mics, but we don't have time for any more questions You can I think you can meet up with the speaker Now until the next talk starts for like, I don't know five minutes And yes, please. Yeah Thank you