Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of...
Transcript of Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of...
![Page 1: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/1.jpg)
Breakage
Jason Larsencopyright IOActive, Inc. 2007, all rights
reserved.
![Page 2: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/2.jpg)
Who am I?
• Currently work for IOActive• Spent the last five years doing SCADA
research• I don’t often get a chance to speak to
security researchers
![Page 3: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/3.jpg)
SCADA
• Supervisory Control and Data Acquisition
![Page 4: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/4.jpg)
What do we know about SCADA?
• Controls physical systems• Comes in two flavors
– Supervisory Control– Momentary Control
![Page 5: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/5.jpg)
SCADA vs. The Movies• SCADA hacking has been a staple of Hollywood for a while• Evil hackers use computers to kill people• As a result, even non-computer people have some concept of SCADA
hacking
![Page 6: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/6.jpg)
Myth vs. Legend
• Lots of myths in SCADA– “Digital Pearl Harbor”– “Terrorist can take down the nation”– “I now have to fear my toaster”
• First let’s have a reality check
![Page 7: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/7.jpg)
Live Free or Die Hard
©20th Century Fox
![Page 8: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/8.jpg)
“Power Grid Isn’t Connected”
![Page 9: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/9.jpg)
Electric Power Connectedness
• If you had to hook together the most critical computer systems in the nation, you’d use a bullet-proof protocol right?
• One that had been well thought out and was easy to secure?
![Page 10: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/10.jpg)
Electric Power Layout(Finger Paint Version)
![Page 11: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/11.jpg)
ICCP
• Complete TCP/IP Stack
• RFC Glue• ISO Stack• MMS Stack• ASN.1• Custom Protocol• XML
![Page 12: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/12.jpg)
“Only Super Hackers Can Get In”
![Page 13: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/13.jpg)
Incidents
• JavaScript scans• Extortion• CIA statement
![Page 14: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/14.jpg)
“Send all the Gas There”
![Page 15: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/15.jpg)
Oil and Natural Gas Delivery
• Relief valves work really well• Oil pipeline explosion in Russia
– “…in June of 1982, a huge explosion occurred in the Siberian wilderness in the former Soviet Union. The yield was estimated at 3 kilotons…It had been implanted in the host software by a foreign intelligence service.”
![Page 16: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/16.jpg)
Stages of a SCADA Attack
![Page 17: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/17.jpg)
Maximizing Damage
• Most public research has focused on access to the SCADA LAN and control of the process
• Very little information about how an attacker would maximize damage once he had achieved control
![Page 18: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/18.jpg)
Big Equipment vs. Little Equipment
• Big equipment in a large process is generally easier to physically damage than tabletop equipment
• Only one public video of physical damage of big equipment
![Page 19: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/19.jpg)
Aurora Project
![Page 20: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/20.jpg)
Classes of Physical Damage
• Watching generators jump is fun, but are there other ways to physically damage equipment?
![Page 21: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/21.jpg)
Example 1 - Water Hammers
![Page 22: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/22.jpg)
Example 2 - Crunching Motors
![Page 23: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/23.jpg)
Classes of Physical Damage
• Inertial Attacks• Exclusion Attacks• Resonance Attacks• Wear Attacks• Surge Attacks• Latent Abilities
![Page 24: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/24.jpg)
Inertial Attacks
• Heavy stuff doesn’t like to speed up or slow down
• This is the easiest and most common way to make physical equipment fail
• The larger the process, the more likely it can be accelerated to failure
![Page 25: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/25.jpg)
Exclusion Attacks
• Some stuff isn’t supposed to happen at the same time– For example, the motor should never be
operating if the oil pump isn’t on
![Page 26: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/26.jpg)
Resonance Attacks• Resonance attacks happen mostly in electrical power and water distribution• Small variation in current or flow are conserved as a standing wave in
another part of the system• Continuing the small variations increases the size of the standing wave• These are the hardest to pull off remotely
![Page 27: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/27.jpg)
Wear Attacks• Components have a finite lifespan• Manipulating the controls can often significantly reduce the lifespan of the
component– For example, keeping a clutch 90% of the way engaged
![Page 28: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/28.jpg)
Surge Attacks
• “Send all the gas there now”• Continuous systems are designed to
handle only a certain amount of product at a time
• Exceeding those limits can cause physical damage– For example, filling a mixer 100% full
instead of the normal 20%
![Page 29: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/29.jpg)
Latent Abilities
• Building every piece of a process out of custom components is expensive
• Wherever possible, off-the-shelf components are used
• Off-the-shelf components are often manufactured for more than one purpose– For example, a motor that can run in
reverse but is never used that way
![Page 30: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/30.jpg)
Discovery
• Great, but we probably don’t have the engineer pointing out all the weaknesses
![Page 31: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/31.jpg)
Information
• Equipment doesn’t come with a manual on how to physically damage it
• You either have to find the weak points or guess
• Guessing can be surprisingly effective
![Page 32: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/32.jpg)
What you probably already have
![Page 33: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/33.jpg)
Analyzing Ladder Logic for Clues
![Page 34: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/34.jpg)
Ladder Logic
• In modern systems, most of the process safety depends on the logic in the controllers
• Analyzing tells you what the engineer that designed the process was worried about
![Page 35: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/35.jpg)
Start at the Master Stop
• All roads that lead to the master stop are interesting
• It can be labeled any number of things—luckily labels are human readable
![Page 36: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/36.jpg)
Ladder Logic
• This is a candidate for an exclusion attack• The engineer wanted to make sure that a
motor wasn’t running at the same time a valve was closed
![Page 37: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/37.jpg)
Ladder Logic
• If the level is above 17, shut everything down
• Since this is in the ladder logic, we can override the shutdown
![Page 38: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/38.jpg)
Operator’s Console
• Here’s a good candidate for a surge attack• Did the engineer plan for both pumps to
kick on at full power simultaneously?
![Page 39: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/39.jpg)
Inertial and Resonance Attacks
• Test a control point• Look for indications• Maximize the indications
![Page 40: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/40.jpg)
The test hit• Pick a point to manipulate and manipulate it
Valve1
Analog1
Analog2
Analog3
![Page 41: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/41.jpg)
Looking For Indications
Valve1
Analog1
Analog2
Analog3
![Page 42: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/42.jpg)
Maximizing the Indications
• Other inputs you control may change the height of the peaks
• If two inputs produce peaks in the same values, they can be synchronized to produce waveform addition
• Fast-moving values more often lead to breakage
• Don’t get stuck on a single peak—often breakage occurs where you least expect it
![Page 43: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/43.jpg)
Physical Damage
• Engineers try to take into account all the things that can go wrong in a process
• This is no different than searching for buffer overflows in code
• You’re looking for something the engineer missed
![Page 44: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/44.jpg)
Where do we have to be?
• How deep into the system you need to hack depends on two factors– How fast you need to manipulate the
point– What layers of the system perform sanity
checks
![Page 45: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/45.jpg)
Where do we have to be?
![Page 46: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/46.jpg)
The Defenders
• If physical damage isn’t instantaneous, the personnel running the process may try to stop the attacker
• As far as I know, no experimental data exists on the response time of the defenders
![Page 47: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/47.jpg)
The Defenders
• Attackers can easily change the state of the defender’s display
• Defenders are often in noise-controlled offices, per OSHA
• Diversion???
![Page 48: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/48.jpg)
Why Study Physical Damage?
• The current assumption is that the attacker will be stopped at the firewall– That really hasn’t happened
• Current thread models only consider the process under malicious control doing what it was meant to do
![Page 49: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/49.jpg)
Why Study Physical Damage?
• The worst-case scenario is physical damage to the process
• Hopefully, by understanding the worst case we can come up with a list of physical safeguards that need to be in place
![Page 50: Risk Management through Threat Modeling - Black · PDF fileMyth vs. Legend • Lots of myths in ... kick on at full power simultaneously? Inertial and Resonance Attacks ... point –](https://reader038.fdocuments.us/reader038/viewer/2022110221/5a75a5de7f8b9a9c548cb1ae/html5/thumbnails/50.jpg)
Questions?
• Jason Larsen• IOActive